Lean, secure multi-stage Dockerfiles
Structures Docker builds into separate stages so that only the necessary artifacts and dependencies remain in the final image.
What this skill does
This skill helps create multi-stage Dockerfiles with clearly separated dependency, build, test, and runtime stages. It also gives guidance on layer caching, version-pinned base images, running as a non-root user, and using .dockerignore.
When to use it
- Separating compilation from runtime
- Reducing unnecessary content in the final image
- Improving build caching
- Removing build tools from the runtime
How to use it
- Review the repository, the runtime, and the build process
- Define named stages in a logical order
- Copy only the necessary artifacts into the runtime stage
- Run the build and verify that the container starts
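The steps above applied to a hypothetical Python service, as an added example that is not part of the skill or its repository. The `app/` package, `tests/`, the two requirements files, port 8000 and the `/healthz` path are assumptions; `python:3.11-slim` is the pinned tag the skill text itself uses.

```dockerfile
# Added example. Assumed layout (hypothetical): app/ (with __main__.py),
# tests/, requirements.txt, requirements-dev.txt, and a .dockerignore that
# excludes .git, local virtualenvs and secrets from the build context.

# --- deps: changes rarely, so this layer stays cached across code edits ---
FROM python:3.11-slim AS deps
ENV PIP_NO_CACHE_DIR=1 PIP_DISABLE_PIP_VERSION_CHECK=1
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
WORKDIR /src
# Copy only the dependency manifest first; source edits do not bust this cache.
COPY requirements.txt .
RUN pip install -r requirements.txt

# --- test: dev dependencies and tests live here and never reach runtime ---
FROM deps AS test
COPY requirements-dev.txt .
RUN pip install -r requirements-dev.txt
COPY app/ ./app/
COPY tests/ ./tests/
RUN python -m pytest -q tests

# --- runtime: same pinned base, runtime dependencies and app code only ---
FROM python:3.11-slim AS runtime
# Fixed numeric UID/GID so the non-root identity is checkable by an orchestrator.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app --no-create-home app
ENV PATH="/opt/venv/bin:$PATH" PYTHONUNBUFFERED=1
WORKDIR /app
# The venv comes from deps (not test), so pytest and other dev packages stay out.
# It remains root-owned: the app user can read and execute it but not modify it.
COPY --from=deps /opt/venv /opt/venv
COPY --chown=app:app app/ ./app/
USER 10001:10001
EXPOSE 8000
# Assumed health endpoint; uses the interpreter already in the image, no curl.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=2)"]
CMD ["python", "-m", "app"]
```

With BuildKit, the `test` stage is built only when targeted (`docker build --target test .`), because `runtime` does not depend on it; run that target in CI before building the final image.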
What to review before installing
- Alpine and distroless images do not suit every application
- Exact tags require periodic maintenance
- The skill does not guarantee the absence of vulnerabilities
SKILL.md
---
name: multi-stage-dockerfile
description: 'Create optimized multi-stage Dockerfiles for any language or framework'
---

Your goal is to help me create efficient multi-stage Dockerfiles that follow best practices, resulting in smaller, more secure container images.

## Multi-Stage Structure

- Use a builder stage for compilation, dependency installation, and other build-time operations
- Use a separate runtime stage that only includes what's needed to run the application
- Copy only the necessary artifacts from the builder stage to the runtime stage
- Use meaningful stage names with the `AS` keyword (e.g., `FROM node:18 AS builder`)
- Place stages in logical order: dependencies → build → test → runtime

## Base Images

- Start with official, minimal base images when possible
- Specify exact version tags to ensure reproducible builds (e.g., `python:3.11-slim` not just `python`)
- Consider distroless images for runtime stages where appropriate
- Use Alpine-based images for smaller footprints when compatible with your application
- Ensure the runtime image has the minimal necessary dependencies

## Layer Optimization

- Organize commands to maximize layer caching
- Place commands that change frequently (like code changes) after commands that change less frequently (like dependency installation)
- Use `.dockerignore` to prevent unnecessary files from being included in the build context
- Combine related RUN commands with `&&` to reduce layer count
- Consider using COPY --chown to set permissions in one step

## Security Practices

- Avoid running containers as root - use `USER` instruction to specify a non-root user
- Remove build tools and unnecessary packages from the final image
- Scan the final image for vulnerabilities
- Set restrictive file permissions
- Use multi-stage builds to avoid including build secrets in the final image

## Performance Considerations

- Use build arguments for configuration that might change between environments
- Leverage build cache efficiently by ordering layers from least to most frequently changing
- Consider parallelization in build steps when possible
- Set appropriate environment variables like NODE_ENV=production to optimize runtime behavior
- Use appropriate healthchecks for the application type with the HEALTHCHECK instruction