Dockerfile & Container Reviewer
v1.0.0
Reviews Dockerfiles and docker-compose files for security, size, build, and best-practice issues, providing a detailed severity-rated report with fixes.
dockerfile-reviewer Description
Review Dockerfiles and docker-compose files for security vulnerabilities, oversized images, build inefficiencies, and missing best practices. Returns a structured report with severity ratings and corrected examples.
Use when: "review my Dockerfile", "is this container secure", "optimize my docker build", "why is my image so large", "check my docker-compose"
Input
Any Dockerfile, docker-compose.yml, or .dockerignore. Paste the Dockerfile and/or docker-compose.yml. Optionally specify:
- Target environment (production, CI, local dev)
- Base image constraints (must use specific distro, etc.)
- Whether the application runs as a service or a one-shot job
Output format
Dockerfile Review
Critical (fix before production)
- [Finding] — [security or correctness risk]
Warnings (should fix)
- [Finding] — [size or reliability impact]
Suggestions (nice to have)
- [Finding] — [explanation]
What's correct
- [Specific patterns done right]
Summary
[2–3 sentences: biggest risk, estimated image size savings if any, top fix]
Review checklist
Security
- Running as root (no USER directive) — container escape risk
- Secret or credential in ENV, ARG, or RUN layer — visible in image history
- Base image not pinned (FROM ubuntu:latest instead of ubuntu:22.04) — supply chain risk
- Using curl | bash to install software — arbitrary code execution
- Unnecessary packages installed (attack surface)
- No HEALTHCHECK — orchestrator can't detect unhealthy containers
- Writable filesystem where read-only would suffice
Image size
- Large base image when alpine or distroless would work
- Installing dev tools in production image (compilers, debuggers, test frameworks)
- Multiple RUN commands that should be chained with && (each RUN = a layer)
- COPY . . before dependency install (cache busting on every code change)
- Not using .dockerignore — copying node_modules, .git, build artifacts
- Leftover apt/apk cache not cleaned in same RUN layer
Build correctness
- Wrong WORKDIR — files land in unexpected paths
- EXPOSE port doesn't match what the application actually listens on
- CMD vs ENTRYPOINT confusion — CMD should be overridable args, ENTRYPOINT the executable
- Using ADD when COPY is sufficient (ADD has implicit tar extraction and URL fetch)
- Build args used as secrets (visible in docker history)
docker-compose specific
- No restart policy — containers don't recover from crashes
- Hardcoded secrets in environment: block — use .env or secrets
- Named volumes not defined in volumes: section
- Port binding to 0.0.0.0 when 127.0.0.1 would suffice
- No resource limits (mem_limit, cpus) — one container can starve others
- depends_on without condition: service_healthy — race conditions on startup
Multi-stage build
- Single-stage build for compiled language — ships compiler in production image
- Build artifacts not properly copied from builder stage
- Redundant stages that could be merged
Severity definitions
- Critical: Security vulnerability or correctness bug that affects production
- Warning: Image bloat, reliability issue, or hard-to-debug behavior
- Suggestion: Style, caching efficiency, or future-proofing improvement
Self-improvement instructions
After each review, note the most impactful finding. After 20 reviews, surface "Top 3 Dockerfile mistakes" at the start of the response.
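As an added example (not part of this skill document or its project), a small Python linter that encodes several of the checklist items above and runs them over two constructed Dockerfiles: a weak one that trips the checks and its corrected multi-stage form. The image tags, paths, secret name and URL are illustrative placeholders.

```python
import re
# Constructed sample Dockerfiles (not from any real project): WEAK trips several checks, FIXED is clean.
WEAK = """\
FROM node:latest
ENV API_TOKEN=placeholder-not-a-real-secret
COPY . .
RUN curl -sSL https://example.invalid/install.sh | bash
ADD package.json /app/
CMD ["node", "server.js"]
"""
FIXED = """\
FROM node:20-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .
FROM node:20-alpine
COPY --from=build /app /app
USER node
HEALTHCHECK CMD wget -qO- http://127.0.0.1:3000/health || exit 1
CMD ["node", "/app/server.js"]
"""
LINE_RULES = [  # (instructions, regex over the arguments, severity, finding)
    (("FROM",), r"^[^:\s]+(:latest)?(\s|$)", "Critical", "Base image not pinned"),
    (("RUN",), r"(curl|wget)[^|]*\|\s*(ba)?sh\b", "Critical", "curl | bash install"),
    (("ENV", "ARG"), r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", "Critical", "Possible secret"),
    (("ADD",), r"^(?!https?://)(?!.*\.(tar(\.\w+)?|tgz)\b)", "Warning", "ADD used where COPY suffices"),
]
MISSING_RULES = [("USER", "Critical", "Running as root (no USER directive)"),
                 ("HEALTHCHECK", "Warning", "No HEALTHCHECK")]

def parse(text):
    """Join backslash-continued lines, skip comments and blanks, yield (INSTRUCTION, args)."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            instr, _, args = line.strip().partition(" ")
            yield instr.upper(), args.strip()

def review(text):
    """Return (severity, finding) tuples; ENV/ARG findings name the variable, never its value."""
    instrs = list(parse(text))
    present = {i for i, _ in instrs}
    findings = [(sev, msg) for name, sev, msg in MISSING_RULES if name not in present]
    for instr, args in instrs:
        for names, pattern, sev, msg in LINE_RULES:
            if instr in names and re.search(pattern, args, re.I):
                findings.append((sev, f"{msg} ({instr} {args.split('=')[0]})"))
    order = [i for i, a in instrs if i == "RUN" or (i == "COPY" and a.startswith(". "))]
    if order[:1] == ["COPY"] and "RUN" in order:  # source copied before dependency install
        findings.append(("Warning", "COPY . . before dependency install (cache busting)"))
    return findings
```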