Dockerfile Best Practices Checklist

A reusable Dockerfile checklist to reduce image size, improve build speed, and strengthen container security.

A good Dockerfile does more than make a container build successfully. It affects image size, build speed, cache reuse, security posture, and how easy your application is to debug and deploy. This checklist is designed as a reusable review guide for teams that build web apps, APIs, workers, and internal services. Use it before merging a new Dockerfile, when changing base images or package managers, and anytime your deployment workflow starts feeling slower, heavier, or harder to trust.

Overview

This article gives you a practical Dockerfile best practices checklist for smaller, faster, more secure images. Rather than treating Dockerfile design as a one-time setup task, it helps you review the parts that usually drift over time: base image selection, dependency installation, layer ordering, runtime configuration, and security controls.

The main goal is not to make every image as tiny as possible at all costs. The real goal is to build images that are appropriate for production: fast enough to build in CI, small enough to transfer efficiently, predictable enough to reproduce, and locked down enough to reduce unnecessary risk.

If you work in DevOps, platform engineering, or application delivery, this checklist is especially useful because Dockerfiles often become shared infrastructure. One weak pattern gets copied across repositories. One strong pattern can improve many services at once.

Before the detailed checklist, keep these principles in mind:

Start from a purpose-built base image. The base image affects size, compatibility, patching workflow, and default attack surface.
Order instructions for cache efficiency. Stable layers should come before frequently changing layers.
Install only what the application needs. Build tools and debug utilities should not automatically ship to production.
Run as a non-root user when practical. This is one of the simplest hardening steps.
Separate build-time concerns from runtime concerns. Multi-stage builds make this much easier.
Treat the Dockerfile as maintainable infrastructure code. Clarity matters. Future maintainers need to understand why an image is built a certain way.

For teams deploying Node.js services, container choices also affect hosting strategy and operational tradeoffs. If you are comparing where to run containerized apps, see Best Hosting for Node.js Apps: VPS, PaaS, and Serverless Options Compared.

Checklist by scenario

Use this section as your working checklist. Not every item applies to every project, but most production Dockerfiles should pass a large portion of it.

Scenario 1: Any production Dockerfile

Choose a minimal, maintained base image. Avoid oversized general-purpose images unless you need them for compatibility or tooling.
Pin the base image to a specific version or digest when your workflow requires reproducibility. Floating tags are convenient but can introduce unexpected changes.
Add a clear WORKDIR. This improves readability and avoids path confusion.
Copy only the files needed for the current build step. Start with dependency manifests before copying the rest of the application.
Use a .dockerignore file. Exclude node_modules, local build output, test artifacts, logs, and secrets. This reduces context size and avoids accidental leakage.
Combine related commands carefully. This can reduce layer count, but readability still matters.
Clean up package manager caches if they are not needed in the final image. Temporary files often remain unless explicitly removed.
Use CMD for the default runtime command and ENTRYPOINT only when you truly need fixed execution behavior.
Expose only the intended port. Treat it as documentation for maintainers even when your platform handles networking separately.
Set a non-root user for runtime. If your app needs privileged access, make that exception explicit rather than accidental.

Scenario 2: Node.js and JavaScript applications

Copy dependency files first. For example, copy package.json and lockfiles before the application source so dependency installation can be cached.
Use deterministic installs. Prefer workflow patterns that respect lockfiles and reduce drift between local, CI, and production environments.
Separate dev dependencies from production dependencies when building for runtime. Build-time tools often do not belong in the final image.
Compile assets in a builder stage. Front-end bundles, TypeScript output, or generated files can be produced in one stage and copied into a smaller runtime stage.
Avoid copying local node_modules into the image. Host operating system differences can produce broken or bloated images.
Be explicit about environment variables. Default values should be safe, and secrets should not be baked into the image.

If your app exposes APIs, your container review often overlaps with request testing and environment validation. Related workflow guidance: API Testing Tools Compared: Postman vs Insomnia vs Hoppscotch.

Scenario 3: Multi-stage builds

Use one stage for building and one for running. This is the simplest way to optimize Docker image size without sacrificing build tooling.
Name stages clearly. Labels such as builder, test, and runtime make Dockerfiles easier to read.
Copy only the runtime artifacts. Do not copy package caches, source maps, test fixtures, or unused binaries unless they are required.
Keep the runtime image focused. If a shell, compiler, or package manager is not needed in production, it usually does not belong there.

For many teams, multi-stage builds are the single highest-impact optimization because they improve both size and security without requiring major application changes.

Scenario 4: Security-focused images

Do not store secrets in the Dockerfile. Avoid hardcoded API keys, tokens, certificates, or private URLs.
Review every RUN curl or remote install command. Remote scripts increase supply chain risk and should be justified and controlled.
Reduce installed packages. Every extra package adds maintenance and potential vulnerability exposure.
Use non-root execution. Create a dedicated user and switch to it before runtime.
Set file ownership intentionally. Avoid broad permissions such as world-writable directories unless they are required.
Scan images in CI. The Dockerfile itself is only part of container security. Dependency and OS package review matter too.
Document exceptions. If you must use a larger base image, root access, or extra tooling, note why.

Scenario 5: Fast CI and repeatable builds

Put stable steps first. Dependency installation should be cached independently from application code whenever possible.
Avoid invalidating the cache unnecessarily. A broad COPY . . too early in the Dockerfile often causes slow rebuilds.
Keep generated files out of the build context unless needed. Large local directories can slow CI significantly.
Use consistent build arguments sparingly. If build args change often, they may invalidate downstream layers.
Test the Dockerfile in clean environments. A build that depends on local machine state is fragile by definition.

Scenario 6: Framework-based web apps

Know whether the app needs a build stage, a server runtime, or only static assets. Not every web project needs the same final image design.
Do not ship development servers to production by accident. This is a common issue in front-end and full-stack frameworks.
Be clear about logs and process behavior. Containers should usually write logs to standard output and exit cleanly on failure.
Keep runtime configuration external where possible. This helps avoid rebuilding images for simple environment changes.

If your team also deploys static front-end projects alongside containerized services, hosting tradeoffs differ from container runtime tradeoffs. A useful comparison is Vercel vs Netlify vs Cloudflare Pages: Best Front-End Hosting for Modern Web Apps.

What to double-check

This section helps you review the parts of a Dockerfile that often look correct at first glance but still hide operational problems.

Base image assumptions

Ask whether the chosen base image still fits the application. Teams often keep the first base image they used even after the app changes. If the service no longer needs build tools, shell utilities, or a large OS layer, you may be carrying unnecessary weight.

Also confirm that your team understands the tradeoff between convenience and minimalism. Smaller is often better, but only if debugging, compatibility, and maintenance remain manageable.

Dependency installation behavior

Check whether dependency installation is deterministic and aligned with your lockfile strategy. If developers get one dependency graph locally and CI gets another, the image may build successfully but behave differently across environments.

For database-backed Node.js services, generated clients and ORM tooling can complicate build steps. If that applies to your stack, standardize where generation happens and whether those artifacts belong in the build stage or runtime stage. Related reading: Node.js ORM Comparison: Prisma vs Drizzle vs TypeORM vs Sequelize.

Runtime command and signal handling

Make sure the final container starts the actual application process directly and shuts down cleanly. Wrapper scripts are sometimes necessary, but they can interfere with signal handling and graceful termination if used carelessly.

File permissions and user context

It is easy to add a non-root user and still leave key application files owned by root or writable in inconsistent ways. Confirm the runtime user can read and write only what is required.

Environment variables and secrets

Double-check that secrets are supplied at runtime or through your secret management workflow, not embedded in image layers. Remember that anything copied into an image can be difficult to treat as private later.

Observability basics

Your Dockerfile does not need to solve logging and monitoring on its own, but it should not make them harder. The application should log in a container-friendly way, and the image should not depend on hidden local paths or machine-specific assumptions. If you are refining logging for Node.js services, see Best Node.js Logging Libraries Compared for APIs, Workers, and Production Apps.

Common mistakes

Most Dockerfile issues are not exotic. They come from a few repeated habits that seem harmless until builds slow down or a deployment incident exposes them.

Using latest everywhere. This makes change tracking harder and can introduce surprises during rebuilds.
Copying the full repository too early. This breaks caching and makes small source changes trigger expensive rebuilds.
Skipping .dockerignore. Large contexts, leaked local files, and accidental secret inclusion often start here.
Keeping build tools in the runtime image. Compilers, package managers, and test utilities increase size and attack surface.
Running as root by default. It is common, but still worth challenging.
Baking secrets into build steps. Even temporary convenience can create long-term risk.
Writing a Dockerfile that only works on one developer machine. If it depends on local files, shell behavior, or undocumented assumptions, it is not production-ready.
Over-optimizing for size while hurting operability. An image that is smaller but impossible to troubleshoot may not be the better choice.
Ignoring comments and clarity. A compact Dockerfile is not automatically a maintainable one. If a step is non-obvious, explain it.

Another common mistake is treating the Dockerfile as isolated from the rest of the delivery workflow. In practice, build pipelines, runtime hosting, API behavior, encoding utilities, and environment debugging all connect. That is why teams often benefit from a broader web dev toolkit approach across deployment and diagnostics, not just one optimized file.

When to revisit

The most useful checklist is one that gets used more than once. Dockerfile best practices change gradually as base images evolve, package managers change behavior, application architecture shifts, and your hosting platform introduces new constraints. Review your Dockerfiles at these moments:

Before a major release cycle. This is a good time to check image size, runtime permissions, and dependency layers.
When changing base images. Even a routine update can affect shell behavior, package installation, file paths, or native dependencies.
When moving platforms. A Dockerfile that worked well on one host may need refinement for another deployment target.
When CI builds become noticeably slower. Cache order and build context size are worth reviewing.
When introducing a new framework, bundler, or package manager. Build and runtime concerns may need to be separated differently.
After a security review or incident. Re-check user permissions, installed tools, and secret handling.
When teams copy a Dockerfile into a new service. Templates should be adapted, not inherited blindly.

To make this practical, create a short team routine:

Open the Dockerfile and .dockerignore together.
Identify the base image, build stage, runtime stage, and startup command.
Ask what can be removed from the final image without harming operations.
Verify the container runs as the least-privileged user that still works.
Check whether secrets are injected at runtime rather than stored in image layers.
Rebuild from a clean environment and confirm the result is reproducible.
Document any deliberate exceptions so future maintainers do not have to guess.

If you want one final rule to keep in mind, use this: optimize Dockerfiles for repeatable delivery, not just successful builds. A production-ready image should be understandable, efficient, and boring in the best possible way.