Docker Best Practices Scorecard

Audience: DevOps engineers, contributors, auditors

WHAT

Scorecard tracking implementation of 25 Docker best practices across image building, security, package management, documentation and metadata, and CI/CD automation.

WHY

A quantified scorecard provides an at-a-glance compliance posture and identifies any regression in best-practice adherence.

HOW

Total Score: 25/25 Best Practices Implemented (reached by Dockerfile.distroless; the per-Dockerfile counts are listed under Implementation Details below)

Image Building (6/6)

  1. BuildKit syntax enabled - # syntax=docker/dockerfile:1.4
  2. Multi-stage builds - Dockerfile.multistage for build optimization
  3. Layer caching optimization - Commands ordered by change frequency
  4. Minimal base images - Alpine, Scratch and Distroless variants (resulting image sizes roughly 108MB, 30MB and 3MB; see the per-Dockerfile table below)
  5. Build context optimization - .dockerignore configured
  6. Parallel builds support - BuildKit executes independent build stages concurrently

Security (7/7)

  1. Non-root user - All images run as user dck (UID 1000)
  2. No sudo in production - Removed from minimal/distroless variants
  3. Secrets not exposed - No hardcoded credentials or keys
  4. Security scanning CI/CD - Docker Scout, Trivy, Hadolint
  5. Minimal attack surface - Distroless option available
  6. Read-only filesystem capable - Scratch-based image supports it (run with docker run --read-only and mount a tmpfs for any path the process must write)
  7. No unnecessary packages - Each variant optimized for its use case

Package Management (4/4)

  1. Pinned base image versions - alpine:3.19.1 not alpine:latest (a tag is still mutable; pin the @sha256 digest as well for a reproducible base)
  2. Pinned package versions - All apk packages version-locked
  3. Cache cleanup - rm -rf /var/cache/apk/* in the same RUN instruction as the install (a cleanup in a later layer does not shrink the image); apk add --no-cache avoids the cache altogether
  4. No package manager in production - Distroless has none

Documentation & Metadata (4/4)

  1. OCI standard labels - Complete metadata in all Dockerfiles
  2. HEALTHCHECK directive - Implemented for container monitoring (exec-form CMD on the scratch and distroless variants, which ship no shell for the shell form)
  3. Clear ENTRYPOINT/CMD - ENTRYPOINT fixes the executable, CMD supplies the overridable default arguments
  4. Version documentation - Image comparison report created

CI/CD & Automation (4/4)

  1. Automated linting - GitHub Actions with Hadolint
  2. Vulnerability scanning - Trivy and Docker Scout integration
  3. Image size monitoring - Automated size checks in CI
  4. Best practices validation - Automated checks for USER, HEALTHCHECK
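The automated USER and HEALTHCHECK checks in item 4 above, together with the base-image and apk pinning rules under Package Management, as one policy script. This is an added example and not the project's own CI job: the check logic, the finding messages and the two embedded sample Dockerfiles (their package versions, labels and the /usr/local/bin/dck path are constructed placeholders) are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical Dockerfile policy check (added example, not the project's CI script).
set -u
set -f   # no pathname expansion: tokens such as /var/cache/apk/* must stay literal

# Emit one instruction per line: join backslash-continued lines, drop comments and blanks.
dockerfile_instructions() {
  acc=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *\\) acc="$acc${line%\\} "; continue ;;
    esac
    line="$acc$line"; acc=""
    case "$line" in ''|'#'*) continue ;; esac
    printf '%s\n' "$line"
  done < "$1"
}

# 0 if the image reference is scratch, digest-pinned, or carries a tag other than latest.
image_pinned() {
  case "$1" in scratch|*@sha256:*) return 0 ;; esac
  ref="${1##*/}"   # strip registry/namespace so host:port is not mistaken for a tag
  case "$ref" in
    *:latest|*:) return 1 ;;
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one finding per line for the Dockerfile at $1; prints nothing when it passes.
# The while loop runs in the pipeline's subshell, so the end-of-file checks sit in the same group.
dockerfile_findings() {
  dockerfile_instructions "$1" | {
    last_user="" has_health=0 stages=" "
    while IFS= read -r line; do
      instr="${line%% *}"; rest="${line#* }"
      case "$instr" in
        [Ff][Rr][Oo][Mm])
          set -- $rest
          while [ $# -gt 0 ]; do case "$1" in --*) shift ;; *) break ;; esac; done
          image="${1:-}"
          case "${2:-}" in [Aa][Ss]) stages="$stages${3:-} " ;; esac
          case "$stages" in
            *" $image "*) ;;   # reference to an earlier build stage, not a registry pull
            *) image_pinned "$image" || echo "base image not pinned: $image" ;;
          esac ;;
        [Uu][Ss][Ee][Rr]) last_user="$rest" ;;
        [Hh][Ee][Aa][Ll][Tt][Hh][Cc][Hh][Ee][Cc][Kk])
          case "$rest" in [Nn][Oo][Nn][Ee]) ;; *) has_health=1 ;; esac ;;
        [Rr][Uu][Nn])
          # every package after the first "apk add" (up to && or ;) must carry =version
          case "$rest" in *"apk add"*)
            pkgs="${rest#*apk add}"; pkgs="${pkgs%%&&*}"; pkgs="${pkgs%%;*}"
            for tok in $pkgs; do
              case "$tok" in -*|*=*) ;; *) echo "apk package not version-locked: $tok" ;; esac
            done ;;
          esac ;;
      esac
    done
    case "${last_user%%:*}" in
      '') echo "no USER instruction: container runs as root" ;;
      root|0) echo "final USER is root" ;;
    esac
    [ "$has_health" -eq 1 ] || echo "no HEALTHCHECK instruction (or HEALTHCHECK NONE)"
  }
}

# Number of findings; 0 means the Dockerfile passes the policy.
dockerfile_finding_count() {
  dockerfile_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape the scorecard describes (versions, labels, paths are placeholders).
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1.4
FROM alpine:3.19.1 AS build
RUN apk add --no-cache \
      build-base=0.5-r3 \
    && echo "build step here"

FROM alpine:3.19.1
LABEL org.opencontainers.image.title="dck" \
      org.opencontainers.image.source="https://example.invalid/dck"
RUN apk add --no-cache ca-certificates=20240226-r0 \
    && rm -rf /var/cache/apk/*
RUN addgroup -g 1000 dck && adduser -D -u 1000 -G dck dck
COPY --from=build /usr/local/bin/dck /usr/local/bin/dck
USER dck:dck
HEALTHCHECK --interval=30s CMD ["/usr/local/bin/dck", "--version"]
ENTRYPOINT ["/usr/local/bin/dck"]
EOF
}

# Constructed counter-example that trips four of the checks.
write_noncompliant_dockerfile() {
  cat > "$1" <<'EOF'
FROM alpine
RUN apk add curl jq=1.7.1-r0
HEALTHCHECK NONE
CMD ["sh"]
EOF
}

# Demo on the two constructed samples.
demo_dir=$(mktemp -d)
write_sample_dockerfile "$demo_dir/Dockerfile"
write_noncompliant_dockerfile "$demo_dir/Dockerfile.bad"
for f in "$demo_dir/Dockerfile" "$demo_dir/Dockerfile.bad"; do
  echo "$(basename "$f"): $(dockerfile_finding_count "$f") finding(s)"
  dockerfile_findings "$f" | sed 's/^/  /'
done
rm -rf "$demo_dir"
```

Run it against a real file with dockerfile_findings path/to/Dockerfile; any output is a policy failure, and dockerfile_finding_count is what a CI job would compare against zero. The parser is deliberately small: it joins backslash continuations and keys on the first word of each instruction, so it does not understand heredoc RUN bodies, and only the first apk add inside a RUN is inspected. Hadolint covers the general linting; this script exists to show how the scorecard's USER/HEALTHCHECK/pinning checks reduce to a few lines of policy.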

Implementation Details by Dockerfile

Dockerfile              Practices Implemented   Size     Use Case
Dockerfile              20/25                   108MB    Development
Dockerfile.multistage   23/25                   108MB    CI/CD with validation
Dockerfile.minimal      24/25                   30.4MB   Production
Dockerfile.distroless   25/25                   3.26MB   High-security production

Advanced Practices Implemented

Beyond Basic Requirements:

  • Shellcheck validation in build stage
  • Multiple image variants for different use cases
  • Scratch-based builds for ultimate minimalism
  • Volume declarations for persistent data
  • Environment variables properly set
  • Symlinks for PATH integration
  • User/Group management with proper permissions
  • WORKDIR properly configured
  • Build argument support via ARG (where needed)
  • Proper COPY ordering for optimal caching

Compliance Standards Met

  • CIS Docker Benchmark compliance for the image and build-file controls (host and daemon controls are outside what a Dockerfile can address)
  • OWASP Container Security guidelines
  • OCI Image Specification compliance
  • Docker Official Images standards
  • SLSA Build Level 2 requirements (with CI/CD; Build L2 also requires the hosted build platform to emit signed provenance for the image)

Metrics

  • Total Dockerfiles: 4 variants
  • Smallest image: 3.26MB (97% reduction versus the 108MB Alpine development image)
  • Security scans: 3 different tools
  • CI/CD checks: 5 job types
  • Package versions pinned: 7 packages
  • Labels added: 6 OCI standard labels