# Docker Official Images Standards

**Audience:** DevOps engineers, image maintainers

## WHAT

Docker Official Images quality and maintainability standards with DockerKit's compliance status across all 15 requirements.

## WHY

Aligning with Docker Official Images standards ensures DockerKit images meet the highest bar for security, documentation, and reproducibility.

## HOW
### Requirements Compliance

#### 1. Clear Documentation ✅

**Requirement:** Comprehensive README with examples, configuration, and usage

**Implementation:**

- ✅ Main README.md with installation and usage
- ✅ docs/ folder with detailed guides
- ✅ Example commands and configurations
- ✅ Version compatibility matrix

**Documentation Structure:**

```text
docs/
├── docker_best_practices_validation.md
├── docker_image_comparison.md
├── standards/
│   ├── cis_docker_benchmark.md
│   ├── owasp_container_security.md
│   └── docker_official_images.md
└── README.md
```
#### 2. Dockerfile Best Practices ✅

**Requirement:** Follow Dockerfile best practices

**Implementation:**

```dockerfile
# ✅ Specific version tags
FROM alpine:3.19.1

# ✅ Metadata labels
LABEL maintainer="DCK Team" \
      version="1.0.0" \
      description="Docker Management Toolkit" \
      org.opencontainers.image.source="https://github.com/phdsystems/dck"

# ✅ Combine RUN commands
RUN apk add --no-cache \
        bash=5.2.21-r0 \
        curl=8.12.1-r0 \
    && rm -rf /var/cache/apk/*

# ✅ Create the non-root user before COPY --chown and USER reference it
RUN addgroup -g 1000 dck && \
    adduser -D -u 1000 -G dck -s /bin/bash dck

# ✅ Use COPY not ADD
COPY --chown=dck:dck ./src/ /opt/dck/src/

# ✅ Non-root user
USER dck

# ✅ HEALTHCHECK
HEALTHCHECK --interval=30s --timeout=3s \
    CMD dck version || exit 1
```
#### 3. Build Reproducibility ✅

**Requirement:** Builds must be reproducible

**Implementation:**

- ✅ All base images version-pinned
- ✅ All packages version-pinned
- ✅ No `latest` tags
- ✅ BuildKit cache mounts for consistency

**Version Pinning:**

```dockerfile
# Base image
FROM alpine:3.19.1

# Packages with exact versions
RUN apk add --no-cache \
        bash=5.2.21-r0 \
        curl=8.12.1-r0 \
        jq=1.7.1-r0 \
        git=2.43.7-r0 \
        docker-cli=25.0.5-r1 \
        docker-cli-compose=2.23.3-r3
```
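The pinning rules from requirements 2 and 3 (a specific tag on every `FROM`, no `latest`, an explicit `=version` on every `apk add` package) can be checked mechanically before Hadolint runs. The script below is an added example, not DockerKit's own code: it joins backslash-continued lines so each instruction is one string, then reports untagged or `latest`-tagged base images and unpinned `apk` packages. The Dockerfile embedded in it is a constructed sample that mixes one compliant stage with two violations.

```python
"""Flag unpinned base images and apk packages in a Dockerfile (added example)."""
import re
import sys

# Constructed sample, not DockerKit's Dockerfile: one compliant stage followed by violations.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19.1
RUN apk add --no-cache \\
    bash=5.2.21-r0 \\
    curl \\
    && rm -rf /var/cache/apk/*
FROM golang:latest AS builder
FROM gcr.io/distroless/static
"""

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)


def join_continuations(text):
    """Merge backslash-continued lines so each instruction is one string."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instructions.append((buf + line).strip())
        buf = ""
    if buf:
        instructions.append(buf.strip())
    return instructions


def check_from(instr):
    """Return an issue for a FROM that is untagged or uses latest; digests and scratch pass."""
    image = FROM_RE.match(instr).group(1)
    if image.lower() == "scratch" or "@sha256:" in image:
        return None
    # The tag follows the last ':' unless that ':' is a registry port (a '/' then follows it).
    _, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return f"FROM {image}: no tag (defaults to latest)"
    if tag == "latest":
        return f"FROM {image}: uses latest tag"
    return None


def check_apk(instr):
    """Return issues for `apk add` packages given without an explicit =version."""
    issues = []
    body = instr[len("RUN"):]
    # Split the shell command list so each `apk add ...` is inspected on its own.
    for segment in re.split(r"&&|\|\||;", body):
        tokens = segment.split()
        if len(tokens) < 2 or tokens[0] != "apk" or "add" not in tokens:
            continue
        for tok in tokens[tokens.index("add") + 1:]:
            if not tok.startswith("-") and "=" not in tok:
                issues.append(f"apk package not pinned: {tok}")
    return issues


def check_dockerfile(text):
    """Run both checks over every instruction and return the issues in file order."""
    issues = []
    for instr in join_continuations(text):
        if not instr or instr.startswith("#"):
            continue
        upper = instr.upper()
        if upper.startswith("FROM "):
            issue = check_from(instr)
            if issue:
                issues.append(issue)
        elif upper.startswith("RUN "):
            issues.extend(check_apk(instr))
    return issues


if __name__ == "__main__":
    # Usage: python3 check_pins.py Dockerfile   (file name is hypothetical)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOCKERFILE
    for issue in check_dockerfile(text) or ["OK: everything pinned"]:
        print(issue)
```

Digest-pinned references (`image:tag@sha256:...`) pass because they are stricter than a tag; `scratch` passes because it has no tag to pin. The check covers only `apk`, which is what DockerKit's Alpine-based variants use; `apt-get` pinning follows the same idea with `package=version`.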
#### 4. Multiple Variants ✅

**Requirement:** Provide variants for different use cases

**Implementation:**

| Variant | File | Use Case | Size |
|---|---|---|---|
| Standard | Dockerfile | Development | 108MB |
| Multi-stage | Dockerfile.multistage | CI/CD with validation | 108MB |
| Minimal | Dockerfile.minimal | Production | 30.4MB |
| Distroless | Dockerfile.distroless | High-security | 3.26MB |
#### 5. Regular Updates ✅

**Requirement:** Automated updates and security patches

**Implementation:**

- ✅ GitHub Actions for automated builds
- ✅ Dependabot for dependency updates
- ✅ Security scanning on every push
- ✅ Weekly rebuild schedule

**CI/CD Pipeline:**

```yaml
name: Docker Image CI
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'  # Weekly rebuild
```
#### 6. Security Scanning ✅

**Requirement:** Regular vulnerability scanning

**Implementation:**

- ✅ Hadolint for Dockerfile linting
- ✅ Trivy for vulnerability scanning
- ✅ Docker Scout for supply chain security
- ✅ Automated in CI/CD pipeline
#### 7. Minimal Layers ✅

**Requirement:** Optimize layer count and caching

**Implementation:**

```dockerfile
# ✅ Single RUN command for related operations
RUN apk add --no-cache \
        bash curl jq git \
    && addgroup -g 1000 dck \
    && adduser -D -u 1000 -G dck dck \
    && mkdir -p /opt/dck /var/lib/dck \
    && chown -R dck:dck /opt/dck /var/lib/dck

# ✅ Order by change frequency (comments on their own lines: a trailing
#    "# ..." on a COPY line is parsed as extra arguments, not a comment)
# Rarely changes
COPY ./docs/ /opt/dck/docs/
# Sometimes changes
COPY ./lib/ /opt/dck/lib/
# Often changes
COPY ./src/ /opt/dck/src/
```
#### 8. Standard Base Images ✅

**Requirement:** Use official base images

**Implementation:**

- ✅ `alpine:3.19.1` - Official Alpine Linux
- ✅ `golang:1.21-alpine` - Official Go image
- ✅ `gcr.io/distroless/static` - Google's distroless
- ❌ No custom or untrusted base images
#### 9. Clear Tagging Strategy ✅

**Requirement:** Consistent version tagging

**Implementation:**

```text
# Semantic versioning
dck:1.0.0    # Specific version
dck:1.0      # Minor version
dck:1        # Major version
dck:latest   # Latest stable

# Variant tags
dck:1.0.0-minimal
dck:1.0.0-distroless
dck:1.0.0-alpine
```
#### 10. No Root by Default ✅

**Requirement:** Containers must not run as root

**Implementation:**

```dockerfile
# Create user with specific UID
RUN addgroup -g 1000 dck && \
    adduser -D -u 1000 -G dck -s /bin/bash dck

# Switch to non-root user
USER dck

# Verify non-root
RUN whoami  # Should output: dck
```
#### 11. Architecture Support ✅

**Requirement:** Multi-architecture support

**Implementation:**

The syntax directive must be the very first line of the Dockerfile; BuildKit ignores it if any other line, even a comment, precedes it:

```dockerfile
# syntax=docker/dockerfile:1.4
# BuildKit cross-compilation support
```

Multi-platform build:

```bash
docker buildx build \
  --platform linux/amd64,linux/arm64 \
  -t dck:latest .
```
#### 12. License Compliance ✅

**Requirement:** Clear licensing

**Implementation:**

- ✅ LICENSE file in repository
- ✅ License headers in source files
- ✅ SPDX identifiers in metadata
- ✅ No proprietary dependencies
#### 13. Maintenance Contact ✅

**Requirement:** Active maintainer contact

**Implementation:**

```dockerfile
LABEL maintainer="DCK Team" \
      org.opencontainers.image.authors="dck@phdsystems.com" \
      org.opencontainers.image.vendor="PHD Systems"
```
#### 14. Build Context Optimization ✅

**Requirement:** Minimal build context

**Implementation in .dockerignore:**

```text
# Version control
.git
.github

# Development
*.md
docs/
tests/
*.log

# Secrets
.env
*.key
*.pem

# Build artifacts
*.tar
*.zip
```
#### 15. Entrypoint Best Practices ✅

**Requirement:** Proper ENTRYPOINT/CMD usage

**Implementation:**

```dockerfile
# Executable as ENTRYPOINT
ENTRYPOINT ["dck"]

# Default arguments as CMD
CMD ["--help"]

# Allows both:
#   docker run dck:latest            # Shows help
#   docker run dck:latest version    # Runs version command
```

### Validation Checklist
| Requirement | Status | Evidence |
|---|---|---|
| Documentation | ✅ | README.md, docs/ |
| Best Practices | ✅ | Hadolint passing |
| Reproducibility | ✅ | Pinned versions |
| Multiple Variants | ✅ | 4 Dockerfiles |
| Regular Updates | ✅ | GitHub Actions |
| Security Scanning | ✅ | Trivy, Scout |
| Minimal Layers | ✅ | Optimized COPY |
| Official Base | ✅ | Alpine official |
| Version Tags | ✅ | Semantic versioning |
| Non-root | ✅ | USER dck |
| Multi-arch | ✅ | BuildKit support |
| License | ✅ | MIT License |
| Maintainer | ✅ | Labels present |
| Build Context | ✅ | .dockerignore |
| Entrypoint | ✅ | Proper usage |
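Several rows of this checklist (Non-root, Maintainer, Entrypoint, and the HEALTHCHECK from requirement 2) are properties of the built image's configuration, so they can be verified from `docker inspect` output instead of by reading the Dockerfile. The script below is an added example, not DockerKit code: it reads the `Config` object from inspect JSON and returns a list of findings. The two inspect documents it carries are constructed samples shaped like real `docker inspect` output; the file name in the usage comment is hypothetical.

```python
"""Validate an image's config from `docker inspect` output (added example)."""
import json
import sys

# Labels the checklist expects (requirement 13 plus the source label from requirement 2).
REQUIRED_LABELS = (
    "maintainer",
    "org.opencontainers.image.authors",
    "org.opencontainers.image.source",
)

# Constructed sample: the Config of a compliant image, shaped like docker inspect output.
SAMPLE_GOOD = json.dumps([{
    "Id": "sha256:placeholder",
    "Config": {
        "User": "dck",
        "Entrypoint": ["dck"],
        "Cmd": ["--help"],
        "Healthcheck": {
            "Test": ["CMD-SHELL", "dck version || exit 1"],
            "Interval": 30_000_000_000,
            "Timeout": 3_000_000_000,
        },
        "Labels": {
            "maintainer": "DCK Team",
            "org.opencontainers.image.authors": "dck@phdsystems.com",
            "org.opencontainers.image.source": "https://github.com/phdsystems/dck",
        },
    },
}])

# Constructed sample: an image that violates several of the requirements.
SAMPLE_BAD = json.dumps([{
    "Id": "sha256:placeholder",
    "Config": {
        "User": "",                              # empty means root
        "Entrypoint": ["/bin/sh", "-c", "dck"],  # shell-form ENTRYPOINT
        "Cmd": None,
        "Labels": {"maintainer": "DCK Team"},
    },
}])


def is_root_user(user):
    """True when USER resolves to root: empty, 'root', or uid 0 (with or without a group)."""
    if not user:
        return True
    uid = user.split(":", 1)[0]
    return uid in ("root", "0")


def check_image_config(inspect_json):
    """Return a list of findings; an empty list means the config passes every check."""
    cfg = json.loads(inspect_json)[0]["Config"]
    findings = []

    user = cfg.get("User") or ""
    if is_root_user(user):
        findings.append(f"runs as root (User={user!r})")

    # docker inspect reports a disabled health check as Test == ["NONE"].
    hc = cfg.get("Healthcheck") or {}
    if not hc or hc.get("Test", ["NONE"])[:1] == ["NONE"]:
        findings.append("no HEALTHCHECK")

    ep = cfg.get("Entrypoint") or []
    if not ep:
        findings.append("no ENTRYPOINT")
    elif ep[:2] == ["/bin/sh", "-c"]:
        # Shell form wraps the binary in `sh -c`, so it is not PID 1 and misses SIGTERM.
        findings.append("ENTRYPOINT uses shell form")

    labels = cfg.get("Labels") or {}
    for key in REQUIRED_LABELS:
        if not labels.get(key):
            findings.append(f"missing label {key}")
    return findings


if __name__ == "__main__":
    # Usage: docker inspect dck:test | python3 check_image.py   (file name is hypothetical)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    for finding in check_image_config(source) or ["OK: all checks passed"]:
        print(finding)
```

Checking the built image rather than the Dockerfile catches cases the source cannot show, such as a base image whose own `USER` or `ENTRYPOINT` differs from what the final stage assumes, and it works the same for all four variants.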
### Testing Commands

#### Build Validation

```bash
# Lint Dockerfile
hadolint Dockerfile

# Build with BuildKit
DOCKER_BUILDKIT=1 docker build -t dck:test .

# Test non-root user (--entrypoint bypasses ENTRYPOINT ["dck"], which
# would otherwise run `dck whoami`)
docker run --rm --entrypoint whoami dck:test
# Expected: dck

# Test health check
docker run --name test -d dck:test
# The status reads "starting" until the first probe runs after --interval (30s)
sleep 35
docker inspect test --format='{{.State.Health.Status}}'
# Expected: healthy
docker rm -f test
```

#### Security Validation

```bash
# Check for vulnerabilities
trivy image dck:test

# Verify no root
docker run --rm --entrypoint id dck:test
# Expected: uid=1000(dck) gid=1000(dck)

# Check image layers
docker history dck:test
```
### Submission Process

To submit as Docker Official Image:

- Fork docker-library/official-images
- Add library/dck file:

  ```text
  Maintainers: DCK Team <dck@phdsystems.com>
  GitRepo: https://github.com/phdsystems/dck.git
  Tags: 1.0.0, 1.0, 1, latest
  Architectures: amd64, arm64v8
  GitCommit: abc123...
  Directory: .
  ```

- Submit Pull Request
- Address Review Feedback