
ops-docker

Docker and Docker Compose containerization. Trigger when the user wants to dockerize an application or create containers.
christopherlouet/claude-base · ★ 4 · AI & Automation · score 83
Install: claude install-skill christopherlouet/claude-base
# Docker Containerization (pointer)

Dockerfile syntax, Compose schema and image-publish flows drift on each release and are canonical at:

- **Docker official** — [docs.docker.com](https://docs.docker.com) (Engine + Compose + Buildx)
- **Dockerfile best practices** — [docs.docker.com/develop/develop-images/dockerfile_best-practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- **Snyk Container Security** — [snyk.io/learn/container-security](https://snyk.io/learn/container-security/) (vulnerability scanning, base-image hardening)
- **Hadolint** — [github.com/hadolint/hadolint](https://github.com/hadolint/hadolint) (Dockerfile linter, CI-integrable)
- **Dive** — [github.com/wagoodman/dive](https://github.com/wagoodman/dive) (image layer analysis)

## Foundation discipline (keep across releases)

- **Multi-stage builds**: always separate build deps from the runtime image. The "node:20 with full npm" image weighs 1GB+; the runtime layer should be ~100MB. The build stage produces artifacts; the runtime stage copies them in.
- **Non-root user**: `RUN addgroup -S app && adduser -S app -G app`, then `USER app` as its own Dockerfile instruction — never run app code as root inside the container, even if "it's just a sandbox".
- **.dockerignore mandatory**: a forgotten `.git/` or `node_modules/` in the build context bloats images by hundreds of MB and leaks secrets. The `.dockerignore` rules mirror your `.gitignore` plus build artifacts.
- **HEALTHCHECK at the Dockerfile level**: not just at the orchestrat