LowFile-scopeDockerfile Plug & play

Clean up build tools after dependency installation

If a single-stage image must build native deps, remove compilers/headers after install and clear package caches in the same layer.

Why this matters

Avoids shipping unnecessary toolchains and reduces image size and CVE surface.

Side-by-side examples engineers can pattern-match during review.

Avoid

RUN apk add --no-cache build-base python3 && npm ci
# toolchain left installed

Prefer

RUN apk add --no-cache build-base python3 \
 && npm ci \
 && apk del build-base python3 \
 && rm -rf /var/cache/apk/*

Bad

apt-get install build-essential && npm ci

Good

apt-get update && apt-get install ... && npm ci && apt-get purge -y ... && rm -rf /var/lib/apt/lists/*

From the same buckets as this rule.

Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
High
Add explicit environment variable checks
Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.
config-environmentcontainer-docker-hygiene+1
High
Implement multi-stage builds for production
Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.
container-docker-hygienesecurity-hardening