LowFile-scopeDockerfile Plug & play

Choose appropriate npm commands for build stages

Use `npm ci` for reproducible installs in build stages; in runtime, run `npm prune --omit=dev` or install with `--omit=dev`.

Why this matters

Consistent dependency graphs improve reproducibility and reduce bloat in the final image.

Side-by-side examples engineers can pattern-match during review.

Avoid

RUN npm install  # mutates lockfile and installs dev deps

Prefer

RUN npm ci
# later in runtime stage
RUN npm prune --omit=dev

Bad

RUN npm install

Good

RUN npm ci && npm prune --omit=dev

From the same buckets as this rule.

Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
High
Add explicit environment variable checks
Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.
config-environmentcontainer-docker-hygiene+1
High
Implement multi-stage builds for production
Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.
container-docker-hygienesecurity-hardening