Container & Docker Hygiene rules

Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.

Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.

Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.

Base images must be pinned to an exact version and content digest (@sha256) to guarantee reproducible builds and supply-chain integrity.

Write ePHI backups to storage with server-side encryption (SSE-KMS) and least-privilege access; disallow public ACLs and cross-account access without a BAA. Record the KMS key id in metadata.

Use `npm ci` for reproducible installs in build stages; in runtime, run `npm prune --omit=dev` or install with `--omit=dev`.

If a single-stage image must build native deps, remove compilers/headers after install and clear package caches in the same layer.

Deduplicate near-identical Dockerfiles by sharing a common base stage (multi-stage) and varying only service-specific steps via build args/targets.

Parameterize tool/runtime versions via ARGs (and CI build args) instead of hardcoding them across multiple Dockerfiles.

Copy and install dependencies before application sources; ensure .dockerignore excludes node_modules and build outputs.

Use a fully qualified Node.js tag including major.minor.patch, not floating majors/minors.

Ship only runtime artifacts (binaries, compiled assets, minimal configs). Exclude tests, sources, docs, and dev tooling.