Docker and container infrastructure skill: Dockerfiles, multi-stage builds, Compose, networking, volumes, health checks, registries, BuildKit, security hardening, CI/CD integration, debugging, and orchestration patterns. Use when the task touches container configuration, images, or deployment infrastructure.
Non-negotiable rules:
- Read `references/stack.md` first to determine the project's base images, registry, and build conventions.
- Run as non-root: set a `USER` directive.
- No `ARG`/`ENV` for passwords, no `COPY .env`, no secrets in build layers.
- Pin base image versions: `node:22-slim`, not `node:latest`. Use digest pinning for critical images.
- `.dockerignore` is mandatory — exclude `node_modules`, `.git`, `.env`, `dist`, test artifacts.
- Use `--frozen-lockfile` / `--ci` for reproducible installs.
</EXTREMELY-IMPORTANT>
`$request`: The Docker task — Dockerfile, Compose, registry, optimization, or debugging target.

Route Docker work through proven container patterns so images are small, secure, reproducible, and follow the project's infrastructure conventions.
Always start with:
`references/stack.md`

That establishes: base images, registry, build tool (Docker/BuildKit/Podman), CI integration, and locked conventions.
Success criteria: The project's container infrastructure choices are explicit before writing any Dockerfile or Compose config.
Use the routing table to pick reference files. Do not bulk-load the full reference tree.
| Task | Read |
|---|---|
| Base images, registry, build conventions, CI | references/stack.md |
| Writing or editing a Dockerfile | references/dockerfile.md |
| Multi-stage builds, layer optimization, caching | references/multi-stage.md |
| docker-compose services, networking, volumes | references/compose.md |
| .dockerignore, build context optimization | references/build-context.md |
| Health checks, readiness, startup probes | references/health-checks.md |
| Security: non-root, read-only FS, capabilities, scanning | references/security.md |
| Image size optimization, distroless, slim, alpine | references/image-optimization.md |
| Registry: push, pull, tagging, ECR/GCR/GHCR/DockerHub | references/registry.md |
| BuildKit features, cache mounts, secret mounts | references/buildkit.md |
| CI/CD: GitHub Actions, GitLab CI, build+push pipelines | references/ci-cd.md |
| Debugging: logs, exec, inspect, networking issues | references/debugging.md |
| Language-specific: Node.js, Python, Go, Rust, Java | references/language-patterns.md |
| Volumes, bind mounts, tmpfs, named volumes | references/volumes.md |
| Networking: bridge, host, overlay, DNS, port mapping | references/networking.md |
Multiple tasks? Read multiple files. The references are self-contained.
Success criteria: Only the task-relevant Docker conventions are in play.
Keep these rules active:
- `.dockerignore` excludes everything unnecessary from build context.
- No `:latest` in production.
- Non-root `USER` in the final stage.
- `COPY` only what's needed in each stage — not the entire repo.
- No secrets via `ARG`, `ENV`, or `COPY` — use BuildKit `--mount=type=secret`.
- Chain `RUN` commands to minimize layers — but keep readability.

Success criteria: The container is small, secure, reproducible, and follows the project's conventions.
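A Dockerfile that applies every rule in the two lists above, as an added example (not code from this skill's `references/`). It assumes a TypeScript Node.js service whose `npm run build` emits `dist/server.js`, listening on port 3000 with a `GET /health` endpoint, and a private-registry `.npmrc` supplied as a BuildKit secret; the stage names `deps`, `build`, `runtime` and the secret id `npmrc` are chosen here.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not code from the skill's references. Assumptions: a Node.js
# service listening on 3000 with GET /health, package-lock.json as lockfile,
# and private-registry auth supplied via an .npmrc passed as a BuildKit secret.
# Pin to a digest for critical images by overriding NODE_IMAGE, e.g.
#   --build-arg NODE_IMAGE=node:22-slim@sha256:<digest from docker pull>
ARG NODE_IMAGE=node:22-slim

# ---- deps: production dependencies, exactly as the lockfile says ----------
FROM ${NODE_IMAGE} AS deps
WORKDIR /app
# Copy only the manifests so this layer stays cached until they change.
COPY package.json package-lock.json ./
# The registry token is mounted for this RUN only and never lands in a layer.
# Build with: docker build --secret id=npmrc,src=$HOME/.npmrc .
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    --mount=type=cache,target=/root/.npm \
    npm ci --omit=dev --ignore-scripts

# ---- build: compile with dev dependencies, but never ship them ------------
FROM ${NODE_IMAGE} AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    --mount=type=cache,target=/root/.npm \
    npm ci --ignore-scripts
# COPY only what this stage needs, not the whole repo.
COPY tsconfig.json ./
COPY src ./src
RUN npm run build

# ---- runtime: minimal, non-root, health-checked ---------------------------
FROM ${NODE_IMAGE} AS runtime
ENV NODE_ENV=production PORT=3000
WORKDIR /app
COPY --from=deps  --chown=node:node /app/node_modules ./node_modules
COPY --from=build --chown=node:node /app/dist ./dist
COPY --chown=node:node package.json ./
# Final stage runs as the unprivileged `node` user the base image ships with.
USER node
EXPOSE 3000
# node:22-slim has no curl; Node 22's built-in fetch does the probe instead.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD node -e "fetch('http://127.0.0.1:3000/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
CMD ["node", "dist/server.js"]
```

Pair it with a `.dockerignore` that excludes `node_modules`, `.git`, `.env`, `dist` and test artifacts; `COPY src ./src` limits what enters the image, but without `.dockerignore` the whole tree is still uploaded as build context.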
Use the narrowest relevant verification:
- `docker build` succeeds.
- `.dockerignore` excludes the right files (`docker build --dry-run` or check context size).
- Inspect layers with `docker history` or `docker inspect`.

Success criteria: The image builds, runs, and passes basic health validation.
Do not:
- Load more than `SKILL.md` plus the routed reference files.
- Skip `references/stack.md`.
- Use `:latest` tags for base images in production Dockerfiles.
- `COPY . .` without a proper `.dockerignore`.
- Set `disable-model-invocation`; this is a normal domain skill.

Read `references/stack.md` always, then only the task-relevant files under `references/`.

Report: