---
description: "Docker and Docker Compose conventions: multi-stage builds, security, image pinning, health checks"
globs: ["**/Dockerfile*", "**/docker-compose*", "**/.dockerignore"]
---

# Docker

- Use multi-stage builds to minimize image size
- Pin base image versions (never use `:latest` in production)
- Use `.dockerignore` to exclude build artifacts, `.git`, `node_modules`, etc.
- Run as a non-root user in production containers
- Use `COPY` over `ADD`; order layers from least to most frequently changed
- Use health checks in docker-compose and Dockerfiles
- Use named volumes for persistent data; never store state in the container filesystem
- Centralize environment configuration; use `.env` files only for local dev
- Keep services focused: one process per container
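A Dockerfile that applies these conventions together, added here as an illustration and not a file from this project. The Node image tag, the application layout (`dist/server.js`, `npm run build`) and the `/healthz` endpoint are assumptions; it also assumes a `.dockerignore` that excludes `.git` and `node_modules` so `COPY . .` does not pull them into the build context.

```dockerfile
# syntax=docker/dockerfile:1

# ---- build stage: has dev dependencies and build tooling, never shipped ----
# Pinned tag (assumed to exist); in production prefer an immutable digest, e.g.
#   FROM node:20.11.1-bookworm-slim@sha256:<digest-from-your-registry>
FROM node:20.11.1-bookworm-slim AS build
WORKDIR /app

# Layer ordering: dependency manifests change rarely, so copy them first and
# let the `npm ci` layer stay cached across source-only edits.
COPY package.json package-lock.json ./
RUN npm ci

# Application source changes most often, so it is copied last in this stage.
# A .dockerignore (assumed) keeps .git and node_modules out of the context.
COPY . .
RUN npm run build && npm prune --omit=dev

# ---- runtime stage: minimal, non-root, only the built output ----
FROM node:20.11.1-bookworm-slim AS runtime
ENV NODE_ENV=production
WORKDIR /app

# Create an unprivileged service account (the official node image also ships
# a `node` user that could be used instead).
RUN groupadd --system app && useradd --system --gid app --no-create-home app

# COPY rather than ADD: no implicit tar extraction or remote URL fetching.
# Only runtime files come over from the build stage, owned by the app user.
COPY --from=build --chown=app:app /app/package.json ./
COPY --from=build --chown=app:app /app/node_modules ./node_modules
COPY --from=build --chown=app:app /app/dist ./dist

USER app
EXPOSE 3000

# Orchestrators and `docker compose` restart or stop routing to a container
# whose health check fails. Assumes the app answers GET /healthz on port 3000
# (hypothetical endpoint); Node 20 provides a global fetch().
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD node -e "fetch('http://127.0.0.1:3000/healthz').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"

# Exec form: the node process is PID 1 and receives SIGTERM directly,
# keeping to one process per container.
CMD ["node", "dist/server.js"]
```

State such as uploads or databases belongs in a named volume declared in the compose file, not under `/app` in this image.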