LowFile-scopeDockerfile Plug & play

Remove unnecessary files from production images

Ship only runtime artifacts (binaries, compiled assets, minimal configs). Exclude tests, sources, docs, and dev tooling.

Why this matters

Smaller images pull faster, have fewer vulnerabilities, and reduce secrets exposure.

Side-by-side examples engineers can pattern-match during review.

Avoid

COPY . /app  # includes tests, .ts, docs, configs

Prefer

COPY --from=build /app/dist /app
RUN npm prune --omit=dev
# Include only what the process needs (configs, static assets)

Bad

COPY . /srv

Good

COPY --from=build /out /srv && prune dev deps

From the same buckets as this rule.

Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
High
Add explicit environment variable checks
Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.
config-environmentcontainer-docker-hygiene+1
High
Implement multi-stage builds for production
Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.
container-docker-hygienesecurity-hardening