docker-workflows
Install: claude install-skill Goodsmileduck/claude-registry
# Docker — Dockerfile and compose review
For Kubernetes manifests and pod debugging, see the `kubernetes-operations` skill. For Helm charts, see `kubernetes-operators` (if shipped as an operator) or chart-specific tooling.
## When to invoke
Open with the static analyzers — they're stdlib Python, fast, deterministic:
```bash
SKILL=plugins/kubernetes-skills/skills/docker-workflows
python3 "$SKILL/scripts/dockerfile_analyzer.py" Dockerfile
python3 "$SKILL/scripts/compose_validator.py" docker-compose.yml
```
Both accept `--output json` for piping. `dockerfile_analyzer.py --security` narrows to security findings only. `compose_validator.py --strict` fails on warnings.
Read the findings before suggesting changes. The analyzer surfaces ~80% of routine issues; reserve LLM judgment for the rest.
## Pre-flight: what's the image FOR?
Image strategy follows the workload, not vice versa.
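
One way to check a Dockerfile's final stage against the base-image defaults tabulated in this section. This is an added example, not the skill's `dockerfile_analyzer.py`; the function names, workload labels and sample Dockerfile are assumptions, and `FROM` lines that use line continuations or `ARG` substitution are not resolved.

```python
import re

# Added example: the rules restate this section's base-image table.
# Hypothetical helper names; not the skill's own analyzer.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?",
    re.IGNORECASE)

def final_stage_base(text):
    """Return the external image under the last stage, following stage aliases."""
    aliases, base = {}, None
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        # "FROM build" reuses an earlier stage; stage names are case-insensitive.
        base = aliases.get(image.lower(), image)
        if m.group("alias"):
            aliases[m.group("alias").lower()] = base
    if base is None:
        raise ValueError("no FROM instruction found")
    return base

def split_ref(ref):
    """Split repo[:tag][@digest] into (repo, tag); a registry port is not a tag."""
    ref = ref.split("@", 1)[0]
    repo, sep, tag = ref.rpartition(":")
    return (ref, "") if not sep or "/" in tag else (repo, tag)

def check_runtime_base(text, workload):
    """Compare the final stage with the table default for `workload`."""
    repo, tag = split_ref(final_stage_base(text))
    findings = []
    if workload == "compiled" and repo != "scratch" and "distroless" not in repo:
        findings.append("final stage is neither distroless nor scratch: a shell ships to prod")
    if workload == "python" and "alpine" in tag:
        findings.append("Alpine (musl) breaks many wheels: table default is python:3.X-slim")
    if workload == "java" and "jdk" in tag:
        findings.append("runtime stage should be JRE-only, not JDK")
    return findings

# Constructed sample: the build stage is reused as the runtime stage.
SAMPLE_GO = """\
FROM --platform=$BUILDPLATFORM golang:1.22 AS build
RUN go build -o /app ./cmd/app
FROM build
ENTRYPOINT ["/app"]
"""
```
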
| Workload | Base image default | Why |
|---|---|---|
| Compiled binary (Go, Rust) | `gcr.io/distroless/static-debian12` or `scratch` | No shell, no libc — tiny attack surface |
| Compiled w/ glibc deps (CGo) | `gcr.io/distroless/base-debian12` | Has glibc + ca-certs, no shell |
| Python | `python:3.X-slim` (Debian) | Alpine's musl breaks many wheels (pandas, lxml) |
| Node.js | `node:X-alpine` | musl is fine for pure JS; switch to slim if native modules struggle |
| Java | `eclipse-temurin:X-jre-alpine` | JRE-only, not JDK, in runtime stage |
| Need a shell for prod debug | `*-slim` variant | di