dockerfile 17 lines · 1 tab

Dockerfile hardening for smaller safer containers

Kai Nakamura Apr 2026
1 tab
FROM ruby:3.3.1-slim AS base

RUN apt-get update \
  && apt-get install -y --no-install-recommends build-essential libpq-dev \
  && rm -rf /var/lib/apt/lists/*

WORKDIR /app
RUN groupadd --system app && useradd --system --gid app --create-home app

COPY Gemfile Gemfile.lock ./
RUN bundle config set deployment 'true' && bundle install --without development test

COPY . .
RUN chown -R app:app /app

USER app
CMD ["bundle", "exec", "puma", "-C", "config/puma.rb"]
1 file · dockerfile Explain with highlit

Container security starts with the image build. I use small trusted bases, non-root users, explicit file ownership, and multi-stage builds that leave tooling behind. The fewer packages and privileges in the final image, the less there is to exploit.

Share this code

Here's the card — post it anywhere.

Dockerfile hardening for smaller safer containers — share card
Link copied