Dockerfile Generator
Build a production-ready Dockerfile with multi-stage builds, security hardening, and best-practice validation. 100% client-side — nothing leaves your browser.
```dockerfile
# Generated by RawOps.dev — Dockerfile Generator
# Mode: nodejs
# ═══ Build stage ═══
FROM node:22-alpine AS builder
WORKDIR /app
# Copy dependency files
COPY package.json package-lock.json* ./
# Install dependencies
RUN npm ci --ignore-scripts
# Copy source and build
COPY . .
RUN npm run build
# ═══ Runtime stage ═══
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
# Create non-root user
RUN addgroup --gid 1001 appuser && \
    adduser --uid 1001 --ingroup appuser --disabled-password --gecos "" appuser
# Copy built application
COPY --from=builder /app/dist ./dist
# npm ci needs the lockfile as well as package.json
COPY --from=builder /app/package.json /app/package-lock.json ./
# Install production dependencies only
RUN npm ci --omit=dev --ignore-scripts && npm cache clean --force
USER appuser
EXPOSE 3000
CMD ["node", "dist/index.js"]
```
Quick Recipes
Click a recipe to populate the form with a production-ready Dockerfile configuration.
Dockerfile Best Practices Guide
A Dockerfile is a text file that contains instructions for building a Docker container image. Each instruction creates a layer in the image, and understanding how layers work is key to building efficient, secure containers.
Multi-Stage Builds
Multi-stage builds use multiple FROM statements to separate the build environment from the runtime environment. The builder stage contains compilers, build tools, and dev dependencies. The runtime stage only contains the compiled application and production dependencies. This reduces image size by 10-100x and eliminates build tools from the attack surface.
```dockerfile
# Build stage — has Node.js, npm, devDependencies
FROM node:22-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

# Runtime stage — only production files
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
COPY --from=builder /app/dist ./dist
# npm ci needs the lockfile as well as package.json
COPY --from=builder /app/package.json /app/package-lock.json ./
RUN npm ci --omit=dev
USER 1001
CMD ["node", "dist/index.js"]
```
Base Image Comparison
| Image | Size | Shell | Use Case |
|---|---|---|---|
| scratch | 0 MB | No | Static Go/Rust binaries |
| distroless | ~2 MB | No | Go, Java, Python (minimal runtime) |
| alpine | ~5 MB | Yes | Most languages (small + debuggable) |
| slim (Debian) | ~80 MB | Yes | Python, Node.js (glibc-compatible) |
| full (Ubuntu) | ~130 MB | Yes | Dev containers, complex native deps |
Dockerfile Instruction Reference
| Instruction | Purpose | Layer? |
|---|---|---|
| FROM | Set base image for build stage | Yes |
| WORKDIR | Set working directory | Yes |
| COPY | Copy files from host or build stage | Yes |
| RUN | Execute command and commit result | Yes |
| ENV | Set environment variable | Yes |
| ARG | Build-time variable | No |
| EXPOSE | Document container port | No |
| USER | Set user for subsequent commands | No |
| HEALTHCHECK | Container health monitoring | No |
| ENTRYPOINT | Container entrypoint (not overridden) | No |
| CMD | Default command (overridden at runtime) | No |
Security Best Practices
- Run as non-root — always add a `USER` instruction. Root in a container is root on the host if the container escapes.
- Pin image versions — use `node:22-alpine` not `node:latest`. Reproducible builds prevent supply chain surprises.
- Use .dockerignore — exclude `.git`, `.env`, `node_modules` from the build context. Prevents secrets from leaking into images — run our Secrets Scanner to catch credentials before they end up in an image.
- Separate build and runtime — multi-stage builds keep compilers, SDKs, and dev dependencies out of the final image.
- Scan images — use `docker scout cves` or Trivy to find known vulnerabilities before deploying.
- Lint your Dockerfile — use our Dockerfile Linter to catch security issues, anti-patterns, and get an auto-fixed version.
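The non-root, pinned-version, and multi-stage items in this list can be checked mechanically before a build. The following is an added example, not RawOps.dev's linter code: `auditDockerfile` and its finding strings are hypothetical names, and the two sample Dockerfiles are constructed.

```javascript
// Added example: auditDockerfile and its finding codes are hypothetical names.
function auditDockerfile(text) {
  // Join backslash continuations, then drop comments and blank lines.
  const lines = text.replace(/\\\r?\n/g, ' ').split(/\r?\n/)
    .map((l) => l.trim()).filter((l) => l && !l.startsWith('#'));
  const stages = [];
  const byAlias = new Map(); // "AS <name>" -> stage, so FROM <name> is not read as an image
  const findings = [];
  for (const line of lines) {
    const [instr, ...args] = line.split(/\s+/);
    const op = instr.toUpperCase();
    if (op === 'FROM') {
      const rest = args.filter((a) => !a.startsWith('--')); // skip --platform=...
      const image = rest[0] || '';
      const parent = byAlias.get(image.toLowerCase());
      if (!parent && image !== 'scratch' && !image.includes('@sha256:')) {
        // Take the tag after the last "/", so a registry port is not mistaken for one.
        const tag = image.split('/').pop().split(':')[1];
        if (!tag || tag === 'latest') findings.push(`unpinned-image: ${image}`);
      }
      // A stage built FROM an earlier stage inherits that stage's USER.
      const stage = { image, user: parent ? parent.user : null };
      if (/^as$/i.test(rest[1] || '') && rest[2]) byAlias.set(rest[2].toLowerCase(), stage);
      stages.push(stage);
    } else if (op === 'USER' && stages.length) {
      stages[stages.length - 1].user = args[0] || null;
    }
  }
  if (stages.length === 0) return ['no-from'];
  if (stages.length === 1) findings.push('single-stage');
  // Only the last stage is shipped, so only its effective USER matters.
  const user = stages[stages.length - 1].user;
  const name = user ? user.split(':')[0] : null;
  if (!name) findings.push('no-user-in-final-stage');
  else if (name === 'root' || name === '0') findings.push(`root-user: ${user}`);
  return findings;
}

// Constructed sample inputs (not taken from a real project).
const HARDENED = `FROM node:22-alpine AS builder
FROM node:22-alpine AS runner
COPY --from=builder /app/dist ./dist
USER appuser
CMD ["node", "dist/index.js"]`;
const WEAK = `FROM node:latest AS builder
USER appuser
FROM node
CMD ["node", "dist/index.js"]`;
console.log(auditDockerfile(HARDENED), auditDockerfile(WEAK));
```

A `USER` set only in the builder stage does not count, which is why `WEAK` is still reported; a `USER` that the base image itself sets is not visible to this check.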
Optimization Tips
- Leverage layer caching — copy dependency files (package.json, requirements.txt) before source code. Dependencies change less often than source.
- Combine RUN commands — each RUN creates a layer. Combine with `&&` and clean up in the same layer.
- Use .dockerignore — reduces build context size and speeds up `docker build`.
- Choose minimal base images — Alpine (~5MB) over Ubuntu (~130MB) for most use cases.
Privacy First
All Dockerfile generation happens entirely in your browser using JavaScript. Your image names, environment variables, build commands, and infrastructure details are never sent to any server. This tool has zero backend dependencies.