Docker & Containers implementation checklist

This checklist provides actionable verification steps for securing, optimizing, and deploying Docker containers to production environments. It focuses on reducing attack surfaces, ensuring resource availability, and maintaining operational visibility.

Image Hardening and Optimization

  • Implement Non-Root User (critical)

    Verify the Dockerfile includes a 'USER' instruction with a specific UID/GID to prevent the container from running as root.

  • Pin Base Image Versions (critical)

    Replace 'latest' tags with specific version numbers or SHA256 digests to ensure build reproducibility and prevent breaking changes.

  • Utilize Multi-Stage Builds (recommended)

    Separate the build environment from the runtime environment to ensure the production image contains only the compiled binary and necessary dependencies.

  • Clean Package Manager Caches (recommended)

    Ensure 'apt-get clean' or equivalent commands are executed within the same 'RUN' layer as package installation to minimize image size.

  • Scan for Vulnerabilities (critical)

    Run an automated scan using Trivy or Docker Scout and verify that no 'Critical' or 'High' severity CVEs exist in the final image.
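The Image Hardening items above, as a small Dockerfile lint added here (example code, not from the checklist page). It assumes a Debian-based final stage for the 'apt-get clean' check, and the sample Dockerfile is constructed to fail several of the items on purpose.

```python
"""Added example (not from the checklist page): lint a Dockerfile for the
Image Hardening items above; the sample Dockerfile is constructed to fail some."""
import re

# Constructed sample: multi-stage, but with an unpinned builder image, no USER,
# and 'apt-get clean' in a separate layer from the install.
SAMPLE_DOCKERFILE = """\
FROM golang:latest AS build
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates
RUN apt-get clean
COPY --from=build /app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
"""

def parse_instructions(text):
    """Join backslash continuations, drop comments, return (INSTRUCTION, args) pairs."""
    pairs = []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            inst, _, args = line.partition(" ")
            pairs.append((inst.upper(), args.strip()))
    return pairs

def lint_dockerfile(text):
    """Return checklist findings; an empty list means every check passed."""
    inst = parse_instructions(text)
    findings = []
    froms = [args.split()[0] for i, args in inst if i == "FROM"]  # strip 'AS <stage>'
    for ref in froms:
        # Pinned means an explicit digest or a tag other than 'latest'.
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"unpinned base image: {ref}")
    if len(froms) < 2:
        findings.append("single-stage build: consider a multi-stage build")
    users = [args for i, args in inst if i == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a USER <uid>:<gid> instruction")
    for i, args in inst:
        if i == "RUN" and "apt-get install" in args and "apt-get clean" not in args:
            findings.append("apt-get install without apt-get clean in the same RUN layer")
    return findings
```

The vulnerability-scan item is left to Trivy or Docker Scout, as the checklist says; the lint only covers what can be read from the Dockerfile text.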

Resource Management

  • Define Memory Limits (critical)

    Set hard memory limits (e.g., 'mem_limit' in Compose) to prevent a single container from causing host-wide Out-Of-Memory (OOM) events.

  • Set CPU Reservations (critical)

    Configure CPU limits or shares to ensure the host scheduler provides enough cycles for critical system processes and other containers.

  • Configure Restart Policies (critical)

    Set the restart policy to 'unless-stopped' or 'on-failure' to ensure service availability after crashes or host reboots.

  • Enable Log Rotation (critical)

    Configure the 'json-file' or 'journald' log driver with 'max-size' and 'max-file' options to prevent disk exhaustion from container logs.

  • Set Ulimits (recommended)

    Adjust 'nofile' and 'nproc' ulimits in the container configuration to handle the expected number of concurrent connections or processes.

Networking and Security

  • Use Custom Bridge Networks (critical)

    Verify that containers are attached to user-defined bridge networks rather than the default bridge to enable automatic DNS resolution and isolation.

  • Restrict Port Exposure (critical)

    Audit the 'EXPOSE' instruction and '-p' flags to ensure only the minimum required ports are accessible to the host or external network.

  • Apply Read-Only Root Filesystem (recommended)

    Run the container with the '--read-only' flag and use temporary volumes for directories requiring write access (e.g., /tmp).

  • Disable Inter-Container Communication (optional)

    Where isolation is required, set '--icc=false' on the Docker daemon or use network aliases to strictly control traffic between services.

  • Enable No-New-Privileges (recommended)

    Set the 'no-new-privileges' security option to prevent processes from gaining new privileges via setuid or setgid binaries.

Storage and Persistence

  • Use Named Volumes for Persistence (critical)

    Ensure all stateful data is stored in named Docker volumes rather than the container's writable layer to prevent data loss during container recreation.

  • Avoid Bind Mounts in Production (recommended)

    Replace host bind mounts with named volumes or specialized drivers to reduce dependency on specific host filesystem paths.

  • Verify Volume Backup Strategy (critical)

    Test the restoration process of volume data from snapshots or off-site backups to ensure business continuity.

  • Clean Up Unused Volumes (optional)

    Implement a routine 'docker volume prune' or manual audit to reclaim disk space from orphaned volumes.

  • Set Volume Mount Permissions (recommended)

    Explicitly set the ':ro' (read-only) flag on volume mounts that the container should not have permission to modify.

Runtime and Observability

  • Define Healthchecks (critical)

    Include a 'HEALTHCHECK' instruction that verifies the application is actually serving requests, not just that the process is running.

  • Handle SIGTERM Gracefully (critical)

    Verify the application responds to SIGTERM by closing database connections and finishing active requests within the stop grace period.

  • Externalize Secrets (critical)

    Confirm no secrets (API keys, passwords) are stored in environment variables visible to 'docker inspect'; use Docker Secrets or a Vault provider.

  • Standardize Logging (critical)

    Ensure the application logs exclusively to stdout and stderr to allow the Docker daemon to capture and forward logs to a central aggregator.

  • Use .dockerignore (critical)

    Verify a .dockerignore file exists to prevent sensitive local files (.env, .git, SSH keys) from being copied into the image build context.
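The Resource Management, Networking and Security, Storage and Persistence, and Runtime and Observability items above, as one audit over 'docker inspect' output (added example, not from the checklist page). The inspect document is a constructed sample reduced to the fields the audit reads; the secret-name pattern and the finding texts are this example's own choices.

```python
"""Added example (not from the checklist page): audit a container's 'docker inspect'
output for the Resource, Networking, Storage and Runtime items above."""
import json
import re

# Constructed sample in docker inspect's shape, trimmed to the fields the audit reads.
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": "10001:10001",
               "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"],
               "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:8080/health"]}},
    "HostConfig": {"Memory": 0, "ReadonlyRootfs": True,
                   "SecurityOpt": ["no-new-privileges:true"],
                   "RestartPolicy": {"Name": "unless-stopped"},
                   "LogConfig": {"Type": "json-file", "Config": {"max-size": "10m"}},
                   "Ulimits": [{"Name": "nofile", "Soft": 65536, "Hard": 65536}],
                   "NetworkMode": "bridge"},
    "Mounts": [{"Type": "volume", "Name": "appdata", "Destination": "/data", "RW": True},
               {"Type": "bind", "Source": "/etc/app", "Destination": "/etc/app", "RW": True}],
}])

SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.I)  # heuristic, this example's choice

def audit_container(inspect_json):
    """Return checklist findings for the first container in a docker inspect document."""
    c = json.loads(inspect_json)[0]
    cfg, hc = c.get("Config") or {}, c.get("HostConfig") or {}
    log_opts = set((hc.get("LogConfig") or {}).get("Config") or {})
    health = (cfg.get("Healthcheck") or {}).get("Test") or ["NONE"]
    ulimits = {u["Name"] for u in hc.get("Ulimits") or []}
    sec_opts = hc.get("SecurityOpt") or []
    env_keys = [e.split("=", 1)[0] for e in cfg.get("Env") or []]
    checks = [  # (passed?, finding text)
        (hc.get("Memory", 0) > 0, "no hard memory limit (HostConfig.Memory is 0)"),
        ((hc.get("RestartPolicy") or {}).get("Name") in ("unless-stopped", "on-failure"),
         "restart policy is not unless-stopped or on-failure"),
        ((hc.get("LogConfig") or {}).get("Type") != "json-file" or {"max-size", "max-file"} <= log_opts,
         "json-file log driver without both max-size and max-file"),
        (ulimits & {"nofile", "nproc"}, "no nofile/nproc ulimit configured"),
        (hc.get("NetworkMode") not in ("bridge", "default"), "attached to the default bridge network"),
        (hc.get("ReadonlyRootfs") is True, "root filesystem is writable (no --read-only)"),
        (any(o.startswith("no-new-privileges") for o in sec_opts), "no-new-privileges is not set"),
        (not [m for m in c.get("Mounts") or [] if m.get("Type") == "bind"],
         "bind mount present; prefer named volumes in production"),
        (health[0] != "NONE", "no HEALTHCHECK configured"),
        (not [k for k in env_keys if SECRET_KEY.search(k)],
         "secret-looking environment variable visible to docker inspect"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Feed it real output with `docker inspect <container>` piped to a file; items that need judgement (port exposure, ':ro' on specific mounts, SIGTERM handling, backup restores) are left to manual review.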