Apply Docker best practices

org.openrewrite.docker.DockerBestPractices

Apply a set of Docker best practices to Dockerfiles. This recipe applies security hardening, build optimization, and maintainability improvements based on CIS Docker Benchmark and industry best practices.

Tags

• docker

Recipe source

GitHub: docker.yml, Issue Tracker, Maven Central

info

This recipe is composed of more than one recipe. If you want to customize the set of recipes this is composed of, you can find and copy the GitHub source for the recipe from the link above.

This recipe is available under the Apache License Version 2.0.

Definition

Recipe List

• Apply Docker security best practices
• Optimize Docker builds
• Normalize Docker Hub image names
• Use exec form for ENTRYPOINT and CMD

Yaml Recipe List

---
type: specs.openrewrite.org/v1beta/recipe
name: org.openrewrite.docker.DockerBestPractices
displayName: Apply Docker best practices
description: |
  Apply a set of Docker best practices to Dockerfiles. This recipe applies security hardening, build optimization, and maintainability improvements based on CIS Docker Benchmark and industry best practices.
tags:
  - docker
recipeList:
  - org.openrewrite.docker.DockerSecurityBestPractices
  - org.openrewrite.docker.DockerBuildOptimization
  - org.openrewrite.docker.NormalizeDockerHubImageName
  - org.openrewrite.docker.UseExecFormEntrypoint

Examples

Example 1

DockerBestPracticesTest#appliesBestPractices

docker

Before

FROM ubuntu:20.04
ADD app.jar /app/
RUN apt-get update
RUN apt-get install -y curl
ENTRYPOINT /app/start.sh

After

~~(EOL: ubuntu:20.04 (ended 2025-05-31, suggest plucky (26.04)))~~>~~(Missing HEALTHCHECK instruction)~~>FROM ubuntu:20.04
COPY app.jar /app/
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
ENTRYPOINT ["/app/start.sh"]
USER appuser

Diff

@@ -1,5 +1,5 @@
-FROM ubuntu:20.04
-ADD app.jar /app/
-RUN apt-get update
-RUN apt-get install -y curl
-ENTRYPOINT /app/start.sh
+~~(EOL: ubuntu:20.04 (ended 2025-05-31, suggest plucky (26.04)))~~>~~(Missing HEALTHCHECK instruction)~~>FROM ubuntu:20.04
+COPY app.jar /app/
+RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
+ENTRYPOINT ["/app/start.sh"]
+USER appuser

---

Example 2

DockerBestPracticesTest#appliesBestPractices

docker

Before

FROM ubuntu:20.04
ADD app.jar /app/
RUN apt-get update
RUN apt-get install -y curl
ENTRYPOINT /app/start.sh

After

~~(EOL: ubuntu:20.04 (ended 2025-05-31, suggest plucky (26.04)))~~>~~(Missing HEALTHCHECK instruction)~~>FROM ubuntu:20.04
COPY app.jar /app/
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
ENTRYPOINT ["/app/start.sh"]
USER appuser

Diff

@@ -1,5 +1,5 @@
-FROM ubuntu:20.04
-ADD app.jar /app/
-RUN apt-get update
-RUN apt-get install -y curl
-ENTRYPOINT /app/start.sh
+~~(EOL: ubuntu:20.04 (ended 2025-05-31, suggest plucky (26.04)))~~>~~(Missing HEALTHCHECK instruction)~~>FROM ubuntu:20.04
+COPY app.jar /app/
+RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
+ENTRYPOINT ["/app/start.sh"]
+USER appuser

Usage

This recipe has no required configuration parameters and comes from a rewrite core library. It can be activated directly without adding any dependencies.

Gradle

1. Add the following to your build.gradle file:
   build.gradle

   plugins {
       id("org.openrewrite.rewrite") version("latest.release")
   }
   
   rewrite {
       activeRecipe("org.openrewrite.docker.DockerBestPractices")
       setExportDatatables(true)
   }
   
   repositories {
       mavenCentral()
   }

2. Run gradle rewriteRun to run the recipe.

Gradle init script

1. Create a file named init.gradle in the root of your project.
   init.gradle

   initscript {
       repositories {
           maven { url "https://plugins.gradle.org/m2" }
       }
       dependencies { classpath("org.openrewrite:plugin:7.33.0") }
   }
   rootProject {
       plugins.apply(org.openrewrite.gradle.RewritePlugin)
       dependencies {
           rewrite("org.openrewrite:rewrite-java")
       }
       rewrite {
           activeRecipe("org.openrewrite.docker.DockerBestPractices")
       setExportDatatables(true)
       }
       afterEvaluate {
           if (repositories.isEmpty()) {
               repositories {
                   mavenCentral()
               }
           }
       }
   }

2. Run the recipe.
   shell

   gradle --init-script init.gradle rewriteRun

Gradle init script (Kotlin)

1. Create a file named init.gradle.kts in the root of your project.
   init.gradle.kts

   initscript {
       repositories {
           maven { url = uri("https://plugins.gradle.org/m2") }
       }
       dependencies { classpath("org.openrewrite:plugin:7.33.0") }
   }
   rootProject {
       plugins.apply(org.openrewrite.gradle.RewritePlugin::class.java)
       dependencies {
           add("rewrite", "org.openrewrite:rewrite-java")
       }
       extensions.configure<org.openrewrite.gradle.RewriteExtension> {
           activeRecipe("org.openrewrite.docker.DockerBestPractices")
       setExportDatatables(true)
       }
       afterEvaluate {
           if (repositories.isEmpty()) {
               repositories {
                   mavenCentral()
               }
           }
       }
   }

2. Run the recipe.
   shell

   gradle --init-script init.gradle.kts rewriteRun

Maven POM

1. Add the following to your pom.xml file:
   pom.xml

   <project>
     <build>
       <plugins>
         <plugin>
           <groupId>org.openrewrite.maven</groupId>
           <artifactId>rewrite-maven-plugin</artifactId>
           <version>6.40.0</version>
           <configuration>
             <exportDatatables>true</exportDatatables>
             <activeRecipes>
               <recipe>org.openrewrite.docker.DockerBestPractices</recipe>
             </activeRecipes>
           </configuration>
         </plugin>
       </plugins>
     </build>
   </project>

2. Run mvn rewrite:run to run the recipe.

Maven Command Line

You will need to have Maven installed on your machine before you can run the following command.

shell

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run --define rewrite.activeRecipes=org.openrewrite.docker.DockerBestPractices --define rewrite.exportDatatables=true

Moderne CLI

You will need to have configured the Moderne CLI on your machine before you can run the following command.

shell

mod run . --recipe DockerBestPractices

If the recipe is not available locally, then you can install it using:

mod config recipes jar install org.openrewrite:rewrite-docker:8.83.1

See how this recipe works across multiple open-source repositories

Run this recipe on OSS repos at scale with the Moderne SaaS.

Run this recipe here

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.

Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.

Data Tables

EolDockerImages

End-of-life Docker images

org.openrewrite.docker.table.EolDockerImages

Records Docker base images that have reached end-of-life.

Column Name	Description
Source file	The Dockerfile containing the EOL base image.
Stage name	The build stage name (from AS clause), if specified.
Image name	The name of the base image.
Tag	The image tag.
EOL date	The date when the image reached end-of-life.
Suggested replacement	Recommended newer version to migrate to.

SourcesFileResults

Source files that had results

org.openrewrite.table.SourcesFileResults

Source files that were modified by the recipe run.

Column Name	Description
Source path before the run	The source path of the file before the run. null when a source file was created during the run.
Source path after the run	A recipe may modify the source path. This is the path after the run. null when a source file was deleted during the run.
Parent of the recipe that made changes	In a hierarchical recipe, the parent of the recipe that made a change. Empty if this is the root of a hierarchy or if the recipe is not hierarchical at all.
Recipe that made changes	The specific recipe that made a change.
Estimated time saving	An estimated effort that a developer to fix manually instead of using this recipe, in unit of seconds.
Cycle	The recipe cycle in which the change was made.

SearchResults

Source files that had search results

org.openrewrite.table.SearchResults

Search results that were found during the recipe run.

Column Name	Description
Source path of search result before the run	The source path of the file with the search result markers present.
Source path of search result after run the run	A recipe may modify the source path. This is the path after the run. null when a source file was deleted during the run.
Result	The trimmed printed tree of the LST element that the marker is attached to.
Description	The content of the description of the marker.
Recipe that added the search marker	The specific recipe that added the Search marker.

SourcesFileErrors

Source files that errored on a recipe

org.openrewrite.table.SourcesFileErrors

The details of all errors produced by a recipe run.

Column Name	Description
Source path	The file that failed to parse.
Recipe that made changes	The specific recipe that made a change.
Stack trace	The stack trace of the failure.

RecipeRunStats

Recipe performance

org.openrewrite.table.RecipeRunStats

Statistics used in analyzing the performance of recipes.

Column Name	Description
The recipe	The recipe whose stats are being measured both individually and cumulatively.
Source file count	The number of source files the recipe ran over.
Source file changed count	The number of source files which were changed in the recipe run. Includes files created, deleted, and edited.
Cumulative scanning time (ns)	The total time spent across the scanning phase of this recipe.
Max scanning time (ns)	The max time scanning any one source file.
Cumulative edit time (ns)	The total time spent across the editing phase of this recipe.
Max edit time (ns)	The max time editing any one source file.