Recipe: Dockerfile writer with security notes

Generate hardened Dockerfiles from natural-language descriptions. The writer bakes in non-root users, pinned base images, and layer caching best practices by default.

Quick start

$ nimbus recipe dockerfile "Python FastAPI app with Poetry"

Security defaults

  • Non-root USER directive inserted after package install
  • Base image pinned to SHA256 digest, not floating tag
  • COPY --chown applied to application files
  • HEALTHCHECK with wget fallback included
  • Multi-stage builds when a build-tool chain is detected
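
To confirm that a generated file still carries these defaults after hand edits, the checks can be scripted. The following is an added example, not part of nimbus or its documentation: the function names, the list of install commands, and both sample Dockerfiles are assumptions made for illustration, and `<digest>` is a placeholder.

```python
import re
# Install commands after which the USER directive is expected (assumed list).
INSTALL_RE = re.compile(r"\b(pip3? install|poetry install|apt-get install|apk add)\b")

def instructions(text):
    """Yield (KEYWORD, args), joining backslash continuations, skipping comments."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kw, _, rest = line.partition(" ")
            yield kw.upper(), rest.strip()

def audit(text):
    """Return findings for the Dockerfile; an empty list means all defaults hold."""
    ins = list(instructions(text))
    froms = [i for i, (kw, _) in enumerate(ins) if kw == "FROM"]
    if not froms:
        return ["no FROM instruction"]
    findings, stages = [], set()
    for i in froms:
        parts = [p for p in ins[i][1].split() if not p.startswith("--")]
        # An earlier stage name or scratch needs no digest; any other image does.
        if parts[0] not in stages | {"scratch"} and "@sha256:" not in parts[0]:
            findings.append(f"unpinned base image: {parts[0]}")
        if len(parts) == 3 and parts[1].lower() == "as":
            stages.add(parts[2])
    final = ins[froms[-1]:]  # only the last stage ships, so USER/COPY/HEALTHCHECK apply there
    users = [(i, a) for i, (kw, a) in enumerate(final) if kw == "USER"]
    installs = [i for i, (kw, a) in enumerate(final) if kw == "RUN" and INSTALL_RE.search(a)]
    if not users or users[-1][1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root")
    elif installs and users[-1][0] < installs[-1]:
        findings.append("package install after the last USER directive")
    for kw, a in final:
        if kw == "COPY" and "--chown=" not in a:
            findings.append(f"COPY without --chown: {a}")
    if not any(kw == "HEALTHCHECK" and a.upper() != "NONE" for kw, a in final):
        findings.append("no HEALTHCHECK")
    return findings

# Constructed samples; <digest> is a placeholder, not a real image digest.
HARDENED = """FROM python:3.12-slim@sha256:<digest>
RUN useradd --system --user-group app
COPY --chown=app:app . .
RUN pip install --no-cache-dir -r requirements.txt
USER app
HEALTHCHECK CMD wget -qO- http://localhost:8000/health
"""
WEAK = "FROM python:3.12-slim\nCOPY . .\nRUN pip install -r requirements.txt\n"
```

Calling `audit(WEAK)` reports the floating tag, the root user, the unowned COPY and the missing HEALTHCHECK; `audit(HARDENED)` returns an empty list.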

Output example

FROM python:3.12-slim@sha256:abc123...
WORKDIR /app
# Create the unprivileged account that --chown and USER refer to
RUN useradd --system --user-group app
COPY --chown=app:app . .
RUN pip install --no-cache-dir -r requirements.txt
USER app
EXPOSE 8000
HEALTHCHECK CMD wget -qO- http://localhost:8000/health
CMD ["uvicorn", "main:app", "--host", "0.0.0.0"]

Flags

--no-healthcheck    Skip HEALTHCHECK line
--root              Keep root user (not recommended)
--base <image>      Override base image selection
--output <path>     Write to file instead of stdout