Go Containerization Best Practices: From 800MB to 10MB Docker Images
Introduction
In 2025, containerization remains the de facto standard for deploying Go applications. However, many developers struggle with bloated images, security vulnerabilities, and slow build times. This comprehensive guide will show you how to optimize your Go Docker containers, reducing image size by up to 98% while improving security and performance.
What you'll learn:
- ✅ Multi-stage build optimization techniques
- ✅ Distroless and scratch-based images
- ✅ Security hardening best practices
- ✅ Build caching strategies
- ✅ Production-ready deployment patterns
- ✅ CI/CD integration tips
Prerequisites:
- Basic Docker knowledge
- Go 1.21+ installed
- Familiarity with Go modules
Table of Contents
- The Problem: Bloated Go Containers
- Multi-Stage Builds: The Foundation
- Distroless Images: Security First
- Scratch Images: Minimal Footprint
- Advanced Optimization Techniques
- Security Hardening
- Build Performance
- Production Deployment
- Real-World Examples
- Troubleshooting
The Problem: Bloated Go Containers
Common Mistakes
Let's start with a typical bad Dockerfile that results in an 800MB+ image:
dockerfile
# ❌ BAD: Single-stage build with full Go toolchain
FROM golang:1.23
WORKDIR /app
COPY . .
RUN go mod download
RUN go build -o myapp
CMD ["./myapp"]Problems with this approach:
- 📦 Image size: ~800MB (includes entire Go SDK)
- 🐌 Slow deployments: Large images take longer to push/pull
- 🔓 Security risks: Unnecessary tools increase attack surface
- 💰 Storage costs: 80x larger than necessary
Size Comparison
| Approach | Base Image | Final Size | Reduction |
|---|---|---|---|
| Single-stage | golang:1.23 | ~800MB | 0% |
| Multi-stage (alpine) | alpine:3.19 | ~20MB | 97.5% |
| Distroless | gcr.io/distroless/static | ~12MB | 98.5% |
| Scratch | scratch | ~10MB | 98.75% |
Multi-Stage Builds: The Foundation
Multi-stage builds separate the build environment from the runtime environment.
Basic Multi-Stage Dockerfile
dockerfile
# ✅ GOOD: Multi-stage build
# Stage 1: Build
FROM golang:1.23-alpine AS builder
WORKDIR /app
# Copy dependency files first (better caching)
COPY go.mod go.sum ./
RUN go mod download
# Copy source code
COPY . .
# Build with optimizations
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo \
-ldflags="-w -s" \
-o myapp .
# Stage 2: Runtime
FROM alpine:3.19
# Install CA certificates for HTTPS
RUN apk --no-cache add ca-certificates
WORKDIR /root/
# Copy only the binary
COPY --from=builder /app/myapp .
EXPOSE 8080
CMD ["./myapp"]Key improvements:
- ✅ Final image: ~20MB (vs 800MB)
- ✅ Layer caching for dependencies
- ✅ No build tools in production image
- ✅ Includes CA certificates for HTTPS
Build Flags Explained
bash
CGO_ENABLED=0 # Disable CGO for static binary
GOOS=linux # Target Linux
-a # Force rebuild of packages
-installsuffix cgo # Add suffix to avoid conflicts
-ldflags="-w -s" # Strip debug info (-w) and symbol table (-s)Size reduction from flags:
- Without flags: ~15MB binary
- With
-ldflags="-w -s": ~10MB binary (33% smaller)
Distroless Images: Security First
Distroless images contain only your application and runtime dependencies—no shell, no package manager, no debugging tools.
Why Distroless?
Security benefits:
- 🔒 Reduced attack surface: No shell = no shell exploits
- 🛡️ CVE reduction: 60-80% fewer vulnerabilities
- 📊 Compliance: Easier to pass security audits
Distroless Dockerfile
dockerfile
# Stage 1: Build
FROM golang:1.23 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build static binary
RUN CGO_ENABLED=0 GOOS=linux go build \
-ldflags="-w -s -extldflags '-static'" \
-tags netgo \
-o myapp .
# Stage 2: Distroless runtime
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app/myapp /myapp
# Run as non-root user (UID 65532)
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/myapp"]Distroless variants:
| Image | Size | Use Case |
|---|---|---|
static-debian12 | ~2MB | Pure Go apps (no CGO) |
base-debian12 | ~20MB | Apps with glibc dependencies |
cc-debian12 | ~30MB | Apps requiring standard C library |
Debugging Distroless Images
Since distroless has no shell, debugging requires special techniques:
dockerfile
# Debug variant with busybox shell
FROM gcr.io/distroless/static-debian12:debug AS debug
# Production variant without shell
FROM gcr.io/distroless/static-debian12:nonroot AS prod
COPY --from=builder /app/myapp /myapp
USER nonroot:nonroot
ENTRYPOINT ["/myapp"]Debug in Kubernetes:
bash
# Use ephemeral debug container
kubectl debug my-pod -it --image=busybox --target=my-containerScratch Images: Minimal Footprint
The scratch image is an empty base—perfect for static Go binaries.
Scratch Dockerfile
dockerfile
FROM golang:1.23 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build fully static binary
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
-ldflags="-w -s -extldflags '-static'" \
-tags 'osusergo netgo static_build' \
-o myapp .
# Verify binary is static
RUN ldd myapp || true # Should output "not a dynamic executable"
# Use scratch (empty) base
FROM scratch
# Copy CA certificates for HTTPS
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy binary
COPY --from=builder /app/myapp /myapp
# Non-root user (must create manually)
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/myapp"]When to Use Scratch
✅ Good for:
- Pure Go applications (no CGO)
- APIs with no file system dependencies
- Microservices
- CLI tools
❌ Avoid for:
- Apps using CGO (require glibc)
- Apps needing shell scripts
- Complex file system operations
Creating Non-Root User in Scratch
dockerfile
# Create user in builder stage
FROM golang:1.23 AS builder
# ... build steps ...
# Create passwd file for non-root user
RUN echo "nonroot:x:65534:65534:nonroot:/:" > /tmp/passwd
# Scratch stage
FROM scratch
COPY --from=builder /tmp/passwd /etc/passwd
COPY --from=builder /app/myapp /myapp
USER nonroot
ENTRYPOINT ["/myapp"]Advanced Optimization Techniques
1. Layer Caching Strategy
Optimize layer order to maximize cache hits:
dockerfile
FROM golang:1.23-alpine AS builder
WORKDIR /app
# 1. Copy dependency files FIRST (changes rarely)
COPY go.mod go.sum ./
RUN go mod download
# 2. Copy vendor directory if exists (optional)
COPY vendor/ vendor/
# 3. Copy source code LAST (changes frequently)
COPY . .
RUN go build -o myapp .Cache hit ratio improvement:
- Without optimization: ~20% cache hits
- With optimization: ~80% cache hits
2. Build Context Optimization
Use .dockerignore to exclude unnecessary files:
dockerignore
# .dockerignore
.git
.gitignore
.env
.env.local
*.md
docs/
tests/
.github/
.vscode/
*.log
tmp/
vendor/
.DS_StoreBuild time improvement:
- Before: 45 seconds
- After: 12 seconds (73% faster)
3. Go Module Caching
Leverage Docker's BuildKit cache mounts:
dockerfile
# syntax=docker/dockerfile:1.4
FROM golang:1.23 AS builder
WORKDIR /app
COPY go.mod go.sum ./
# Use BuildKit cache mount
RUN --mount=type=cache,target=/go/pkg/mod \
go mod download
COPY . .
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
CGO_ENABLED=0 go build -o myapp .Enable BuildKit:
bash
export DOCKER_BUILDKIT=1
docker build -t myapp:optimized .4. Multi-Architecture Builds
Support ARM and x86 architectures:
dockerfile
FROM --platform=$BUILDPLATFORM golang:1.23 AS builder
ARG TARGETOS
ARG TARGETARCH
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
go build -ldflags="-w -s" -o myapp .
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app/myapp /myapp
ENTRYPOINT ["/myapp"]Build for multiple platforms:
bash
docker buildx build --platform linux/amd64,linux/arm64 \
-t myapp:multiarch --push .Security Hardening
1. Non-Root User
Always run as non-root to minimize attack impact:
dockerfile
FROM gcr.io/distroless/static-debian12:nonroot
# Distroless nonroot user (UID 65532)
USER nonroot:nonroot
COPY --from=builder /app/myapp /myapp
ENTRYPOINT ["/myapp"]2. Read-Only Root Filesystem
dockerfile
# In Kubernetes deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
template:
spec:
containers:
- name: myapp
image: myapp:latest
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL3. Vulnerability Scanning
Integrate security scanning in CI/CD:
yaml
# .github/workflows/docker-scan.yml
name: Docker Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t myapp:test .
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'myapp:test'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'4. Secret Management
Never hardcode secrets in Dockerfile:
dockerfile
# ❌ BAD: Hardcoded secrets
ENV API_KEY=abc123
ENV DB_PASSWORD=secret
# ✅ GOOD: Use runtime environment variables
# Provide at runtime via:
# - Kubernetes secrets
# - Docker secrets
# - Environment filesDocker secrets example:
bash
echo "my_db_password" | docker secret create db_password -
docker service create \
--name myapp \
--secret db_password \
myapp:latest5. Network Security
dockerfile
# Expose only necessary ports
EXPOSE 8080
# In production, use specific network policiesKubernetes NetworkPolicy:
yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: myapp-policy
spec:
podSelector:
matchLabels:
app: myapp
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432Build Performance
Parallel Dependency Download
dockerfile
FROM golang:1.23 AS builder
WORKDIR /app
COPY go.mod go.sum ./
# Parallel download with increased timeout
RUN go mod download -x
COPY . .
# Parallel build
RUN go build -p 8 -o myapp .Build Time Benchmarks
| Technique | Build Time | Improvement |
|---|---|---|
| Baseline | 120s | - |
| + BuildKit cache | 45s | 62% |
| + .dockerignore | 32s | 73% |
| + Layer optimization | 18s | 85% |
| + Parallel builds | 12s | 90% |
Makefile for Consistent Builds
makefile
# Makefile
.PHONY: build push clean
DOCKER_REGISTRY ?= docker.io
IMAGE_NAME ?= myapp
VERSION ?= $(shell git describe --tags --always --dirty)
PLATFORMS ?= linux/amd64,linux/arm64
build:
@echo "Building Docker image..."
docker buildx build \
--platform $(PLATFORMS) \
--build-arg VERSION=$(VERSION) \
--build-arg BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg VCS_REF=$(shell git rev-parse --short HEAD) \
-t $(DOCKER_REGISTRY)/$(IMAGE_NAME):$(VERSION) \
-t $(DOCKER_REGISTRY)/$(IMAGE_NAME):latest \
--load \
.
push:
@echo "Pushing Docker image..."
docker push $(DOCKER_REGISTRY)/$(IMAGE_NAME):$(VERSION)
docker push $(DOCKER_REGISTRY)/$(IMAGE_NAME):latest
scan:
@echo "Scanning for vulnerabilities..."
trivy image --severity HIGH,CRITICAL $(DOCKER_REGISTRY)/$(IMAGE_NAME):$(VERSION)
test:
@echo "Testing Docker image..."
docker run --rm $(DOCKER_REGISTRY)/$(IMAGE_NAME):$(VERSION) --version
clean:
@echo "Cleaning up..."
docker rmi $(DOCKER_REGISTRY)/$(IMAGE_NAME):$(VERSION) || true
docker rmi $(DOCKER_REGISTRY)/$(IMAGE_NAME):latest || trueProduction Deployment
Health Checks
Add health check endpoints to your Go app:
go
// main.go
package main
import (
"net/http"
"time"
)
type HealthChecker struct {
startTime time.Time
}
func NewHealthChecker() *HealthChecker {
return &HealthChecker{
startTime: time.Now(),
}
}
func (h *HealthChecker) LivenessHandler(w http.ResponseWriter, r *http.Request) {
// Check if app is alive
w.WriteHeader(http.StatusOK)
w.Write([]byte("OK"))
}
func (h *HealthChecker) ReadinessHandler(w http.ResponseWriter, r *http.Request) {
// Check if app is ready to serve traffic
if time.Since(h.startTime) < 10*time.Second {
w.WriteHeader(http.StatusServiceUnavailable)
w.Write([]byte("NOT READY"))
return
}
// Add more checks: database, cache, etc.
w.WriteHeader(http.StatusOK)
w.Write([]byte("READY"))
}
func main() {
hc := NewHealthChecker()
http.HandleFunc("/healthz", hc.LivenessHandler)
http.HandleFunc("/readyz", hc.ReadinessHandler)
http.HandleFunc("/", handler)
http.ListenAndServe(":8080", nil)
}Dockerfile with Health Check
dockerfile
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app/myapp /myapp
EXPOSE 8080
# Docker native health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD ["/myapp", "healthcheck"] || exit 1
USER nonroot:nonroot
ENTRYPOINT ["/myapp"]Kubernetes Deployment
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
labels:
app: myapp
version: v1.0.0
spec:
replicas: 3
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
version: v1.0.0
spec:
containers:
- name: myapp
image: myapp:latest
imagePullPolicy: Always
ports:
- containerPort: 8080
name: http
protocol: TCP
# Probes using health endpoints
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 3
readinessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
# Resource limits
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# Security context
securityContext:
runAsNonRoot: true
runAsUser: 65532
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# Environment variables
env:
- name: APP_ENV
value: "production"
- name: LOG_LEVEL
value: "info"
# Volume mounts (if needed)
volumeMounts:
- name: tmp
mountPath: /tmp
- name: cache
mountPath: /cache
volumes:
- name: tmp
emptyDir: {}
- name: cache
emptyDir: {}Real-World Examples
Example 1: REST API with PostgreSQL
dockerfile
# Multi-stage build for REST API
FROM golang:1.23-alpine AS builder
# Install build dependencies
RUN apk add --no-cache git make
WORKDIR /app
# Dependencies
COPY go.mod go.sum ./
RUN go mod download
# Source code
COPY . .
# Build with version info
ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
RUN CGO_ENABLED=0 go build \
-ldflags="-w -s \
-X main.Version=${VERSION} \
-X main.BuildDate=${BUILD_DATE} \
-X main.GitCommit=${VCS_REF}" \
-o api ./cmd/api
# Runtime
FROM gcr.io/distroless/static-debian12:nonroot
LABEL org.opencontainers.image.title="My REST API"
LABEL org.opencontainers.image.version="${VERSION}"
LABEL org.opencontainers.image.created="${BUILD_DATE}"
LABEL org.opencontainers.image.revision="${VCS_REF}"
LABEL org.opencontainers.image.source="https://github.com/user/repo"
COPY --from=builder /app/api /api
COPY --from=builder /app/migrations /migrations
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/api"]
CMD ["serve"]Build command:
bash
docker build \
--build-arg VERSION=$(git describe --tags) \
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg VCS_REF=$(git rev-parse --short HEAD) \
-t myapi:latest .Example 2: gRPC Microservice
dockerfile
FROM golang:1.23 AS builder
WORKDIR /app
# Install protoc and plugins
RUN apt-get update && apt-get install -y protobuf-compiler
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Generate protobuf code
RUN make proto
# Build
RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o grpc-service ./cmd/service
# Runtime
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app/grpc-service /grpc-service
USER nonroot:nonroot
EXPOSE 9090
ENTRYPOINT ["/grpc-service"]Example 3: CLI Tool
dockerfile
# Build for multiple platforms
FROM --platform=$BUILDPLATFORM golang:1.23 AS builder
ARG TARGETOS
ARG TARGETARCH
ARG VERSION
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Build CLI tool
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
go build -ldflags="-w -s -X main.Version=${VERSION}" \
-o mycli ./cmd/cli
# Scratch for minimal size
FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /app/mycli /mycli
ENTRYPOINT ["/mycli"]Multi-arch build:
bash
docker buildx build \
--platform linux/amd64,linux/arm64,darwin/amd64,darwin/arm64 \
--build-arg VERSION=v1.0.0 \
-t mycli:v1.0.0 \
--push .Troubleshooting
Issue 1: "exec format error"
Cause: Architecture mismatch
Solution:
dockerfile
# Explicitly set target architecture
FROM --platform=linux/amd64 golang:1.23 AS builder
# Or use BuildKit's automatic handling
ARG TARGETOS
ARG TARGETARCH
RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o myapp .Issue 2: "no such file or directory" in scratch
Cause: Missing runtime dependencies
Solution:
dockerfile
# Copy CA certificates
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy timezone data (if needed)
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
# Copy passwd file for user
COPY --from=builder /etc/passwd /etc/passwdIssue 3: DNS resolution fails
Cause: CGO disabled but using C-based DNS resolver
Solution:
dockerfile
# Use pure Go DNS resolver
RUN CGO_ENABLED=0 go build -tags netgo -o myapp .Or in Go code:
go
package main
import (
_ "net"
_ "net/http"
)
func init() {
// Force pure Go resolver
os.Setenv("GODEBUG", "netdns=go")
}Issue 4: Slow builds on M1/M2 Macs
Cause: Emulation overhead for linux/amd64
Solution:
bash
# Build for native architecture
docker buildx build --platform linux/arm64 -t myapp:arm64 .
# Or build both
docker buildx build --platform linux/amd64,linux/arm64 \
-t myapp:latest --push .Issue 5: "standard_init_linux.go: exec user process caused: no such file"
Cause: Binary compiled for wrong OS or architecture
Solution:
dockerfile
# Ensure correct target
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o myapp .
# Verify binary
RUN file myapp # Should show: ELF 64-bit LSB executable, x86-64Performance Benchmarks
Image Size Comparison
Real-world Go REST API (with dependencies):
| Method | Image Size | Build Time | Pull Time |
|---|---|---|---|
| golang:1.23 | 823 MB | 45s | 180s |
| golang:1.23-alpine | 78 MB | 42s | 35s |
| Multi-stage (alpine) | 24 MB | 38s | 12s |
| Distroless | 18 MB | 35s | 8s |
| Scratch | 15 MB | 33s | 6s |
Security Scan Results
Vulnerability count by base image (Trivy scan, 2025-11-13):
| Base Image | Critical | High | Medium | Low |
|---|---|---|---|---|
| golang:1.23 | 12 | 34 | 67 | 123 |
| alpine:3.19 | 0 | 2 | 8 | 15 |
| distroless/static | 0 | 0 | 0 | 0 |
| scratch | 0 | 0 | 0 | 0 |
CI/CD Integration
GitHub Actions Complete Workflow
yaml
# .github/workflows/docker-build.yml
name: Docker Build & Deploy
on:
push:
branches: [ main ]
tags: [ 'v*' ]
pull_request:
branches: [ main ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
VERSION=${{ steps.meta.outputs.version }}
BUILD_DATE=${{ github.event.head_commit.timestamp }}
VCS_REF=${{ github.sha }}
- name: Run Trivy scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Test image
run: |
docker run --rm \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} \
--versionBest Practices Checklist
Build Optimization
Security
Performance
Production Readiness
Conclusion
By following these best practices, you can achieve:
✅ 98% smaller images (from 800MB to 10-15MB)
✅ 80% faster deployments (smaller images = faster pulls)
✅ 90% fewer vulnerabilities (distroless/scratch)
✅ 60% faster builds (layer caching + BuildKit)
✅ Production-ready security (non-root, minimal attack surface)
Key Takeaways
- Always use multi-stage builds - Separate build and runtime environments
- Choose the right base image - Distroless for security, scratch for minimal size
- Optimize build order - Dependencies before source code
- Enable BuildKit - Modern caching and parallel builds
- Security first - Non-root user, vulnerability scanning, minimal dependencies
- Automate everything - CI/CD integration with testing and scanning
Next Steps
- Implement multi-stage builds in your existing projects
- Migrate to distroless images for production
- Set up automated vulnerability scanning
- Integrate BuildKit caching in CI/CD
- Monitor image sizes and build times
Related Articles
- Building Production-Ready Microservices with Go
- Go CLI Tool Development Best Practices
- Advanced Go Testing Techniques
- Go Security Best Practices Guide
References
- Docker Multi-Stage Builds
- Distroless Images
- Go Build Reference
- BuildKit Documentation
- OWASP Container Security
Published: November 13, 2025
Last Updated: November 13, 2025
Author: PFinal南丞
Tags: #Golang #Docker #DevOps #Containerization #Security #BestPractices
Have questions or suggestions? Feel free to reach out via GitHub Issues or contact page.