✦ Sample Prompt
Standardize Docker base images across all repositories.
Update all Dockerfiles to use our approved base images:
- Any node:* image → node:22-alpine
- Any python:* image → python:3.12-slim
- Any golang:* image → golang:1.23-alpine
- Any mcr.microsoft.com/dotnet/aspnet:* → mcr.microsoft.com/dotnet/aspnet:10.0
- Any mcr.microsoft.com/dotnet/sdk:* → mcr.microsoft.com/dotnet/sdk:10.0
- Any openjdk:* or eclipse-temurin:* → eclipse-temurin:21-jre-alpine (for runtime)
Preserve all other Dockerfile instructions (COPY, RUN, ENV, etc.) unchanged.
If a Dockerfile uses a multi-stage build, update both the build and runtime base images.
The Problem
When teams choose their own Docker base images, you end up with a sprawl of different images, tags, and registries. One service uses `node:18`, another uses `node:18.17-alpine`, a third uses `node:18-slim`. Some pull from Docker Hub, others from ECR or GCR. This inconsistency creates security blind spots (which images have been scanned?) and unpredictable build times (different image sizes), and it makes it impossible to respond quickly when a base image CVE is announced.
Standardizing base images is a one-time cleanup that needs to happen across every repository simultaneously to be effective.
What Tidra Does
- Finds all Dockerfiles in each repository (including `Dockerfile.dev`, `Dockerfile.prod`, etc.)
- Identifies the base images used in `FROM` statements, including multi-stage builds
- Replaces base images with the approved equivalents while preserving the `AS` alias names and other `FROM` arguments
- Creates a PR listing every base image change for review
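The rewrite rule in the list above, as an added Python example (not Tidra's implementation): it touches only `FROM` lines, keeps flags such as `--platform` and the `AS` alias, and leaves stage references, `scratch` and unlisted images alone. The function names and the sample Dockerfile are constructed here; it assumes an untagged image counts as matching `name:*` and that a replaced image drops any old digest.

```python
import re
from fnmatch import fnmatchcase

# Approved targets copied from the sample prompt on this page.
APPROVED = [
    ("node:*", "node:22-alpine"),
    ("python:*", "python:3.12-slim"),
    ("golang:*", "golang:1.23-alpine"),
    ("mcr.microsoft.com/dotnet/aspnet:*", "mcr.microsoft.com/dotnet/aspnet:10.0"),
    ("mcr.microsoft.com/dotnet/sdk:*", "mcr.microsoft.com/dotnet/sdk:10.0"),
    # The prompt marks this target "for runtime"; review JDK build stages by hand.
    ("openjdk:*", "eclipse-temurin:21-jre-alpine"),
    ("eclipse-temurin:*", "eclipse-temurin:21-jre-alpine"),
]
FROM_RE = re.compile(  # FROM [--flag=value ...] <image> [AS <name>]
    r"^(?P<head>\s*FROM\s+(?:--\S+\s+)*)(?P<image>\S+)"
    r"(?P<tail>(?:\s+AS\s+(?P<alias>\S+))?\s*)$", re.IGNORECASE)

def approved_for(image):
    """Return the approved replacement for an image reference, or None."""
    ref = image.split("@", 1)[0]          # match on name:tag, ignore any digest
    if ":" not in ref.rsplit("/", 1)[-1]:
        ref += ":latest"                  # assumption: untagged counts as name:*
    for pattern, target in APPROVED:
        if fnmatchcase(ref, pattern):
            return target
    return None

def rewrite_dockerfile(text):
    """Rewrite FROM lines only; return (new_text, [(line_no, old, new), ...])."""
    stages, out, changes = set(), [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            image = m["image"]
            # "FROM builder" names an earlier stage; "scratch" is not an image.
            is_image = image.lower() not in stages and image != "scratch"
            target = approved_for(image) if is_image else None
            if m["alias"]:
                stages.add(m["alias"].lower())
            if target and target != image:
                changes.append((no, image, target))
                line = m["head"] + target + m["tail"]
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changes

# Constructed sample input (not from a real repository).
SAMPLE = ("FROM --platform=linux/amd64 node:18.17 AS builder\nRUN npm ci\n"
          "FROM builder AS tester\nFROM bitnami/node:18\nFROM node:18.17-slim\n")
NEW_TEXT, CHANGES = rewrite_dockerfile(SAMPLE)
```

The `changes` list is what a reviewer would want in the PR description: one entry per rewritten `FROM` line, with its line number.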
Before & After
diff
Dockerfile
- FROM node:18.17 AS builder
+ FROM node:22-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
- FROM node:18.17-slim
+ FROM node:22-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
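Review bot: both `FROM` lines change the Node major version (18.17 to 22) and move from Debian-based tags (`node:18.17`, `node:18.17-slim`) to `node:22-alpine`, so `RUN npm ci` and `RUN npm run build` now run against musl instead of glibc; confirm the build and the runtime stage pass in CI before merging, since native dependencies are the usual casualty of that switch. The new tag is also mutable: consider pinning `node:22-alpine` by digest in both stages so the image that was scanned is the image that gets built.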
Customization Tips
- Internal registry: If your org mirrors images to an internal registry (e.g., `your-registry.com/node:22-alpine`), update the target images in the prompt to use your registry URL.
- Distroless: For maximum security, consider using Google's distroless images for runtime stages: `gcr.io/distroless/nodejs22-debian12`.
- ARM builds: If some services target ARM, add architecture-specific image variants to the approved list.