Do not include development-only tools and packages in the final production container image.
You only keep what is needed to run the app — not what is needed to build or test it.
This reduces image size, the number of vulnerabilities a scanner reports, and startup time, which matters on AWS because the image is pulled from ECR every time an ECS task, EKS pod or Lambda container starts.
“Removing dev dependencies ensures the production Docker image only contains runtime components, resulting in smaller image size, faster AWS deployments, reduced vulnerabilities, and lower CI/CD and ECR costs.”
How to achieve it: a multi-stage Docker build.
Write the Dockerfile with two stages: a build stage that starts from an image with the SDK, compiler and test tools, and a runtime stage that starts from a minimal runtime image and copies in only the build output (build, then run).
Dev dependencies are the packages and tools used during:
- Local development
- Unit testing
- Debugging
- Building/compiling
- Linting/formatting
But not needed at runtime.
Examples:
| Technology | Dev Dependencies |
|---|---|
| .NET | SDK, test frameworks, analyzers |
| Node.js | eslint, nodemon, jest |
| Python | pytest, black |
| Java | maven, gradle |
Dev tools are heavy.
Example:
- With SDK + test tools → 1.2 GB
- Runtime only → 200 MB
Smaller image = faster pull from ECR.
Impacts:
- ECS task start
- EKS pod start
- Lambda container cold start
Dev packages add vulnerabilities: every extra package in the image is one more set of CVE advisories the scanner reports, even if that code never runs in production, and compilers, test runners and package managers left in a container are convenient tools for an attacker who gets a shell in it.
Removing them:
- Reduces attack surface
- Gives cleaner ECR and Trivy scan results
- Less ECR storage
- Less data transfer
- Faster CI/CD = lower CodeBuild minutes
Wrong (includes SDK): publishing and running the app from the same `sdk` image ships the compilers, NuGet tooling and analyzers to production. Right: a multi-stage build compiles in the SDK image and copies only the published output into the `aspnet` runtime image:

```dockerfile
# Build stage: the SDK image has the compiler and publish tooling
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY . .
RUN dotnet publish -c Release -o /out

# Runtime stage: only the ASP.NET runtime plus the published DLLs
FROM mcr.microsoft.com/dotnet/aspnet:8.0
WORKDIR /app
COPY --from=build /out .
ENTRYPOINT ["dotnet", "MyApp.dll"]
```
Now:
- SDK removed
- Only runtime DLLs remain
Node.js: in the final stage, install only the runtime dependencies.

```dockerfile
RUN npm install --production
```
or, on newer npm (`--production` is the older spelling of the same option):
```dockerfile
RUN npm ci --omit=dev
```
`npm ci` requires a `package-lock.json` and installs exactly the locked versions, which is what you want for a reproducible production image.
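A complete Node.js multi-stage Dockerfile that puts those lines in the right place, as an added example (not from the original post). It assumes the app has a `build` script (for example a TypeScript compile) that writes to `./dist`, that the entry point is `dist/server.js`, and that `node:20-slim` is an acceptable base image; all three are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the original post. Assumes a Node.js app with a
# "build" script that writes to ./dist, an entry point dist/server.js and the
# node:20-slim base image; all three are assumptions.

# ---- build stage: dev dependencies are allowed here ----
FROM node:20-slim AS build
WORKDIR /src
# Copy the manifests first so the dependency layer is cached across source edits
COPY package.json package-lock.json ./
# Installs dependencies AND devDependencies (tsc, eslint, jest, ...)
RUN npm ci
COPY . .
# The build step needs the dev tooling; its output is all the runtime needs
RUN npm run build

# ---- runtime stage: only what the app needs to run ----
FROM node:20-slim
ENV NODE_ENV=production
WORKDIR /app
COPY package.json package-lock.json ./
# --omit=dev (older npm: --production) installs only "dependencies";
# cleaning the npm cache keeps the downloaded tarballs out of the layer
RUN npm ci --omit=dev && npm cache clean --force
COPY --from=build /src/dist ./dist
# The official node images ship an unprivileged "node" user
USER node
CMD ["node", "dist/server.js"]
```

After `docker build -t myapp .`, check the result rather than trusting it: `docker run --rm myapp ls node_modules/.bin` should list no `eslint`, `jest` or `nodemon`, `docker image ls myapp` shows the size, and `trivy image myapp` gives the finding count to compare against the single-stage build. Two caveats: anything the app reads at runtime besides `dist` (static assets, templates) must also be copied from the build stage, and runtime dependencies with native addons need a compiler during `npm ci --omit=dev`, which the slim image lacks; in that case run `npm prune --omit=dev` in the build stage and `COPY --from=build /src/node_modules ./node_modules` instead of reinstalling.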
Without removing dev deps:
- Image size: 600 MB
- ECS startup: 25 sec
- Vulnerabilities: 120
With removal:
- Image size: 150 MB
- ECS startup: 6–8 sec
- Vulnerabilities: 30
It’s like shipping a car:
- Dev deps = factory tools, welding machines
- Runtime deps = engine, wheels, fuel
Customer only needs the car, not the factory.