
dockerize.py

Detects the application language from project files, selects the correct Dockerfile template, substitutes template variables, then builds and validates the image automatically. Produces a multi-stage, distroless final image optimised for size and security.

What it does

The tool walks the target directory looking for well-known language indicator files. Once a match is found, it copies the corresponding Dockerfile template, replaces the template variables with the actual service name and entry point, and writes the result to the project root.

If Docker is available on the host, it immediately runs a build to verify the Dockerfile is valid. Hadolint and Trivy scans follow if those tools are installed.

Language Detection

| File Found | Language | Template |
| --- | --- | --- |
| package.json | Node.js | templates/dockerfiles/node/Dockerfile |
| requirements.txt / pyproject.toml | Python | templates/dockerfiles/python/Dockerfile |
| go.mod | Go | templates/dockerfiles/go/Dockerfile |
| pom.xml / build.gradle | Java | templates/dockerfiles/java/Dockerfile |
| Cargo.toml | Rust | Inline multi-stage (generated) |

CLI Usage

```bash
python3 tools/dockerize.py --path ./my-app --service my-service

# With force overwrite of existing Dockerfile:
python3 tools/dockerize.py --path ./my-app --service my-service --force
```

Template Variables

The following placeholders are substituted in the selected template before writing the final Dockerfile:

  • {{PORT}}: Exposed container port (default: 8000)
  • {{MAIN_FILE}}: Python entry-point module (Python only)
  • {{BINARY_NAME}}: Compiled binary name written by go build (Go only)
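
As an added example (not the project's own code), the following Python shows detection from the indicator files in the Language Detection table and substitution of the placeholders listed above, rejecting any value that could change the generated Dockerfile's instructions. The precedence when several indicator files are present, the allowlist patterns, the sample template and the function names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicator files, in the row order of the Language Detection table.
INDICATORS = [
    ("package.json", "node"), ("requirements.txt", "python"),
    ("pyproject.toml", "python"), ("go.mod", "go"), ("pom.xml", "java"),
    ("build.gradle", "java"), ("Cargo.toml", "rust"),
]
# Assumed allowlists: a newline or space in a value would alter an instruction.
RULES = {
    "PORT": re.compile(r"[0-9]{1,5}"),
    "MAIN_FILE": re.compile(r"[A-Za-z_][A-Za-z0-9_.]*"),
    "BINARY_NAME": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*"),
}
PLACEHOLDER = re.compile(r"\{\{([A-Z_]+)\}\}")
# Constructed template fragment, not one of the project's templates.
SAMPLE_TEMPLATE = 'EXPOSE {{PORT}}\nCMD ["-m", "{{MAIN_FILE}}"]\n'

def detect_language(path):
    """Return the language of the first indicator file found under path."""
    root = Path(path)
    for filename, language in INDICATORS:
        if next(root.rglob(filename), None) is not None:
            return language
    return None

def render(template, values):
    """Substitute {{NAME}} placeholders; raise on a missing or unsafe value."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError("no value supplied for " + match.group(0))
        value = str(values[name])
        if name not in RULES or not RULES[name].fullmatch(value):
            raise ValueError(f"rejected value for {name}: {value!r}")
        return value
    return PLACEHOLDER.sub(substitute, template)

def demo():
    """Detect a constructed Python project, then render the sample template."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "requirements.txt").write_text("flask\n")
        language = detect_language(tmp)
    return language, render(SAMPLE_TEMPLATE, {"PORT": 8000, "MAIN_FILE": "app.main"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because `render` raises on any placeholder without a value, a template can never be written out with a literal `{{...}}` left in it.
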
Output

Writes a single file: <path>/Dockerfile

All templates use multi-stage builds. The final stage is based on a Google Distroless image — no shell, no package manager, minimal attack surface.

Validation Steps (Automatic)
  • hadolint — lint check for Dockerfile best practices
  • docker build — full build test (skipped if Docker not available)
  • Trivy — HIGH/CRITICAL CVE scan on the built image (skipped if Trivy not installed)
Important

dockerize.py will never overwrite an existing Dockerfile without the --force flag. When --force is passed, a unified diff is printed and confirmation is required before writing.
