Dockerfile best practices in 2026 — the patterns that actually matter
May 19, 2026 · 1 min read · by Sudhanshu K.
Most "Dockerfile best practices" articles in Google's top 10 were written between 2019 and 2022. They're not wrong, exactly — they're just missing the patterns that have become best practice since then.
This is the checklist we use when onboarding a customer onto managed Docker. Not what you'll find in a Docker tutorial — what you'll find in production-quality Dockerfiles in 2026.
Multi-stage with cache mounts and distroless runtime
```dockerfile
# syntax=docker/dockerfile:1.7
FROM golang:1.22-alpine AS builder
WORKDIR /src
# Copy only the module files first so the dependency layer is reused until they change
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod go mod download
COPY . .
# Cache mounts keep the module and build caches across builds without adding them to the image
RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/app ./cmd/app

# Runtime stage: static distroless base, running as the non-root user
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

The cache mounts alone can cut CI build times from 8 minutes to 90 seconds. The distroless runtime drops image size from ~50 MB to ~2 MB — and the attack surface to almost nothing.
The full write-up covers:
- Why BuildKit must be enabled explicitly via the syntax directive
- Layer-ordering by churn (rarely-changing on top, frequently-changing on bottom)
- Build secrets via `--mount=type=secret` — never `ARG DB_PASSWORD`
- Pinning base images to digest with Renovate-driven freshness
- Healthchecks that are cheap and readable
- `.dockerignore` as the highest-ROI file in the project
- The antipatterns we still see in 2026
We ship this template on every managed Docker engagement.
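A small checker for four items on this checklist (the syntax directive, secrets passed as `ARG`/`ENV`, digest-pinned base images, a non-root final stage), added here as an illustration and not the author's own tooling. The `lint` function, its rule names, the secret-name pattern (a heuristic) and the `WEAK` sample are assumptions made for the example; heredoc `RUN` blocks are not handled.

```python
import re

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)
# Constructed sample input, not taken from the page
WEAK = "FROM golang:1.22-alpine\nARG DB_PASSWORD\nRUN go build -o /app ./cmd/app\n"

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no instruction
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def lint(text):
    """Return sorted (line, rule) findings for a Dockerfile given as a string."""
    findings, stages, user, last_from = [], set(), None, 1
    lines = text.splitlines()
    # Parser directives only count on the very first line of the file
    if not lines or not re.match(r"#\s*syntax\s*=", lines[0], re.I):
        findings.append((1, "missing-syntax-directive"))
    for n, ins in logical_lines(text):
        tokens = ins.split()
        op = tokens.pop(0).upper()
        args = [t for t in tokens if not t.startswith("--")]  # ignore flags such as --platform
        if not args:
            continue
        if op == "FROM":
            image = args[0]
            if image != "scratch" and image.lower() not in stages and "@sha256:" not in image:
                findings.append((n, "base-not-pinned-to-digest"))
            if len(args) == 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
            user, last_from = None, n     # USER does not carry into a new stage
        elif op in ("ARG", "ENV"):
            names = [args[0]] + [t for t in args[1:] if "=" in t]
            if any(SECRET_NAME.search(t.split("=")[0]) for t in names):
                findings.append((n, "secret-in-" + op.lower()))
        elif op == "USER":
            user = args[0].split(":")[0]
    if user in (None, "root", "0"):       # no USER set, or explicitly root
        findings.append((last_from, "final-stage-runs-as-root"))
    return sorted(findings)

if __name__ == "__main__":
    print(lint(WEAK))
```

Against the Dockerfile shown above it reports only `base-not-pinned-to-digest` for the two `FROM` lines, which reference tags rather than digests.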