14.1.1 Production Image Readiness

Production image readiness assesses whether a built container image itself — independent of how it's deployed or orchestrated — meets the specific qualities expected of something actually intended for production use: minimal size, no development-only tooling, no embedded secrets, and a properly defined, deterministic startup behavior.

Confirming the Image Excludes Development-Only Content

A production-ready image shouldn't carry development dependencies, debugging tools, or source maps unless specifically required at runtime.

FROM node:20-alpine AS build
RUN npm ci
RUN npm run build

FROM node:20-alpine
RUN npm ci --omit=dev
COPY --from=build /app/dist ./dist

This final stage excludes development dependencies entirely, a key marker of genuine production readiness.

Verifying No Secrets Are Embedded in the Image

Inspecting the image's layers and history confirms no credential or secret was inadvertently baked into the image during the build.

docker history myapp:1.0 --no-trunc

docker save myapp:1.0 | tar -x -O | grep -r "API_KEY"

A production-ready image should show no trace of secret values across any of its layers.

Confirming a Deterministic, Well-Defined Startup Command

The image's CMD or ENTRYPOINT should clearly, deterministically start the application, without relying on manual intervention or an undefined default shell.

ENTRYPOINT ["node", "dist/server.js"]

Checking the Image's Overall Size and Layer Count

A bloated image with unnecessary layers or files suggests the build process itself may need further refinement before being considered production-ready.

docker images myapp:1.0
docker history myapp:1.0

Why Production Image Readiness Matters

Confirming an image itself — independent of deployment configuration — meets these specific qualities is a necessary, distinct check within the broader production readiness assessment, ensuring the artifact being deployed is genuinely appropriate for that purpose.