Why I Stopped Writing Dockerfiles by Hand
For ten years I hand-wrote every Dockerfile. In 2025 I finally stopped and the quality went up. The reason is not that I got lazy. It is that Dockerfiles have a small set of correct patterns and an agent gets them right more consistently than I do. Here is how I delegate, what I verify, and where I still write by hand.
The Generation Prompt
I give the agent three facts: language, framework, and deployment target. It produces a Dockerfile that follows current best practices for that stack. I review, not author. The review takes three minutes. Authoring would have taken thirty.
What I Check
- Multi-stage build present for compiled languages
- Non-root user for the runtime stage
- Specific base image tag, never latest
- .dockerignore written alongside
- Cache layers ordered correctly for fast rebuilds
- HEALTHCHECK directive for long-running services
- Vulnerability scan passes on the generated image
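The items on this checklist that can be read straight off the Dockerfile text can be checked mechanically before the human review. The sketch below is an added example, not code from the original post: the function name `review`, its finding labels and both sample Dockerfiles are constructed for illustration, and it does not cover the .dockerignore, cache-order or vulnerability-scan items.

```python
import re

def review(dockerfile, compiled=True, long_running=True):
    """Return sorted checklist findings for the text of a Dockerfile."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join line continuations
    stages, names, findings = [], set(), set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            tok = [t for t in arg.split() if not t.startswith("--")]
            base = tok[0]
            # Earlier stage names, scratch and digest pins need no tag.
            if base not in names and base != "scratch" and "@sha256:" not in base:
                tag = base.rsplit("/", 1)[-1].partition(":")[2]
                if tag in ("", "latest"):
                    findings.add("unpinned-base:" + base)
            if len(tok) == 3 and tok[1].lower() == "as":
                names.add(tok[2])
            stages.append([])
        elif stages:
            stages[-1].append((instr, arg.strip()))
    if not stages:
        return ["no-from"]
    final = stages[-1]  # only the last stage ships
    users = [a for i, a in final if i == "USER"]
    # A USER inherited from the base image is not visible here, so it is flagged.
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.add("runtime-root")
    if compiled and len(stages) < 2:
        findings.add("single-stage")
    if long_running and not any(i == "HEALTHCHECK" and a.upper() != "NONE" for i, a in final):
        findings.add("no-healthcheck")
    return sorted(findings)

# Constructed samples, not from the original post.
WEAK = "FROM golang:latest\nCOPY . .\nRUN go build -o /app .\nCMD [\"/app\"]\n"
GOOD = """\
FROM golang:1.22 AS build
COPY . /src
RUN cd /src && go build -o /app .
FROM debian:12-slim
COPY --from=build /app /app
USER 10001:10001
HEALTHCHECK CMD ["/app", "--health"]
CMD ["/app"]
"""
```

Pass `compiled=False` or `long_running=False` when the multi-stage or HEALTHCHECK item does not apply to the stack under review.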
The Verify Step
docker build -t test .
docker run --rm test --version
# Check actual layer order
docker history test
# Scan for known vulns
docker scout quickview test

If any check fails, I ask the agent to fix the specific issue. Three iterations max. If it still fails after three attempts, I write by hand because something about the stack is unusual enough to warrant human attention.
Why This Delegation Works
Dockerfiles are constrained enough that the agent rarely hallucinates. The patterns are documented. The failure modes are mechanical. This is exactly the kind of task that agents excel at: high-context, low creativity, mostly-correct-by-following-rules.
What I Still Write by Hand
Kubernetes manifests with business logic. Terraform for cost-sensitive infrastructure. Anything where the decision depends on private context the agent does not have. Know the difference. Delegation without the right context leads to subtle infrastructure bugs that show up in production.
The Broader Lesson
Agent delegation works best on constrained, pattern-rich, well-documented tasks. Dockerfiles fit that perfectly. Infrastructure design does not. Route your delegation accordingly.
The Docker Best Practices guide is still the best reference for the patterns you should check during review.