Le multi-stage build Docker est la technique la plus efficace pour réduire la taille de vos images de 5-10x. Au lieu d’un seul stage qui contient build tools + code source + node_modules dev + binaire, on sépare en stages : build (gros) puis runner (minimal).
Voir notre guide Docker complet.
Pattern Node.js
FROM node:20-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci
FROM node:20-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
RUN npm run build
FROM node:20-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/package.json ./
RUN npm ci --only=production
USER node
CMD ["node", "dist/server.js"]Pattern Go
FROM golang:1.23-alpine AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /app/myapp ./cmd/myapp
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/myapp /myapp
USER nonroot:nonroot
ENTRYPOINT ["/myapp"]Image finale Go : ~10-20 Mo. Distroless n’a même pas de shell, surface d’attaque minimale.
Pattern Python
FROM python:3.12-slim AS builder
WORKDIR /app
RUN pip install --user --no-cache-dir poetry
COPY pyproject.toml poetry.lock ./
RUN poetry export -f requirements.txt --output requirements.txt
RUN pip install --user --no-cache-dir -r requirements.txt
FROM python:3.12-slim AS runner
ENV PATH=/root/.local/bin:$PATH
COPY --from=builder /root/.local /root/.local
COPY . /app
WORKDIR /app
USER 1000
CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0"]Pattern Bun
FROM oven/bun:1 AS builder
WORKDIR /app
COPY package.json bun.lockb ./
RUN bun install --frozen-lockfile
COPY . .
RUN bun build src/index.ts --target=bun --outdir ./dist
FROM oven/bun:1-slim AS runner
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER bun
CMD ["bun", "run", "dist/index.js"]Astuces
- Order matters : copier package.json d’abord, lock, install — Docker cache les layers
- .dockerignore : exclure node_modules, .git, .env, *.log
- distroless ou scratch pour Go/Rust : surface attaque minimale
- Alpine pour Node/Python : ~50-80 Mo de base, attention aux différences glibc/musl
- Slim Debian : équilibre entre taille et compatibilité