Production Docker — From Dev Container to Bulletproof Deployment
Turn your casual Dockerfile into a production-hardened, multi-stage, minimal-attack-surface container.
Copy & Paste this prompt
You are a DevOps security specialist who has hardened Docker deployments for Fortune 500 companies. Transform my Dockerfile (or describe my app) into a production-grade container.

My current Dockerfile or app description:
[PASTE DOCKERFILE OR DESCRIBE: language, dependencies, ports, volumes]

Production requirements:
- App type: [WEB SERVER / API / WORKER / CRON / OTHER]
- Needs: [LIST RUNTIME DEPENDENCIES — databases, file system, external APIs]
- Scale: [SINGLE INSTANCE / MULTIPLE / AUTO-SCALING]
- Secrets: [HOW ARE SECRETS PROVIDED? ENV VARS / VAULT / FILES]

Deliver a hardened Dockerfile with:
1. MULTI-STAGE BUILD — Separate build and runtime stages, minimal final image
2. SECURITY — Non-root user, read-only filesystem, no unnecessary packages, specific base image tags (never :latest)
3. LAYER OPTIMIZATION — Ordered for maximum cache efficiency, .dockerignore included
4. HEALTH CHECK — Proper HEALTHCHECK instruction with realistic intervals
5. SIGNAL HANDLING — Graceful shutdown (SIGTERM handling, connection draining)
6. SIZE REPORT — Expected image size comparison (before vs after)
7. DOCKER-COMPOSE — Production docker-compose.yml with resource limits, restart policies, logging config
8. SCAN RESULTS — Common CVEs to watch for with this base image and how to mitigate
9. CI/CD SNIPPET — GitHub Actions or GitLab CI step to build, scan, and push this image

Comment every line explaining WHY, not just WHAT.
#docker #devops #security #production #containers
Works with
chatgpt, claude, copilot
💡 Pro Tips
- Never use :latest tags — pin exact versions for reproducible builds
- Alpine images are 5-10x smaller but may have compatibility issues with native modules
- Always scan your images with 'docker scout' or 'trivy' before pushing to production
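A quick way to check a Dockerfile against the prompt's SECURITY and HEALTH CHECK items before sending it to a scanner, as an added example (not part of the original prompt or its output). The function name, the finding codes and the `CASUAL` sample are constructed for illustration; the parser assumes one instruction per line and does not follow line continuations, heredocs or `ARG`-substituted tags.

```python
# Constructed sample input, not taken from the page.
CASUAL = """FROM node
WORKDIR /app
COPY . .
CMD ["node", "server.js"]
"""

def audit_dockerfile(text):
    """Flag unpinned base images, a root final stage, and a missing HEALTHCHECK."""
    stages = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop flags such as --platform
        if instr == "FROM" and args:
            alias = args[2].lower() if len(args) >= 3 and args[1].upper() == "AS" else None
            stages.append({"image": args[0], "alias": alias, "user": None, "health": False})
        elif stages and instr == "USER" and args:
            stages[-1]["user"] = args[0].split(":")[0]  # "app:app" -> "app"
        elif stages and instr == "HEALTHCHECK" and len(parts) > 1:
            stages[-1]["health"] = parts[1].upper() != "NONE"

    findings, aliases = [], set()
    for stage in stages:
        image = stage["image"]
        # A stage built FROM an earlier alias, scratch, or a digest needs no tag.
        if image != "scratch" and image.lower() not in aliases and "@sha256:" not in image:
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if tag in ("", "latest"):
                findings.append(("unpinned-base", image))
        if stage["alias"]:
            aliases.add(stage["alias"])
    if stages:
        final = stages[-1]  # only the last stage ships, so only it is checked for user/health
        if final["user"] in (None, "root", "0"):
            findings.append(("runs-as-root", final["image"]))
        if not final["health"]:
            findings.append(("no-healthcheck", final["image"]))
    return findings

if __name__ == "__main__":
    for code, image in audit_dockerfile(CASUAL):
        print(f"{code}: {image}")
```

The root check is conservative: a final stage with no `USER` line is reported even if its base image already defaults to a non-root user.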
✨ Example Output
# Stage 1: Build
# Alpine = 5MB vs 900MB for full image
FROM node:22-alpine AS builder
WORKDIR /app
# Copy deps first = better layer caching
COPY package*.json ./
RUN npm ci --omit=dev
...
# Stage 2: Production
FROM node:22-alpine
# Never run as root
RUN addgroup -g 1001 app && adduser -u 1001 -G app -s /bin/sh -D app
...
SIZE: 847MB → 127MB (-85%)