Forem: Mohammad-Ali A'RÂBI

Seven Docker Tips Every Engineer Should Know (from Docker Captains)

Mohammad-Ali A'RÂBI — Mon, 25 May 2026 07:25:00 +0000

Between June and August 2025, Docker shared a short series of practical tips from Docker Captains on Twitter/X. The format was brief, but the advice is worth unpacking. This post is revisiting those seven tips with a little more context and newer examples.

Here are the seven tips, in the chronological order they were shared!

1. Start New Projects with Docker Init

Captain intro: Mohammad-Ali A'rabi is a Docker Captain from Freiburg, Germany, a backend software engineer, Docker community leader, and the author of Docker and Kubernetes Security. His work often sits at the intersection of practical engineering, education, community, and secure-by-default container workflows.

// Detect dark theme var iframe = document.getElementById('tweet-1934618217990754462-547'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1934618217990754462&theme=dark" }

The tweet points to docker init as the fastest way to get a clean Docker setup for a new project:

docker init

The command analyzes your project and generates a set of files that follow Docker's best practices:

Dockerfile
.dockerignore
compose.yaml
README.Docker.md

Read the following article for a detailed walkthrough of docker init with a Java project: Dockerize Java 26 with Docker Init.

2. Clean Up Docker Disk Usage Carefully

Captain intro: Rafael Pazini is a Docker Captain from Sao Paulo, Brazil, and a Senior Software Engineer at Pluto TV. He has more than 10 years of experience building scalable applications, with expertise in distributed systems, microservices, Docker, and Kubernetes.

// Detect dark theme var iframe = document.getElementById('tweet-1937229925515252098-27'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1937229925515252098&theme=dark" }

The command docker system prune is no stranger to Docker users:

docker system prune -a --volumes

The terminal will say:

WARNING! This will remove:
  - all stopped containers
  - all networks not used by at least one container
  - all dangling images
  - unused build cache

Are you sure you want to continue? [y/N]

BTW, did you know [y/N] means "default to No if the user just presses Enter"?

The -a flag removes all unused images, not just dangling ones. The --volumes flag adds unused volumes to the cleanup list. Check it out, and the warning verifies it:

WARNING! This will remove:
  - all stopped containers
  - all networks not used by at least one container
  - all anonymous volumes not used by at least one container
  - all images without at least one container associated to them
  - all build cache

Are you sure you want to continue? [y/N]

A few more handy commands:

docker rmi -f $(docker images -q)  # Force-remove all images
docker volume rm $(docker volume ls -q)  # Remove all volumes

Satisfaction!

3. Use Multi-Stage Builds

Captain intro: Karan Verma is a Docker Captain from Jalandhar, India. He is a software engineer and community leader who has been active in the Docker community in Jalandhar since 2017, with a focus that includes AI and MLOps.

// Detect dark theme var iframe = document.getElementById('tweet-1939768473887916538-62'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1939768473887916538&theme=dark" }

It's not only AI images that can get big. It's better to trim images down, AI or not. It's cost-effective, faster to deploy, and more secure by reducing the attack surface. Multi-stage builds are the way to go for that.

To add to that, docker init already generates a multi-stage Dockerfile for you.

Also, make sure the final stage is hardened with a non-root user and limited privileges. For example, use a base image with no package manager, no shell, and no extra tools.

Another important tip is to generate SBOM attestations during the build:

docker build --sbom=true -t my-image:latest .

This command doesn't automatically include all stages in the SBOM, so you need to add the following line to each stage in your Dockerfile to ensure they are included:

ARG BUILDKIT_SBOM_SCAN_CONTEXT=true
FROM <image> AS stage

4. Choose Lightweight, Version-Pinned Base Images

Captain intro: Sergio Lopes is a Docker Captain from Sao Paulo, Brazil, and a Principal Backend Engineer at Banco Itau Unibanco S.A. Docker highlights his long backend engineering background and expertise in developer productivity, Kubernetes, modern application development, and observability.

// Detect dark theme var iframe = document.getElementById('tweet-1944758785475498198-694'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1944758785475498198&theme=dark" }

This tweet is from July 2025, but the advice is evergreen. Use Docker Hardened Images (DHI) for base images, and pin to a specific version. The DHI are:

Lightweight
Open-source
Secure-by-default

Check the catalog at dhi.io and pick the right image for your language and use case. Search for "node", get into the Node.js image catalog:

Then go to the "Images" tab to see the full list:

In the list of images:

If there is a lock, it's not free to use. Just skip it.
There are Debian and Alpine variants.
There are "dev" variants with build tools and "prod" variants without them.

Find a version, and your Dockerfile should start like this:

# The build stage
FROM dhi.io/node:26.2.0-debian13-dev AS build

# The production stage
FROM dhi.io/node:26.2.0-debian13

The dev image has 10 CVEs and the prod image has 0.

5. Use Docker Scout Quickview

Captain intro: Khushboo Verma is a Docker Captain and Platform Engineer at Appwrite in Bengaluru, India. She is also a community builder and speaker, with Docker listing her expertise in developer productivity, modern application development, and observability.

// Detect dark theme var iframe = document.getElementById('tweet-1947370272115290448-318'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1947370272115290448&theme=dark" }

The docker scout quickview command is a fast way to get a snapshot of your image's security posture. It checks for known CVEs, lists dependencies, and provides metadata about the base image. This is especially useful in CI pipelines to catch vulnerabilities before pushing images to a registry.

Let's do it on the DHI Node.js image:

docker scout quickview dhi.io/node:26.2.0-debian13

The output says:

    i New version 1.21.0 available (installed version is 1.20.3) at https://github.com/docker/scout-cli
    ✓ SBOM obtained from attestation, 20 packages found
    ✓ Provenance obtained from attestation
    ✓ VEX statements obtained from attestation

    i Base image was auto-detected. To get more accurate results, build images with max-mode provenance attestations.
      Review docs.docker.com ↗ for more information.

 Target   │  dhi.io/node:26.2.0-debian13  │    0C     0H     0M     0L
   digest │  f3fb2a06abd6                 │

So, there are no CVEs, and the image has:

SBOM attestation with 20 packages
Provenance attestation
VEX statements attestation

If you want to learn more about these concepts, check out the Docker Commandos workshop on Docker Labspaces: Docker Commandos.

6. Use .dockerignore

Captain intro: Anjan Kumar Reddy Ayyadapu is a Docker Captain and Senior Architect Solution Leader at Cloudera Inc. Docker lists his expertise across AI/ML, CI/CD, Kubernetes, observability, developer productivity, and software secure supply chain work.

// Detect dark theme var iframe = document.getElementById('tweet-1950295464433025395-539'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1950295464433025395&theme=dark" }

The tweet compares .dockerignore to .gitignore, which is exactly the right mental model. .gitignore decides what should not enter version control; .dockerignore decides what should not enter the Docker build context.

Two points on that!

When doing a docker build command, it usually looks like this:

docker build -t my-image:latest .

The . at the end is not the Dockerfile path; it's the build context path. It means, "send the current directory and all its contents to the Docker daemon for the build".

Anjan says blacklist some files with .dockerignore, I would say whitelist some files with .dockerignore. Start with a clean slate, and add only what you need. For example:

# .dockerignore
*

!src/
!package.json
!package-lock.json

7. Limit Container Privileges

Captain intro: Mohammad-Ali A'rabi appears again in Docker's series, this time with a security tip. It's not me promoting myself, it's Docker!

// Detect dark theme var iframe = document.getElementById('tweet-1953561787623788652-733'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1953561787623788652&theme=dark" }

Just for context: Linux capabilities are granular permissions that can be independently enabled or disabled for processes. Similar to the whitelisting approach of .dockerignore, you can start with a clean slate by dropping all capabilities and then adding only the ones your application needs. For example:

docker run --cap-drop=ALL --cap-add=NET_ADMIN my-image:latest

It's similar in a Kubernetes pod spec:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-container
      image: my-image:latest
      securityContext:
        capabilities:
          drop: ["ALL"]
          add: ["NET_ADMIN"]

To learn more about Linux capabilities and how to use them in Docker and Kubernetes, check out the book Docker and Kubernetes Security.

Conclusion

I wish Docker starts sharing more tips from Docker Captains, and I hope this post helps expand on the original tweets with more context and examples. If you have any questions or want to share your own Docker tips, feel free to reach out on LinkedIn or Twitter/X.

Happy Dockerizing!

My Cloud-Native Journey: Docker, Kubernetes, Security, and Open Source

Mohammad-Ali A'RÂBI — Wed, 20 May 2026 22:06:56 +0000

TL;DR: Over the past year, I published Docker and Kubernetes Security, evolved the Docker Black Forest meetup into a CNCF chapter, delivered 15 global engagements across 6 countries, and joined LFX and GSoC as mentor. This post reflects on my journey from Docker Captain to CNCF Ambassador applicant, focused on education through storytelling and building secure supply chains.

In early 2024, I wrote an article titled How to Become a Docker Captain, chronicling my journey from a casual Docker user in 2015 to an official community leader. Today, as a Senior Backend Engineer at JobRad GmbH, a Docker Captain, and a Snyk Ambassador, my perspective on infrastructure has grown. Containers don't live in a vacuum—they are part of a massive, interconnected cloud-native ecosystem.

As I submit my application for the CNCF Ambassador program, I wanted to take a moment for a mid-year check-in to reflect on the community work, authorship, and open-source contributions I've been focused on between May 2025 and May 2026.

Here is what the journey has looked like over the past year.

1. Build a Cloud-Native Community

Back in 2022, I founded the Docker Black Forest meetup because I was looking for a local community to join. Over time, as our discussions expanded beyond containerization into Kubernetes and secure supply chains, I joined forces with the DevOps Meetup Freiburg to evolve into a broader Cloud Native Freiburg chapter. This was a natural progression, as the lines between DevOps, containers, and cloud-native technologies are increasingly blurred.

DockBurg.com is the community hub, that brings Cloud Native Freiburg and Docker Black Forest together under one roof.
Cloud Native Freiburg is the CNCF Chapter. Since its founding in April 2025, we have had 10 in-person events, with an average attendance of 20 people.
Docker Freiburg and Black Forest with about 400 members, 19 events, and a rating of 4.7/5 across ~50 reviews on Meetup.com.
DevOps Meetup Freiburg with about 600 members, 25 events, and a rating of 4.7/5 across ~40 reviews on Meetup.com.

And we had some high-profile speakers, including:

Lize Raes, Docker Captain, Java Champion, and Developer Advocate at Oracle
Timo Stark, Docker Captain and Head of IT
Jonas Scholz, Docker Captain and Co-founder of Sliplane

Docker and Kubernetes Security: Implementing Supply Chain Security and Runtime Security for Containers from Development to Production - Docker and Kubernetes Security - Docker and Kubernetes Security

Learn to secure containers and clusters—from supply chain to runtime. This comprehensive guide covers Docker fundamentals, Kubernetes security, CI/CD integration, and future trends.

dockersecurity.io

2. Write the Book (and Tell a Story)

In October 2025, after nearly two years of writing and 170 git commits, I published my book, Docker and Kubernetes Security. It was an absolute honor to see it nominated as a finalist for the Best DevOps Book of the Year at the DevOps Dozen 2025 awards. To support the book's educational mission, I also launched DockerSecurity.io as an accompanying platform, where I publish regular updates and made the first two chapters available for free to the community.

But let's be honest: Security policies can be dry and cause cognitive fatigue. To fix this, I experimented with narrative-driven technical fiction:

Black Forest Shadow — A Dark Fantasy Guide to Docker and Kubernetes Security - Docker and Kubernetes Security - Docker and Kubernetes Security

A dark fantasy novel set in the Black Forest of 1865 that teaches Docker and Kubernetes security through narrative — covering CVE hunting, SBOM generation, runtime hardening, and container security.

dockersecurity.io

In December 2025, I launched the Black Forest Shadows: Container Security Advent Series, publishing 24 sequential parts across DEV.to and Medium.
This series utilized an 1865 folklore setting where CVEs were literal monsters, helping junior engineers grasp complex DevSecOps principles.
This highly successful experiment is evolving into a full publication titled Black Forest Shadow: A Dark Fantasy Guide to Docker and Kubernetes Security, which was published on Friday the 13th of March 2026.

I was also involved in reviewing Operational AI with Docker by Ajeet Singh Raina and Harsh Manvar, which was published in May 2026. I had the honor of being a technical reviewer for the book, and I shared some exclusive behind-the-scenes insights about it in my book review.

3. Black Forest Commandos: Talks and Workshops

In June 2025, I did a short talk at PlatformCon 2025 about "10 Docker commands you didn't know about". It was a mix of AI and security.

Bake a Docker Cake — Talk by Mohammad-Ali A'râbi - Docker and Kubernetes Security - Docker and Kubernetes Security

A PlatformCon talk on 10 lesser-known Docker commands for improving development workflows, vulnerability scanning, supply chain security, and local AI workflows.

dockersecurity.io

There I talked about Docker Scout, Trivy, Cosign, SBOM attestations, and Docker Bake (hence the name of the talk: Bake a Docker Cake).

In October 2025, I did a workshop version of the same talk at the WeAreDevelopers World Congress in Berlin, which was a huge success. The workshop was attended by 40 people, while 100 more were waiting behind the doors to be let in.

Docker Deep Dive with a Docker Captain — Docker Commandos Workshop - Docker and Kubernetes Security - Docker and Kubernetes Security

The workshop that started it all. Over 100 people queued for 40 seats at WeAreDevelopers World Congress 2025. Covered Docker Init, Docker Bake, SBOMs, attestations, and Docker Scout.

dockersecurity.io

I did the same internally at JobRad, and called it 10 Docker Commandos, which is a play on "10 Docker commands" (as in German, the word for command is Kommando).

In early 2026, I took the main stage at Jfokus 2026 in Stockholm to teach "Dockerize Securely".

Dockerize Securely — Talk by Mohammad-Ali A'râbi - Docker and Kubernetes Security - Docker and Kubernetes Security

A Jfokus talk on building secure container images using SBOMs, OCI 1.1 attestations, and Docker Bake, told through the narrative of the Docker Commandos in Asgard.

dockersecurity.io

I was telling a story about the Black Forest Commandos defending the realm of Asgard against CVE monsters. It was Asgard, because we were in Sweden and the conference was Viking-themed.

On the same week, I turned the talk into a blog post for JAVAPRO, and created 10 original Black Forest Commandos personas, each representing a different Docker command or security tool.

The blog post is published on JAVAPRO's website:

10 Docker Commandos: Docker Commands to Hunt the Predator

Later, Rabobank and Docker, Inc. jointly invited me to do a workshop on behalf of Docker at their internal conference in Utrecht, Netherlands. The workshop was attended by 50 people, and the Commandos traveled to Utrecht.

Docker Commandos v1.5 — Docker Commandos Workshop - Docker and Kubernetes Security - Docker and Kubernetes Security

Docker Commandos v1.5 at Rabobank, part of their Docker Champions program. Full supply-chain security pipeline from Docker Init to cryptographic signing and zero-day runtime defense.

dockersecurity.io

The 10 Commandos are (from left to right):

Gord - Docker Init
Rothütle - Docker SBOM
Jack - Docker Scout
The Valkyrie - SBOM Attestations
Artemisia - Docker Hardened Images
Mina - VEX Exemptions
RuinTan - VEX Attestations
Captain Ahab - Docker Bake
Evie - Cosign
Agent Null - Zero-Day Defense

The Black Forest Commandos then went to Cologne for JCON Europe 2026, where I used Docker Labspaces to launch the Docker Commandos workshop.

Java Supply Chain Security with Docker — Docker Commandos Workshop - Docker and Kubernetes Security - Docker and Kubernetes Security

Docker Commandos adapted for a Java audience at JCON Europe 2026. Supply chain security, SBOMs, and attestations — using Docker tooling with a Java project as the target.

dockersecurity.io

docker compose -f oci://docker.io/aerabi/docker-commandos-labspace up -d

The team is called Black Forest Commandos because they are a continuation of the Black Forest Shadows story, but the workshop series are called Docker Commandos being the Dutch and German name meaning "Docker Commands".

The Commandos went on the stage of DevOpsDays Zurich in May 2026 and will be at EnterJS in Mannheim in June 2026, where I will talk about "Defense Against the Dark Arts: NPM Attack".

Black Forest Commandos are in:

Black Forest Commandos — Narrative-Driven Container Security Workshop - Docker and Kubernetes Security - Docker and Kubernetes Security

A hands-on container security workshop told through the story of 10 commandos fighting CVE monsters in Asgard. Covering SBOMs, attestations, hardened images, VEX, Docker Bake, Cosign, and zero-day defense. (Previously known as Docker Commandos).

dockersecurity.io

Docker Commandos in-person workshop series
Docker Labspaces DIY workshops
Asgard Arcade: a set of card games published on DockerSecurity.io
Swiss Jass: Commandos Edition: a Commando-themed version of the popular Swiss card game, Jass
Upcoming: Black Forest Commandos: Asgard Mission, comic book that follows the Commandos on a mission to Asgard.

I started doing the comic book as I was asked a few times.

4. Mentor the Next Generation

I started writing in 2021 since I was mentoring a few junior engineers at work, and I realized those answers could be useful for a wider audience. I also wanted to give back to the community that had given me so much. So, mentoring others has always been more educational for me than for the mentees.

Because I joined a team of senior engineers at JobRad, I suddenly found myself without junior colleagues to mentor. To fill that gap, I turned to the open-source world:

In 2025, I joined the Linux Foundation Mentorship (LFX) Program. I had the immense privilege of managing a cohort of 24 active mentees, successfully guiding three of them to full graduation.
This term, I am acting as a primary mentor for The Linux Foundation during Google Summer of Code (GSoC) 2026.
Alongside my co-mentors, I am guiding our mentee through a highly critical engineering project: "CISA 2025 SBOM Conformance and SPDX 3 Support".

5. Contribute to the Core

I still remember going to my favorite café every Sunday to write. That habit hasn't died.

I am a frequent contributor to DEV.to (76 total articles, 37 in 2025) and Medium (93 total, 31 in 2025), alongside my dedicated posts on DockerSecurity.io/blog.
I continue to author the Git Weekly newsletter, which has 500 subscribers and 29 issues published so far.
In 2026, I started the Docker Security Dispatch to keep the DevSecOps community updated on container security postures and CVE alerts. With only 2 issues published so far, it has already attracted 400 subscribers.

I'm honored to be on the Docker's official docs workgroup, where I contribute to the guides and reference documentation. I co-authored the C++ guide and have added the security sections to it.

Impact at a Glance

Since May 2025, I've had the privilege of sharing my journey and knowledge across various stages and formats. Here is a summary of my impact:

Speaking & Training Engagements

Between May 2025 and July 2026, I will have delivered a total of 15 engagements across 6 countries and online:

8 Talks 🎤
4 Workshops 🛠️
3 Interviews 🎙️

Locations included: Germany 🇩🇪 (9), Sweden 🇸🇪 (1), Switzerland 🇨🇭 (1), Netherlands 🇳🇱 (1), and Global/Online 🌐 (3).

Legend: 🎤 Talk | 🛠️ Workshop | 🎙️ Interview

Date	Title	Event / Venue	Location
27.06.2025	🎤 Bake a Docker Cake	PlatformCon 2025	Online 🌐
08.07.2025	🛠️ Docker Deep Dive with a Docker Captain	WeAreDevelopers World Congress	Berlin 🇩🇪
25.07.2025	🎙️ Docker Captain, DevSecOps, and Developer Advocacy	TACOS Podcast	Online 🌐
11.09.2025	🛠️ 10 Docker Commandos	JobRad GmbH	Freiburg 🇩🇪
01.10.2025	🎤 5 Docker Commandos	#cTENcf Birthday Bash Freiburg	Freiburg 🇩🇪
06.11.2025	🎤 Node.js Supply Chain Security + dhi	Node.js Meetup #46	Berlin 🇩🇪
03.02.2026	🎤 Dockerize Securely: SBOMs + Attestations + Bake	Jfokus 2026	Stockholm 🇸🇪
27.03.2026	🛠️ Docker Commandos v1.5	Rabobank Utrecht	Utrecht 🇳🇱
20.04.2026	🛠️ Java Supply Chain Security with Docker	JCON Europe 2026	Cologne 🇩🇪
20.04.2026	🎙️ Interview with Baruch Sadogursky at JCON Europe	JAVAPRO / Tessl	Cologne 🇩🇪
24.04.2026	🎙️ Writing a Tech Book: Docker and Kubernetes Security	JobRad Podcast: Increase Cycle Time	Freiburg 🇩🇪
06.05.2026	🎤 Beyond SBOMs: The Future of Container Supply Chain Security	DevOpsDays Zurich 2026	Zurich 🇨🇭
16.06.2026	🎤 Defense Against the Dark Arts: NPM Attack	EnterJS 2026	Mannheim 🇩🇪
09.07.2026	🎤 Dockerize Java Securely: SBOMs + Attestations + Bake	WeAreDevelopers World Congress	Berlin 🇩🇪
10.07.2026	🎤 Beyond SBOMs: The Future of Container Supply Chain Security	WeAreDevelopers World Congress	Berlin 🇩🇪

Pillars of Impact

Pillar of Impact	Key Highlights
Community Leadership	Evolving local meetups into the CNCF Cloud Native Freiburg chapter with ~1,000 combined members.
Content & Authorship	Publishing Docker and Kubernetes Security, launching DockerSecurity.io, and maintaining multiple blogs and newsletters.
Speaking & Training	Delivering the Docker Commandos workshops globally, from Jfokus in Sweden to JCON in Cologne.
Open Source Mentorship	Managing 24 LFX mentees and serving as a primary mentor for GSoC 2026.

Conclusion: The Path Ahead

The theme of the year has been Education by Storytelling. It started with the Black Forest Shadows series, evolved into the Black Forest Commandos, and now I'm working on a comic book about the Commandos' mission to Asgard. There also have been some spin-offs, like the Swiss Jass: Commandos Edition card game or my other article on JAVAPRO:

The Whispering JAR: Java Security Lessons Hidden in a Fantasy Tale

I'm excited to see what the next year will bring. Perhaps I'll see you in Black Forest, in Asgard, or maybe at the next KubeCon!

Book Review: Operational AI with Docker

Mohammad-Ali A'RÂBI — Wed, 20 May 2026 07:32:00 +0000

In my Q1 2026 Docker Read List, I dropped a little hint that I was involved in reviewing an exciting upcoming book for Q2. Well, the secret is finally out! I had the absolute honor of being a technical reviewer for Operational AI with Docker, written by my friends and fellow experts Ajeet Singh Raina and Harsh Manvar.

The Complete Docker Read List: Q1 2026 Edition - Docker and Kubernetes Security - Docker and Kubernetes Security

A curated reading list of the best books on Docker and Kubernetes for the first quarter of 2026, featuring releases from Docker Captains and industry experts.

dockersecurity.io

I love a good narrative in my technical books. The authors definitely brought some drama to the text, which I absolutely loved about this book. I had the chance to review the last four chapters of the book, and would love to share some exclusive behind-the-scenes insights about the book, as well as my thoughts on it.

Authors

Well, the authors need no introduction, but I'll still give you one.

Ajeet Singh Raina was a Docker Captain for six years until he was hired by Docker as a Developer Advocate. He was my first point of contact when I started my journey in the Docker community, and we published three blog posts together on the Docker blog. He is an absolute legend, the man behind the Collabnix Community, and a great mentor to many in the container ecosystem.

Harsh Manvar is a Senior Software Engineer at Oracle, a Docker Captain, and a CNCF Ambassador. Similarly, he is also an absolute star in the Indian container ecosystem, and has been a great mentor to many in the community. I had the pleasure of meeting him in person at the Docker Captains Summit in 2025, when he shared with me his plans for the book, and I was immediately excited about it.

The Book's Final Act: From MCP to KAgent

Chapter 6. The authors introduced the Docker MCP Gateway flawlessly. Before getting into the details, they did a great job of setting the stage by showing exactly why we need a gateway, and why it is painful to connect different MCP servers directly. It's great that the authors let you feel the pain, instead of just telling you about it.
Chapters 7 and 8. These chapters dive heavily into using AI agents and orchestrating multiple AI agents using Python. The chapters are packed with multiple examples and Docker Compose projects. The chapters might feel a bit overwhelming or tedious for readers, but it perfectly shows how one can use AI agents in a real-world scenario, and create a complex system that can solve a problem end-to-end. These two chapters are practically every Hollywood movie 70 minutes in, when it feels we're at impossible odds, and there is no way out.
Chapter 9. The grand finale covers Docker Sandboxes, Docker Agent, and KAgent. Let me tell you, this is an awesome way to end the book. It suddenly becomes clear that any pain we had to endure in Chapter 8 was entirely intentional: it was just to make the out-of-the-box experience of Docker Agent and KAgent shine! Suddenly eagles come and Frodo is on his way to Valinor!

Final Thoughts

The book is purely practical, impossibly fresh, and skillfully dramatic. It teaches you the basics and the advanced features of Docker MCP, Docker Agent, and KAgent. It lets you feel the pain and the joy of better tools. It is a must-read for anyone interested in the future of AI and how it can be operationalized using Docker. It's a great read, sometimes a bit overwhelming, but always rewarding. You need it in your library, and you need to read it.

Swiss Jass: Commandos Edition is Now on the Google Play Store

Mohammad-Ali A'RÂBI — Mon, 18 May 2026 12:18:30 +0000

Swiss Jass: Commandos Edition is now available on the Google Play Store! This mobile card game app brings the classic Swiss card game Jass to your phone, featuring a unique Black Forest Commandos theme.

Swiss Jass: Commandos Edition - Apps on Google Play

Play a mobile-friendly version of Jass with Black Forest Commandos characters.

play.google.com

The book Docker and Kubernetes Security started with a battle scene between Gord, Rothütle, Jack, and a CVE monster. Those three characters we met again in Black Forest Shadow, with Evie joining them. The events of Black Forest Shadow are set in late 1865, happening over 3 days in the Black Forest. The Commandos are on a mission to stop CVE monsters from spreading chaos across the region.

Black Forest Shadow — A Dark Fantasy Guide to Docker and Kubernetes Security - Docker and Kubernetes Security - Docker and Kubernetes Security

dockersecurity.io

Between those events and the Asgard Mission, the characters recruit new members: Mina (aka Wilhelmina), Agent Null, The Valkyrie, and Captain Ahab. The Commandos are now a team of 8, and they are summoned by Thor to go to Asgard and stop the CVE monsters from invading the realm of the gods. During this mission, two new Commandos join them: Artemisia and RuinTan.
Those events are depicted in the workshop series Docker Commandos as well as the upcoming comic book Black Forest Commandos: Asgard Mission.

Characters

The Black Forest Commandos are a team of 10 characters:

Gord: The leader of the Commandos, a skilled strategist and fighter. She wears plate armor and wields a sword glowing blue with the power of the Okterakt, a time-manipulation device.
Rothütle: The second-in-command, a master of strategy and tactics. He wears a red fedora and an orange T-shirt, showing that he's a member of the Red Team.
Jack: The wildcard of the group, he started off helping the CVE monsters but later switched sides to join the Commandos. He was a miner in the Black Forest Shadow book, but in the Asgard Mission he's a cyborg soldier with advanced scouting abilities.
Evie: The cowgirl and infiltrator of the Commandos. She wears a brown cowboy hat and a leather jacket, is a skilled sniper and scout.
Mina: The pale undead assassin of the Commandos. She had a dispute with Hades, the god of the underworld, and was cursed to be alive. She can't eat, but gets energy from photosynthesis. She wears black tactical gear and has dark hair.
Agent Null: The masked tactical soldier of the Commandos. No one knows anything about him, not even his name. He likes an MP5SD and wears a skull balaclava.
The Valkyrie: The blonde guardian of the Commandos. She wears modern tactical armor and has tattooed arms. She's a fierce fighter and protector of the team.
Captain Ahab: The bearded veteran of the Commandos. He's a naval captain and mostly chauffeurs the team around.
Artemisia: An Amazonian warrior who joins the Commandos during the Asgard Mission. She has fought in the Battle of Salamis and was sent to Asgard after she was angered by Zeus for not siding with the Olympians during the battle.
RuinTan: The hulking champion of the Commandos. He was honored with immortality by the prophet Zarathustra in 1500 BC, and bears the name RuinTan, literally meaning "bronze-bodied". He wears heavy golden armor and wields a massive sword.

Gameplay

Swiss Jass, also known as Schieber Jass, is a popular trick-taking card game in Switzerland. The game is played with a 36-card deck, which is a standard deck with the 2s, 3s, 4s, and 5s removed. The Swiss suits are:

Bells (Schellen)
Acorns (Eicheln)
Roses (Rosen)
Shields (Schilten)

In the Commandos Edition, you can use the Commandos suits:

Shields
Attestations
Hardened
Signatures

Each suit has 9 cards, ranked from highest to lowest as follows:

Rank (French)	Rank (Swiss)	Commandos name	Points	Points in Trump
A = Ace	D = Deuce	Artemisia	11	11
K = King	K = König	Gord	4	4
Q = Queen	O = Ober	Rothütle	3	3
J = Jack	U = Under	Jack	2	20
10	10 / Banner	Agent Null	10	10
9	9	Mina	0	14
8	8	The Valkyrie	0	0
7	7	Captain Ahab	0	0
6	6	RuinTan	0	0

The game is played with four players in two fixed partnerships. The objective is to be the first team to reach 1000 points across multiple rounds. Each round consists of 9 tricks, and players must follow suit if they can. Players can always play a trump card.

At the beginning of each round, players can choose a trump suit or play Schieben to pass the decision to their partner. In the trump suit, Jack the Buur (the Jack) is the highest card, followed by Mina the Nell (the 9).

Conclusion

You can download Swiss Jass: Commandos Edition on the Google Play Store here. The app is free to play and has no ads or in-app purchases.

On the website, there is also the Asgard Arcade, a collection of mini-games inspired by the Commandos and the Asgard Mission. You can play an online version of Jass there as well, together with 3 other mini-games:

Asgard Siege: Match the right commando to the right CVE monster to defend Asgard.
Blackjack: A classic card game where you try to get as close to 21 points as possible without going over.
Reference Deck: Simple card-comparison game to learn about each commando's abilities.

Black Forest Commandos — Narrative-Driven Container Security Workshop - Docker and Kubernetes Security - Docker and Kubernetes Security

dockersecurity.io

Generating SBOM with Docker Scout

Mohammad-Ali A'RÂBI — Thu, 23 Apr 2026 18:40:34 +0000

Knowing what's inside your container is the first step to securing it. In the first commando mission, we dockerized a Java 26 project using Docker Init. Now that we have an image, it's time to see what's actually in it.

The Mission: Who Lives in Asgard?

Rothütle, the tactician of the Docker Commandos, asks Thor for a list of all Asgard residents. Why? Because you can't defend a city if you don't know who's inside. By getting this list, you can later cross-reference it with known threats and identify the shadows in disguise.

Technical Requirements

Docker Desktop that is not too old, or
Docker Scout CLI plugin installed.

To make sure you have the Docker Scout plugin, run:

docker scout --help

Generate the SBOM

We'll use docker scout sbom to peek inside our image. If you followed the previous post, you have an image built from your project. Let's assume you tagged it hello-wowlrd:latest.

docker scout sbom hello-wowlrd:latest --format list

The --format list flag gives you a clean table of all the packages, their versions, and types (e.g., deb, maven).

Exporting to Standard Formats

While a table is great for humans, tools prefer standard formats like SPDX or CycloneDX. Let's export our SBOM to a JSON file using the SPDX format:

docker scout sbom hello-wowlrd:latest --format spdx --output sbom.spdx.json

If you investigate the file, you will see a detailed inventory:

jq . sbom.spdx.json | less

This file contains every package, its version, and its license—perfect for compliance and automated scanning. You can check available formats by running docker scout sbom --help. Try exporting in CycloneDX format and compare it with the SPDX output!

Exercise: Comparing Base Images

One of the best ways to understand the value of an SBOM is to compare different base images. For example, let's look at the difference between a standard Node.js image and its Alpine counterpart:

docker scout sbom node:25 --format list

Versus:

docker scout sbom node:25-alpine --format list

You'll notice that the Alpine version is significantly smaller, with fewer packages. This is why "minimal base images" are a core tenet of container security—fewer residents mean fewer places for CVE monsters to hide.

What's Next?

Now that we have our list of residents, the next mission is to find the monsters. In the next post, we'll use Docker Scout to scan for CVEs.

Want the full mission? Visit Docker Commandos or request a workshop.

7 Noob Git Tips

Mohammad-Ali A'RÂBI — Tue, 14 Apr 2026 15:53:41 +0000

#Git_Noob_Tip is a title for a set of beginner-friendly git tips that I tweet every week. At the time this post is being published, I have tweeted 7 of those, and I'm going to compile them together into this post. I'll also add context and more details.

Tip 1. Delete Remote Branch

// Detect dark theme var iframe = document.getElementById('tweet-1517458191910531072-746'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1517458191910531072&theme=dark" }

Deleting a local branch is rather easy:

git branch -d <branch>

The -d flag checks if the branch is merged and then deletes it. To delete a local branch no matter what, we have to use the big D:

git branch -D <branch>

Then, it comes to deleting a remote branch from git's CLI:

git push origin --delete <branch>

Of course, one can delete a remote branch using the UI application that manages the remote repo, e.g. GitHub or GitLab. But this is handier.

Also, to check what remote branches there are, you can list them using:

git branch --remote

Tip 2. Rename or Move a File

// Detect dark theme var iframe = document.getElementById('tweet-1519994911654825984-770'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1519994911654825984&theme=dark" }

So, once I went to work and my colleague told me: "We should tell John to change his script to do that." Of course, the script was written by me. What did John do? He moved the script to a subdirectory and changed two lines of it.

Git usually gets confused when you rename/move a file and change its content at the same time. Git would think the old file was deleted and a new file was created. All of the version history is simply lost.

To prevent such things from happening, one should rename or move, using git:

git mv <src> <dest>

Instead of doing:

mv <src> <dest>

Tip 3. Rebase When Pulling Master

// Detect dark theme var iframe = document.getElementById('tweet-1522531843446390785-488'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1522531843446390785&theme=dark" }

When pushing, your local branch must be ahead of the remote branch, otherwise, the push is rejected. This is called the "fast-forward rule". In the case of a feature branch, one can force-push, but one should never force-push to master.

So, always keep your local master ahead.

That is done by rebasing. When you want to update your master branch with the remote repo, and especially when you have local changes, do a rebase pull:

git pull --rebase origin master

Otherwise, a merge commit might be created on your local repo and you can never push to master again.

Tip 4. Git Default Branch

// Detect dark theme var iframe = document.getElementById('tweet-1525068639631814659-755'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1525068639631814659&theme=dark" }

A bit of context: Until some 2 years ago, the default branch of every git repository was called "master". It was a synonym for "the default branch". Then there was an initiative to change this because it was offensive to some people. GitHub was the first one to react and changed the default branch name to "main". On git, the default branch name stayed "master", but an option was added to change it.

So, until recently, if you initialize a git repo locally, the default branch name would be master:

git init

This behavior was changed in the last version, and now it actively asks you to "set" a default branch name before it allows you to init. This is done as follows:

git config --global init.defaultBranch <name>

Some popular names are the following:

master: the original name
main: the one popularized by GitHub
trunk: the name used by the older version control tool, SVN
development: used in the repos with a certain workflow

Tip 5. Stash Message

// Detect dark theme var iframe = document.getElementById('tweet-1527605134318096384-435'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1527605134318096384&theme=dark" }

Git stash is a place to store your unfinished work to do things like changing the branch or pulling the latest changes. Then one can pop the changes and continue working.

Although the stash is designed not to become too large, it might. I usually end up having 20 different stashed changes and not knowing what is what and finally dropping them all.

This can be avoided by adding a message to your stash:

git stash push -m <message>

Then, when you want to look at your stash, you also see the messages:

git stash list

Tip 6. Auto-Stash

// Detect dark theme var iframe = document.getElementById('tweet-1530144576970924032-548'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1530144576970924032&theme=dark" }

This one is a child of tips 3 and 5. First of all, if we want to rebase every time we pull, why not make it the default? Also, if we want to stash our uncommited changes every time we pull/rebase, why not make it automated? That's what this tip is about:

git config --global pull.rebase true
git config --global rebase.autoStash true

By setting these config values, next time you have some changes in your local, you can still do a pull. The changes will be stashed, a rebase will happen on your branch, and the changes will be poped from the stash.

Tip 7. Push Default Branch

// Detect dark theme var iframe = document.getElementById('tweet-1532703423941984260-924'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1532703423941984260&theme=dark" }

Let's say you created a new branch locally, named my-fantastic-branch, and you want to push it to the remote repo. The first time you're pushing, you need to specify the name again and instruct git that this is your "upstream" branch from now on so that git creates the branch on the remote repo:

git push --set-upstream origin my-fantastic-branch

This is usually tedious and prevents people from using descriptive branch names. To avoid this and set the remote branch to have the same name as the local one by default:

git config --global push.default current

Next time on push, there is no need to repeat yourself.

Securing Asgard: Why I Built a Card Game Suite for Docker Security

Mohammad-Ali A'RÂBI — Fri, 03 Apr 2026 12:28:14 +0000

This is a submission for the DEV April Fools Challenge

What I Built

What do you do when you have a series of narrative-driven Docker security workshops featuring 10 elite "Commandos" fighting CVE monsters in Asgard?

You could write more documentation. You could add more tests. Or, you could do the most "anti-value" thing possible: Build a full-featured arcade suite where these security characters play Blackjack and Swiss Jass.

Presenting the Asgard Arcade: A collection of four utterly useless but technically over-engineered games designed to distract developers from actual security work while simultaneously drilling "Security Metaphors" into their brains.

The Lore: Docker Commandos & Black Forest Shadow

The Docker Commandos are a team of 10 elite specialists, each representing a core Docker security feature (e.g., Gord is docker init, Jack is docker scout). Their journey began in the Black Forest Shadow universe—a dark fantasy retelling of container security where warriors fight shadowy monsters called CVEs in the year 1865.

From the 19th-century Black Forest to the futuristic golden districts of Asgard, these characters teach DevSecOps through immersive storytelling.

Black Forest Shadow — A Dark Fantasy Guide to Docker and Kubernetes Security - Docker and Kubernetes Security - Docker and Kubernetes Security

dockersecurity.io

The Games:

Asgard Siege (Tactical Defense): A game where you must counter CVE threats (like "The Supply Chain Hydra") by deploying the correct Commando. Choose wrong, and Asgard's security level crashes.
Blackjack with Jack: Standard Blackjack, but against Angra (the shadow villain). If you are dealt Jack (the Cyborg Commando), you get a "Scout Bonus" to see the dealer's hidden card.
Asgardian Jass (Schieber): A 4-player Swiss trick-taking game. We replaced standard suits with Shields, Attestations, Hardened Images, and Signatures. Jack is the "Bure" (highest trump).
The Reference Deck: A simple card-comparison game to learn the "Power," "Stealth," and "Legacy" stats of each character.

Demo

You can experience the arcade yourself at dockersecurity.io/commandos (scroll down to the "Asgard Arcade") or jump directly into a game below:

The Tactical Siege

Docker and Kubernetes Security

From supply chain to runtime: build safer images, lock down clusters, instrument logging & audit trails, and stay ahead of emerging threats. The comprehensive guide by Mohammad-Ali A'râbi.

dockersecurity.io

Blackjack with Jack

Docker and Kubernetes Security

From supply chain to runtime: build safer images, lock down clusters, instrument logging & audit trails, and stay ahead of emerging threats. The comprehensive guide by Mohammad-Ali A'râbi.

dockersecurity.io

Asgardian Jass

Docker and Kubernetes Security

From supply chain to runtime: build safer images, lock down clusters, instrument logging & audit trails, and stay ahead of emerging threats. The comprehensive guide by Mohammad-Ali A'râbi.

dockersecurity.io

Code

The project is built within the official DockerSecurity.io website repository.

How I Built It

Full Disclosure: Every single game in this arcade, the UI components, the AI logic, and even this very blog post were entirely developed and written by Gemini CLI, an interactive agent. I simply provided the "utterly useless" vision, and the agent executed the over-engineering.

Built with Next.js 14, Tailwind CSS, and Radix UI.

The Jass Engine: Features a heuristic AI for your partner (Evie) and opponents (Angra & Jack the Miner) that follows suit rules, handles trump logic, and manages complex turn states.
Dynamic State: Utilizes React state machines to manage trick resolution, "Zero-Day Exploit" dealer logic in Blackjack, and the deteriorating security level of Asgard during sieges.
Accessible Visuals: Custom character portraits with responsive aspect ratios and high-visibility suit indicators (e.g., Shields for SBOMs, Fingerprints for Identity).

Prize Category

I am submitting this for the Community Favorite category.

While it solves exactly zero real-world security vulnerabilities, it turns the grueling task of learning supply-chain security (SBOMs, Provenance, VEX) into a series of addictive arcade games. It’s the ultimate "Anti-Value" tool: it encourages developers to spend their "Build Time" playing cards with a cyborg cowboy instead of fixing their Dockerfile.

Created by Mohammad-Ali A'râbi (Docker Captain) & Gemini CLI

Dockerizing a Java 26 Project with Docker Init

Mohammad-Ali A'RÂBI — Tue, 31 Mar 2026 13:56:57 +0000

Docker Init was introduced in Docker Desktop 4.27, before LLMs became the default answer to everything. It's a "smart" interactive wizard that analyzes your project and generates:

A Dockerfile (multi-stage, production-ready)
A compose.yaml file
A .dockerignore file
A README.Docker.md with build and run instructions

What makes it valuable is that it's deterministic—not a probabilistic guess. It produces the same correct output every time, following Docker's own best practices.

Technical Requirements

Docker Desktop 4.27 or later

Create a New Project

I'm using a Spring Boot project. Because it's early Spring now and I haven't touched one in a while—so let's go.

Head to start.spring.io and create a project with:

Project: Maven
Language: Java
Spring Boot: 4.0.5 (or whatever the latest stable is)
Packaging: Jar
Java: 26

I used these coordinates, but pick your own:

Group: io.dockersecurity
Artifact: hello-wowlrd
Package Name: io.dockersecurity.hello-wowlrd

Download, unzip, and step into the directory:

cd hello-wowlrd

Run Docker Init

As my British friend say, "It's Docker, innit?"

docker init

The interactive wizard detects your Java project automatically. Accept "Java", confirm the source directory and Java version, and enter the port:

? What application platform does your project use? Java
? What's the relative directory (with a leading .) for your app? ./src
? What version of Java do you want to use? 26
? What port does your server listen on? 8080

Docker Init generates four files. The one that matters most is the Dockerfile:

# syntax=docker/dockerfile:1

################################################################################
# Stage 1: resolve and download dependencies
FROM eclipse-temurin:26-jdk-jammy as deps

WORKDIR /build

COPY --chmod=0755 mvnw mvnw
COPY .mvn/ .mvn/

RUN --mount=type=bind,source=pom.xml,target=pom.xml \
    --mount=type=cache,target=/root/.m2 ./mvnw dependency:go-offline -DskipTests

################################################################################
# Stage 2: build the application
FROM deps as package

WORKDIR /build

COPY ./src src/
RUN --mount=type=bind,source=pom.xml,target=pom.xml \
    --mount=type=cache,target=/root/.m2 \
    ./mvnw package -DskipTests && \
    mv target/$(./mvnw help:evaluate -Dexpression=project.artifactId -q -DforceStdout)-$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout).jar target/app.jar

################################################################################
# Stage 3: extract Spring Boot layers
FROM package as extract

WORKDIR /build

RUN java -Djarmode=layertools -jar target/app.jar extract --destination target/extracted

################################################################################
# Stage 4: minimal runtime image
FROM eclipse-temurin:26-jre-jammy AS final

ARG UID=10001
RUN adduser \
    --disabled-password \
    --gecos "" \
    --home "/nonexistent" \
    --shell "/sbin/nologin" \
    --no-create-home \
    --uid "${UID}" \
    appuser
USER appuser

COPY --from=extract build/target/extracted/dependencies/ ./
COPY --from=extract build/target/extracted/spring-boot-loader/ ./
COPY --from=extract build/target/extracted/snapshot-dependencies/ ./
COPY --from=extract build/target/extracted/application/ ./

EXPOSE 8080

ENTRYPOINT [ "java", "org.springframework.boot.loader.launch.JarLauncher" ]

This is already a proper multi-stage build: separate stages for dependency resolution, compilation, layer extraction, and a minimal runtime image with a non-root user. Gord would approve.

A Note on Java 26 Base Images

The generated Dockerfile references eclipse-temurin:26-jdk-jammy and eclipse-temurin:26-jre-jammy. Since Java 26 was just released, these Eclipse Temurin images may not be fully available on Docker Hub yet.

Swap them out for SAP Machine images instead—SAP's free OpenJDK distribution ships Java 26 on Ubuntu 24.04 (Noble Numbat):

sapmachine:26-jdk-ubuntu-noble
sapmachine:26-jre-ubuntu-noble

Find them on Docker Hub: hub.docker.com/_/sapmachine. Just replace eclipse-temurin with sapmachine in both FROM lines.

Build and Run

docker compose up --build

The generated compose.yaml is minimal:

services:
  server:
    build:
      context: .
    ports:
      - 8080:8080

The application starts, and immediately stops with exit code 0. That's expected: there's no HTTP endpoint to keep it alive.

Add a Controller

Create src/main/java/io/dockersecurity/hellowowlrd/HelloController.java:

package io.dockersecurity.hellowowlrd;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("/")
    public String hello() {
        return "Hello, Docker Security!";
    }
}

Add the Spring Web dependency to pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

Build and run again:

docker compose up --build

Verify:

curl http://localhost:8080
# Hello, Docker Security!

See It Live — Jfokus 2026

I presented Docker Init and Docker security at Jfokus in Stockholm in February 2026. If you want to see the commands in action rather than reading about them, the full talk is on YouTube:

Conclusion

Java 26 just shipped and Docker Init handles it cleanly out of the box—multi-stage build, layer extraction, non-root user, bind mounts for caching. You get a production-ready Dockerfile in under a minute. When Eclipse Temurin catches up, swap the base images back. Until then, SAP Machine has you covered.

Docker Init is Gord's move. The rest of the Commandos handle what comes after.

The Docker Commandos

Docker Init is assigned to Commando 1: Gord. In the Docker Commandos workshop, each Docker security feature is taught through a character on a mission to defend Asgard from CVE monsters. The ten commandos are:

Gord — docker init: establish a secure base from day one ← you are here
Rothütle — SBOM: inventory every dependency in your image
Jack — Docker Scout: hunt CVEs across your supply chain
The Valkyrie — SBOM Attestations: cryptographically sign your component inventory
Artemisia — Docker Hardened Images: near-zero-CVE base images
Mina — VEX Exemptions: mark false-positive CVEs as not exploitable
RuinTan — VEX Attestations: attach signed exemptions to your image
Captain Ahab — Docker Bake: codify your entire build pipeline in one file
Evie — Cosign: sign images and attestations cryptographically
Agent Null — Zero-Day Defense: harden against unknown, unpatched threats

The workshop has been delivered at WeAreDevelopers World Congress, Jfokus, and Rabobank. More at dockersecurity.io/commandos.

The Complete Docker Read List: Q1 2026 Edition

Mohammad-Ali A'RÂBI — Thu, 26 Mar 2026 17:21:39 +0000

2026 has been phenomenal in the number of books published on Docker or by Docker Captains so far. So, I decided to compile the books published in the first quarter of 2026 into an article for more people to discover them.

You can also read the article here, which looks slightly better.

1️⃣ Black Forest Shadow: A Dark Fantasy Guide to Docker and Kubernetes Security

Author: Mohammad-Ali A'râbi (Docker Captain)

If you've ever thought learning about Kubernetes and container hardening was a bit dry, Mohammad-Ali A'râbi is here to prove you wrong. Black Forest Shadow is a highly creative, dark fantasy guide to Docker and Kubernetes security.

—Claude

What it's about: The book weaves complex concepts like runtime security, SBOM generation, and container hardening into an exciting narrative set in the mystical Black Forest of 1865.
Why you should read it: It transforms standard cybersecurity challenges—like tracking down CVEs and preventing lateral movement—into an immersive, story-driven adventure. It's ideal for developers and security engineers seeking a distinctive, memorable approach to DevSecOps.
Where to get it:

2️⃣ The Rust Programming Handbook: An End-to-end Guide to Mastering Rust Fundamentals

Author: Francesco Ciulla (Docker Captain)

Rust is the new C, and it's been on my list for 5 years now. Now, finally, I know which book to read to learn it. Written by my dear friend and fellow Docker Captain, Francesco Ciulla, who has been teaching Rust for many years now.

What it's about: This handbook takes you from foundational syntax to advanced features like memory safety and concurrency models. Crucially for this list, it includes dedicated, hands-on sections on Dockerizing and deploying your Rust applications!
Why you should read it: It bridges the gap between beginner tutorials and production-ready coding for low-level system components or high-performance web services.
Where to get it:
- Packt Publishing
- Walmart

3️⃣ Docker for Front-end Developers (Featuring React.js)

Author: Kristiyan Velkov (Docker Captain)

Front-end developers, rejoice! As a backend engineer, it has always been hard for me to onboard frontend people to Docker, because I spoke Klingon for them. My dear friend, Docker Captain Kristiyan Velkov, has done an awesome job writing a containerization guide specifically tailored to how front-end engineers think, build, and ship. I should say, it also looks good.

What it's about: Moving past backend-centric explanations, this book walks you through containerizing real-world applications (with a heavy focus on React). You'll learn how to write clean Dockerfiles, configure NGINX properly, implement multi-stage builds, and handle caching securely.
Why you should read it: It's a purely practical, visually-driven guide that teaches you how to take full ownership of your environments without getting bogged down in abstract backend theory.
Where to get it:

4️⃣ The Ultimate Docker Container Book (Fourth Edition)

Author: Dr. Gabriel N. Schenker

Hitting shelves on March 31, 2026, this absolute heavyweight of a book clocks in at over 750 pages and leaves no stone unturned. Jeez, I need an extra bookshelf just for this book's weight.

What it's about: It takes you from basic container concepts all the way to running production-grade platforms. The fourth edition places a massive new emphasis on security, enterprise governance, compliance, and AI-driven automation patterns.
Why you should read it: It is designed for system administrators, DevOps engineers, and architects who need to build and scale secure, future-ready container platforms across major cloud providers.
Where to get it:
- Packt Publishing

5️⃣ Docker: Das Praxisbuch für Entwickler und DevOps-Teams (5th Edition)

Authors: Bernd Öggl & Michael Kofler

For the German-speaking tech community, the definitive Docker reference guide gets a major Q1 2026 update.

What it's about: A comprehensive, 580+ page practical guide covering everything from setting up Docker to CI/CD pipelines, GitLab integration, Swarm, and Kubernetes orchestration.
Why you should read it: It's an excellent, hands-on resource that balances basic principles with advanced, modern use cases like modernizing legacy applications and working with specialized databases.
Where to get it:
- Rheinwerk Verlag

Honorable Mentions from 2025

Well, while researching the new 2026 Docker books, I stumbled upon a recent video by Bret Fisher interviewing the author of a rather interesting book. That inspired me to add this honorable mentions section. I promise my original intention wasn't to sneak my own book in here, but hey, it just happened!

Learn Docker in a Month of Lunches (Second Edition)

Author: Elton Stoneman

Published in 2025, this is the much-anticipated update to one of the most beloved Docker books on the market.

What it's about: A complete refresh of the classic guide. It breaks down Docker fundamentals into digestible, daily lessons. This edition covers multi-platform builds, the latest cloud container services, and navigating the modern Kubernetes ecosystem.
Why you should read it: If you are a beginner looking for a structured, manageable way to learn—or an experienced dev needing to catch up on years of ecosystem changes—this is the gold standard.
Where to get it:
- Manning Publications

Getting Started with Docker (2025 Edition)

Author: Nigel Poulton (Docker Captain)

Nigel Poulton's fast-paced introduction to Docker received a significant 2025 update, adding a dedicated chapter on running local LLMs with Docker Model Runner — including building a multi-container chatbot app.

What it's about: A streamlined, hands-on guide to container fundamentals, Docker Compose, and microservices — now with a practical AI chapter for developers who want to run models locally.
Why you should read it: It's the quickest path from zero to productive with Docker, and the new AI content makes it uniquely relevant for 2025 and beyond.
Where to get it:
- Leanpub

Docker and Kubernetes Security

Author: Mohammad-Ali A'râbi (Docker Captain)

A DevOps Dozen 2025 finalist for Best DevOps Book of the Year, this practical guide covers container security across the full development lifecycle—from build to production.

What it's about: Ten chapters spanning supply chain security (SBOMs, OCI 1.1 attestations, vulnerability scanning with Docker Scout, Trivy, and Snyk) and runtime protection with Falco, RBAC, and Kubernetes pod security.
Why you should read it: It is the most comprehensive hands-on resource available for teams serious about securing their container platforms end-to-end.
Where to get it:
- DockerSecurity.io
- Amazon

Conclusion

The Docker and Kubernetes ecosystem has never had a stronger reading list, to be completely humble! From dark fantasy security guides to hands-on Rust handbooks and front-end containerization primers, Q1 2026 proves that the community is producing more creative, accessible, and production-focused material than ever before.

Stay tuned as more books are coming in Q2. I'm involved in reviewing one of them, so I'm excited for the quarter to come.

Have a book that should be on this list? Leave a comment.

Reflecting on 2025: Author Debut, New Horizons, and Milestones

Mohammad-Ali A'RÂBI — Fri, 02 Jan 2026 17:16:36 +0000

In 2025, I reached a milestone that reshaped my professional trajectory: I published my first book, Docker and Kubernetes Security. What began as a long-term writing project evolved into a broader body of work—spanning technical articles, conference talks, community initiatives, and a narrative-driven security series. The book was later nominated for the Best DevOps Book of 2025 Award, placing it alongside established titles such as The Phoenix Project Graphic Novel and marking a defining moment in my journey as an author and educator.

TL;DR: Numbers, Numbers, Numbers

Here's the year at a glance:

DEV.to articles published: 37 📝
Medium articles published: 31 📝
Of these, 24 were the Container Security Advent Series, available on DEV.to and Medium.
Git Weekly LinkedIn newsletters written: 18 📰
Conference/meetup talks delivered: 4 🎤
Book published: 1 📚
- "Docker and Kubernetes Security" (nominated for Best DevOps Book of 2025 Award) 🏆

Docker and Kubernetes Security: A Milestone Achieved
Black Forest Shadows: Container Security Advent Series
Blog Posts
Conference and Meetup Talks
Docker Meetup Black Forest and Cloud Native Freiburg
LFX Mentorship Program
Podcast Appearances
2026 Goals
Final Thoughts

Docker and Kubernetes Security: A Milestone Achieved

The book took almost two years to write and half a year to publish. Together with the book, I launched DockerSecurity.io.

Get the free sample chapter: DockerSecurity.io/free-chapter
Get an ebook or a signed copy with 40% discount using code YEAR2025: buy.DockerSecurity.io
Locate your Amazon store link: DockerSecurity.io

The website has a blog of its own, with the following articles published in 2025:

Docker and Kubernetes Security - The Best DevOps Book of the Year Finalist - Docker and Kubernetes Security

From supply chain to runtime: build safer images, lock down clusters, instrument logging & audit trails, and stay ahead of emerging threats. Learn from Mohammad-Ali A'râbi's comprehensive guide.

dockersecurity.io

Black Forest Shadows: Container Security Advent Series

In December, I published a 24-day Advent series on container security, titled "Black Forest Shadows." The series was published both on DEV.to and Medium.

The series follows stories of Gord and Jack, among others, as they navigate Black Forest of 1865 and face shadowy monsters called "CVEs". The series combines folklore with practical container security tips that mimic the in-world challenges.
You have met these characters before: on my book's back cover, and in the preface.

Also, I'm compiling the entire Advent series into a book, which will be published in early 2026.

Mohammad-Ali A'RÂBI

Dec 1 '25

Day 1 — Beginning the Security Advent: Defense in Depth (The Red Bear Inn)

#docker #adventofcode #security #kubernetes

Comments

2 min read

Blog Posts

Posts about Docker and container security:

Docker Exercises: Part I: A set of exercises that I prepared for a Docker workshop.
Run GenAI Models Locally with Docker Model Runner: An introduction to Docker Model Runner.
Docker Deep Dive Workshop at WeAreDevelopers: A writeup on the workshop I did in WAD Berlin.
The Largest NPM Supply Chain Attack Ever and How to Defend Against It: About the NPM supply chain attack of September 2025.
I Just Published My Book: Docker and Kubernetes Security: About my book.
Open-Source Docker Book for Hacktoberfest: A new project for Hacktoberfest.
Top 5 Container Security Books in 2026: A curated list of container security books for 2026.
Docker Hardened Images Are Free.

Posts about git:

20 Git Tips for 20 Years of Git: Git Yearly issue of 2025.
Git Submodule Update: How to update your git submodules.
7 Basic Git Commands: Seven git commands everyone should know.
How to Fixup a Commit: How to create a "fixup" commit.

Conference and Meetup Talks

In 2025, I delivered four talks at various conferences and meetups:

Bake a Docker Cake at PlatformCon (June 2025)
Docker Deep Dive Workshop at WeAreDevelopers World Congress in Berlin (July 2025)
5 Docker Commandos at #cTENcf Birthday Bash Freiburg (October 2025)
Node.js Supply Chain Security + dhi at Node.js Meetup #46 in Berlin (November 2025)

Docker Meetup Black Forest and Cloud Native Freiburg

The Docker Meetup Black Forest continued to thrive in 2025, with regular events held at JobRad's campus in Freiburg. We were able to bring together Docker enthusiasts from the region and beyond to share knowledge and experiences. We were honored to welcome the following Docker Captains as speakers:

Timo Stark, traveling to Freiburg from Nuremberg
Jonas Scholz, traveling to Freiburg from Karlsruhe
Lize Raes, traveling to Freiburg from Basel, Switzerland
Julian König, local Docker Captain from Freiburg

In addition, we joined our forces together with DevOps Meetup Freiburg to create the Cloud Native Freiburg group, which is a CNCF Chapter. I also launched Dockburg.com as a community hub for both meetup communities.

LFX Mentorship Program

In 2025, I had the privilege of joining the Linux Foundation's LFX Mentorship Program as a mentor. Here is my mentorship profile. There are three graduated mentees listed under my profile, as well as 24 active mentees.

Podcast Appearances

In 2025, I had the opportunity to appear on a couple of podcasts and live-streams:

The latter appearances were part of the Docker Captains Summit 2025.

2026 Goals

As we enter 2026, I already have three confirmed talks at major conferences:

Dockerize Securely: SBOMs + Attestations + Bake at Jfokus 2026 in Stockholm, Sweden (February 3, 2026)
Java Supply Chain Security with Docker at JCON Europe 2026 in Cologne, Germany (April 20, 2026)
Defense Against the Dark Arts: NPM Attack at EnterJS 2026 in Mannheim, Germany (June 16, 2026)

I'm also working on two articles for JAVAPRO magazine, to be published in early 2026 (print version distributed at JCON Europe 2026).

Apart from these, here are my goals for 2026:

Complete and publish the "Black Forest Shadows" advent series as a book. 📖
Continue to grow the Docker and Kubernetes Security community through meetups and online content. 🌐
Become a CNCF Ambassador. 🤝
Start with my Git Kaizen project, inspired by my Git Weekly series. 🥋

What else should I put on the list? Let me know!

Final Thoughts

Looking back, 2025 was the year I stopped treating writing, speaking, and community work as side projects and started approaching them as a coherent, long-term craft. It clarified where I create the most value: at the intersection of engineering, security, and storytelling. Going into 2026, the focus is no longer on proving that I can ship—but on refining, deepening, and scaling what already works, while staying curious enough to explore new formats and ideas.

Day 24 — Design for Resilience (The Last Stand)

Mohammad-Ali A'RÂBI — Wed, 24 Dec 2025 10:11:00 +0000

As Angra advances, Gord whispers to Rothütle, "You stand here and not there, and that's our victory today."

Then she raises her sword.

YAML gets close to Rothütle, holding his dagger ready.

"You brought a dagger to a sword fight," Rothütle says, smirking.

Then as YAML marches forward, Rothütle swings his sword and cuts off YAML's hand.

"You have a long hand, but you're short-sighted," Rothütle adds, stepping back. "You let Angra creep into your mind too easily."

YAML steps back in pain, clutching his stump.

Jack gets furious, and Gord punches him in the face, knocking him to the ground.

Angra roars, and a dark mist envelops the area. Angra, as a solid shadow, now aflame, comes forward and starts attacking Gord.

Rothütle steps forward, blocking the shadow's strikes with his shield. But Gord stops him.

"Run," she says. "You need to live."

Gord stabs the shadow with her sword, but it gets stuck in the shadow's body.

The shadow stabs Gord back. She stands still.

Jack attacks Rothütle from behind, but something penetrates the air and hits Jack in the shoulder.

The dragon-archer arrives, and Jack looks at the dragon-archer in shock.

"My mission here is complete," Jack says, and flees into the forest.

The shadow starts launching fireballs around.

A fireball heads toward Rothütle, he blocks it with the shield, but a smaller one hits his arms, burning him.

"Run!" the dragon-archer shouts to Rothütle.

"I'll hold them off."

"Don't despair," Gord says weakly, "We have won this day."

Then she stands up, pulls her sword off the shadow, and swings it at the shadow, chopping its head off.

The shadow roars and turns into twelve smaller shadows.

Gord looks at Rothütle, exhausted, as if she's not ready to fight anymore.

Then she nods to the dragon. He grabs Rothütle and flies into the sky.

"No!" Rothütle shouts, looking back at Gord, who is fighting the shadows alone.

As they ascend, Rothütle faints, exhausted from his burns...

Security Tip #24 — Design for Resilience

Not every system can be saved.

When compromise becomes inevitable, sometimes the goal is no longer to win —

it is to ensure that what matters can escape.

Protect identities, backups, and recovery paths.
Accept that some components must be sacrificed.
Prioritize the survival of critical assets.

A secure system isn't the one that never falls.
It's the one that lets the future continue.

The story doesn't end here...

Stay tuned for the book Black Forest Shadow, coming out in February 2025.

Day 23 — Secure By Design (Black Forest Shadow)

Mohammad-Ali A'RÂBI — Tue, 23 Dec 2025 12:58:44 +0000

Gord and Rothütle take Jack to the castle. As they enter the courtyard, YAML emerges from the shadows, holding a small box.

"Looking for this?" he says, handing the box to Gord.

Then the sky grows dark, and a cold wind sweeps through the forest.

A large dark figure starts to materialize in front of them.

"It's Angra," Gord whispers.

"The Architect is free now," Jack says, stepping back.

Then Jack and YAML go and stand beside the dark figure.

"YAML was on my side all along," Angra's voice echoes through the stone walls.

"So your tall friend is not so useless after all," Rothütle mutters.

"Don't bet on it," Gord replies.

"You can't stop me now," Angra continues.

"So Jack was just a distraction," Rothütle says, realizing the truth.

"We were playing into Angra's hands all along."

"So, you have a miner, a useless moving tower, and some shadows that vanish in torchlight," Gord shouts, facing Angra.

"That makes you unstoppable?"

Angra snarls. Jack picks up an axe and YAML draws his dagger.

Tip of the day: Misconfiguration is an attacker's best friend. Secure your systems by design.

Security Tip #23 — Secure by Design

Angra wins not by strength, but by exploiting weaknesses in the defenders' design.

YAML, who was supposed to be the guard, opened the door for the enemy.

It's the same with your YAML configurations and infrastructure as code. If misconfigured, they can open the door to attackers.

Here are some best practices to ensure your systems are secure by design:

Use secure defaults: Start with the most restrictive settings and only open up what is necessary.
Implement the principle of the least privilege: Ensure that users and services have only the permissions they need to perform their tasks.
Pod Security Standards: There are three predefined Pod Security Standards in Kubernetes: Privileged, Baseline, and Restricted. Use the Restricted profile for production workloads to minimize security risks and only allow necessary capabilities.
Drop unnecessary capabilities: Docker containers run with a default set of Linux capabilities. You can drop all capabilities and only add back the ones you need using the cap_drop and cap_add options in your Docker Compose or Kubernetes manifests.

Pod Security Standards Example

apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted

Here, the default namespace is configured to enforce the Baseline Pod Security Standard and audit against the Restricted standard.
This means that any pods created in this namespace must comply with the Baseline standard, and any violations of the Restricted standard will be logged for auditing purposes.

Dropping Unnecessary Capabilities Example

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      capabilities:
        drop: ["ALL"]
        add: ["NET_ADMIN"]

In this example, the Nginx container drops all Linux capabilities and only adds back the NET_ADMIN capability, which is necessary for network administration tasks.

Learn Docker and Kubernetes Security

These two examples were taken from my book Docker and Kubernetes Security, currently 40% off.

Chapter 6 covers securing containers in Kubernetes, including Pod Security Standards and capability management.

🔗 buy.DockerSecurity.io

💬 Code: BLACKFOREST25

👉 To have the story delivered to your inbox every day in December, subscribe to my Medium publications.

Forem: Mohammad-Ali A'RÂBI

Seven Docker Tips Every Engineer Should Know (from Docker Captains)

1. Start New Projects with Docker Init

2. Clean Up Docker Disk Usage Carefully

3. Use Multi-Stage Builds

4. Choose Lightweight, Version-Pinned Base Images

5. Use Docker Scout Quickview

6. Use .dockerignore

7. Limit Container Privileges

Conclusion

My Cloud-Native Journey: Docker, Kubernetes, Security, and Open Source

1. Build a Cloud-Native Community

2. Write the Book (and Tell a Story)

3. Black Forest Commandos: Talks and Workshops

4. Mentor the Next Generation

5. Contribute to the Core

Impact at a Glance

Speaking & Training Engagements

Pillars of Impact

Conclusion: The Path Ahead

Book Review: Operational AI with Docker

Authors

The Book's Final Act: From MCP to KAgent

Final Thoughts

Swiss Jass: Commandos Edition is Now on the Google Play Store

Characters

Gameplay

Conclusion

Generating SBOM with Docker Scout

The Mission: Who Lives in Asgard?

Technical Requirements

Generate the SBOM

Exporting to Standard Formats

Exercise: Comparing Base Images

What's Next?

7 Noob Git Tips

Tip 1. Delete Remote Branch

Tip 2. Rename or Move a File

Tip 3. Rebase When Pulling Master

Tip 4. Git Default Branch

Tip 5. Stash Message

Tip 6. Auto-Stash

Tip 7. Push Default Branch

Securing Asgard: Why I Built a Card Game Suite for Docker Security

What I Built

The Lore: Docker Commandos & Black Forest Shadow

The Games:

Demo

The Tactical Siege

Blackjack with Jack

Asgardian Jass

Code

How I Built It

Prize Category

Dockerizing a Java 26 Project with Docker Init

Technical Requirements

Create a New Project

Run Docker Init

A Note on Java 26 Base Images

Build and Run

Add a Controller

See It Live — Jfokus 2026

More Links

Conclusion

The Docker Commandos

The Complete Docker Read List: Q1 2026 Edition

1️⃣ Black Forest Shadow: A Dark Fantasy Guide to Docker and Kubernetes Security

2️⃣ The Rust Programming Handbook: An End-to-end Guide to Mastering Rust Fundamentals

3️⃣ Docker for Front-end Developers (Featuring React.js)

4️⃣ The Ultimate Docker Container Book (Fourth Edition)

5️⃣ Docker: Das Praxisbuch für Entwickler und DevOps-Teams (5th Edition)

Honorable Mentions from 2025

Learn Docker in a Month of Lunches (Second Edition)

Getting Started with Docker (2025 Edition)

Docker and Kubernetes Security

Conclusion

Reflecting on 2025: Author Debut, New Horizons, and Milestones

TL;DR: Numbers, Numbers, Numbers

Table of Contents

Docker and Kubernetes Security: A Milestone Achieved