Bake a Docker Cake

Docker has evolved far beyond simple containerization. In this talk, Mohammad-Ali A'rabi presents 10 hidden or lesser-known Docker commands and workflows that improve development, security, supply chain visibility, and local AI experimentation.

The session covers vulnerability scanning, Software Bill of Materials (SBOMs), signed images and attestations, debugging workflows, and running local AI models through Docker.

The 10 Commands and Workflows

1. docker bake / docker buildx bake: Manages complex image builds with HCL or JSON configuration, variables, targets, and repeatable build definitions.
2. docker init: Generates project-specific Docker starter files, including a Dockerfile, docker-compose.yaml, .dockerignore, and README.
3. Ask Gordon / docker ai: Lets users ask Docker-related questions from the CLI and can also run as an MCP server for LLM-based Docker assistance.
4. docker scout: Scans container images for vulnerabilities and gives remediation recommendations for CVEs.
5. docker debug: Starts a debugging sidecar with tools such as vim, so running or stopped containers can be inspected without bloating the original image.
6. docker sbom: Generates a Software Bill of Materials that lists packages, dependencies, and licenses inside a container image.
7. Build-time SBOM attestations: Uses Buildx flags such as --sbom=true to generate SBOMs during the build, including build-stage dependencies that may not exist in the final runtime image.
8. Signing Docker images: Uses cosign to sign images, prove integrity, and show that an image has not been tampered with.
9. Signing SBOM attestations: Uses cosign to sign exported SBOM files or attestations and push them to a registry alongside the image.
10. docker model runner / docker model run: Runs LLMs locally through Docker, supporting interactive chat and local AI application development.