- CMDs cannot take build args
- Use ‘sharing=locking’ for Go caches
- Use multi-stage builds
- Use scratch or alpine or distroless as the final image
- Run as nonroot
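
The five points above combined in one Dockerfile, as an added example that is not from the original page. The ./cmd/app package path, the main.version variable, the VERSION build arg and the --listen flag are assumptions; in BuildKit's cache-mount syntax the option value is written sharing=locked.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Assumed: package ./cmd/app, variable main.version,
# build arg VERSION, runtime flag --listen.

# ---- build stage: full Go toolchain, never shipped ----
FROM golang:1.22 AS build
WORKDIR /src

# A build arg is visible to the build steps of this stage only.
ARG VERSION=dev

# Fetch modules first so this layer is reused until go.mod/go.sum change.
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \
    go mod download

COPY . .
# Cache mounts persist across builds. sharing=locked makes a concurrent
# build wait for the mount instead of writing to it at the same time.
RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \
    --mount=type=cache,target=/root/.cache/go-build,sharing=locked \
    CGO_ENABLED=0 go build -trimpath \
      -ldflags="-s -w -X main.version=${VERSION}" \
      -o /out/app ./cmd/app

# ---- final stage: static binary only, no shell, no package manager ----
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app

# Numeric UID:GID of the distroless "nonroot" user, so an orchestrator
# can verify the container is not root without resolving a user name.
USER 65532:65532

# The build arg no longer exists when CMD runs, and exec-form CMD is not
# shell-expanded, so "$VERSION" here would stay a literal string.
# VERSION was baked into the binary at build time via -ldflags instead.
ENTRYPOINT ["/app"]
CMD ["--listen=:8080"]
```

Build with `docker build --build-arg VERSION=1.2.3 -t app .`; if a value must be readable at run time rather than compiled in, copy it into an ENV in the final stage.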