Show the full pipeline: "CI builds with BuildKit, runs tests in the image, scans with Trivy, tags with the git SHA, and pushes to ECR. Deployment pulls the specific SHA tag — never latest — and rolls out with health checks."
Pipeline stages: build the image (docker build with build args for version/commit), run tests inside a container (docker run with the test command, or docker compose for integration tests), scan for vulnerabilities, tag with the version and commit SHA, push to a registry (Docker Hub, ECR, GCR, GHCR), and deploy (pull and restart, or update the orchestrator). Best practices: use BuildKit for parallel builds and cache mounts, cache layers between CI runs (--cache-from), use immutable tags (never overwrite latest in production), and sign images. Strong candidates discuss: multi-platform builds with buildx, registry authentication in CI, image promotion between environments (dev → staging → prod tags), and how the CI job reaches a Docker daemon (Docker-in-Docker, a nested daemon inside the job, versus Docker-out-of-Docker, the host daemon's socket mounted into the job).
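The build/test/scan/push stages above as one CI script, added here as an illustration rather than taken from any project. The registry address, application name, `npm test` as the test command and the `buildcache` tag are assumptions; the helper functions compute and validate the SHA tag and are what a reviewer would check first.

```shell
#!/usr/bin/env bash
# Added example: CI pipeline that builds with BuildKit, tests in the image,
# scans with Trivy, tags with the git SHA and pushes only that immutable tag.
set -eu

# Assumed values (placeholders, not from any real account or project).
REGISTRY="${REGISTRY:-000000000000.dkr.ecr.us-east-1.amazonaws.com/myapp}"
TEST_CMD="${TEST_CMD:-npm test}"   # assumed test entrypoint inside the image

# Compose the immutable reference: <repo>:sha-<first 12 hex chars of commit>.
image_ref() {
  repo="$1"; sha="$2"
  printf '%s:sha-%.12s\n' "$repo" "$sha"
}

# Deployments must pin a SHA tag; mutable names (latest, branch names) are rejected.
check_immutable_tag() {
  case "$1" in
    sha-[0-9a-f]*) return 0 ;;
    *)             return 1 ;;
  esac
}

pipeline() {
  sha="$(git rev-parse HEAD)"
  ref="$(image_ref "$REGISTRY" "$sha")"
  check_immutable_tag "${ref##*:}"   # set -e aborts the job on a mutable tag

  # 1. Build with BuildKit, baking version/commit in via build args and
  #    reusing layers cached by a previous CI run.
  DOCKER_BUILDKIT=1 docker build \
    --build-arg GIT_SHA="$sha" --build-arg VERSION="${VERSION:-0.0.0}" \
    --cache-from "$REGISTRY:buildcache" \
    -t "$ref" .

  # 2. Run the test suite inside the freshly built image; non-zero exit fails the job.
  docker run --rm "$ref" sh -c "$TEST_CMD"

  # 3. Fail on HIGH/CRITICAL findings before anything reaches the registry.
  trivy image --exit-code 1 --severity HIGH,CRITICAL "$ref"

  # 4. Push the SHA tag only; 'latest' is never written for production.
  docker push "$ref"
  echo "$ref"   # deployment consumes this exact reference
}

# Run only when explicitly requested so the functions can be sourced in tests.
if [ "${RUN_PIPELINE:-0}" = 1 ]; then pipeline; fi
```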
Senior DevOps question. Candidates who build and push without testing or scanning are shipping unvalidated images. Those who understand layer caching in CI, immutable tags, and image promotion have production-grade pipelines.