NemoClaw/.dockerignore
Aaron Erickson 🦞 58365315e5
fix(security): add missing sensitive file patterns to .dockerignore (#1994)
## Summary
- Mirror `.gitignore` security patterns into `.dockerignore` to prevent
sensitive files from being sent to the Docker daemon and permanently
embedded in image layers
- Add exclusions for: `.env.*` variants, `.npmrc`, `*.key`, `*.pem`,
`*.pfx`, `*.p12`, SSH keys (`*_ecdsa`, `*_ed25519`, `*_rsa`), credential
JSON files, `.ssh/`, `secrets/`, and other sensitive patterns

## Why
The `.dockerignore` only excluded `.env` (exact match) and basic build
artifacts. Files matching `.env.local`, `.env.production`, `.npmrc` (npm
registry auth tokens), private keys, certificates, and credential files
could be silently included in the Docker build context. This is
especially impactful for the E2E Dockerfile which does `COPY .
/workspace`, embedding the full repo (minus `.dockerignore` exclusions)
into the image.

Locally-created secrets that match `.gitignore` but not `.dockerignore`
would never be committed to git but could still leak into Docker images.

Related: issue #774, PR #1075 (partial fix that added `.env` but missed
variant patterns).

## What changed
- `.dockerignore` — reorganized into sections (build artifacts, VCS/CI,
OS metadata, security, project-specific); added 30+ sensitive file
patterns mirroring `.gitignore`'s security section

## Test plan
- [x] All pre-commit and pre-push hooks pass
- [ ] `docker build .` still succeeds (`.dockerignore` only excludes
files that should never be in the build context)
- [ ] `touch .env.local && docker build --no-cache . 2>&1 | head` —
verify `.env.local` is NOT sent in build context

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
  * Expanded container ignore rules to omit additional sensitive files and
    credentials, environment variants, build and cache artifacts,
    test/coverage output, OS metadata, and common key/certificate/token
    formats—reducing image size and preventing accidental inclusion of
    secrets.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:18:36 -07:00


# Build artifacts and caches
node_modules
/dist
*.pyc
__pycache__
.pytest_cache
.venv
.ruff_cache
.mypy_cache
*.egg-info
coverage/
# VCS and CI metadata
.git
# OS metadata
.DS_Store
desktop.ini
Thumbs.db
# Security: secrets, credentials, and keys
# Mirror .gitignore security patterns to prevent sensitive files from
# being sent to the Docker daemon and permanently baked into image layers.
.env
.env.*
.envrc
.npmrc
.netrc
.pypirc
.direnv/
.ssh/
secrets/
.credentials
*.key
*.pem
*.pfx
*.p12
*.jks
*.keystore
*.tfvars
*_ecdsa
*_ed25519
*_rsa
credentials.json
key.json
secrets.json
secrets.yaml
service-account*.json
token.json
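Review bot: the file patterns in the security section (`*.key`, `*.pem`, `*.pfx`, `*.p12`, `*.jks`, `*.keystore`, `*.tfvars`, `*_ecdsa`, `*_ed25519`, `*_rsa`, `credentials.json`, `key.json`, `secrets.json`, `secrets.yaml`, `service-account*.json`, `token.json`) and the directory patterns (`.ssh/`, `secrets/`, `.direnv/`, `node_modules`) are anchored at the build-context root in `.dockerignore`, which is not how the `.gitignore` patterns they mirror behave. Docker matches with Go `filepath.Match` semantics, where `*` never crosses a `/`, so `*.key` excludes `server.key` but still sends `certs/server.key`, and `.ssh/` excludes only a top-level `.ssh` directory. Since the E2E Dockerfile does `COPY . /workspace`, a key or credential file sitting in any subdirectory still reaches the daemon and the image. Suggest prefixing every pattern that should apply at any depth with `**/` (for example `**/*.key`, `**/*.pem`, `**/credentials.json`, `**/.ssh/`, `**/secrets/`, `**/node_modules`), and leaving `/dist` as is, since its leading slash already says "root only".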
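To see what the patterns above actually keep out of the build context, the following Python, added here as an example and not code from the NemoClaw repository, reimplements the rules Docker applies to `.dockerignore` (the moby `patternmatcher` semantics: Go `filepath.Match` syntax plus `**`, every pattern anchored at the context root, a match on any parent directory excluding the whole subtree, and last-match-wins so `!` exceptions work). It runs a constructed subset of the file above against constructed paths, then runs a `harden()` rewrite of the same file, which is this example's own suggestion: patterns written in `.gitignore` style (no slash, meaning "any depth") get the `**/` prefix Docker needs for that meaning, while `/dist` keeps its root-only meaning. Only the standard library is used.

```python
"""Which paths does a .dockerignore really keep out of the build context?

Reimplements Docker's matching (moby/patternmatcher): Go filepath.Match
syntax plus '**', patterns anchored at the context root, a match on any
parent directory excludes the subtree, last matching pattern wins.
"""
import posixpath
import re

# Constructed for this example: a subset of the .dockerignore above.
DOCKERIGNORE = """\
# Build artifacts
node_modules
/dist
.git
# Security: secrets, credentials, and keys
.env
.env.*
.ssh/
secrets/
*.key
*.pem
*_rsa
credentials.json
service-account*.json
"""

# Constructed paths, relative to the build-context root.
SAMPLE_PATHS = [
    ".env", ".env.local", "config/.env.local",
    "server.key", "certs/server.key", ".ssh/id_rsa", "deploy/.ssh/id_rsa",
    "secrets/db.yaml", "packages/api/credentials.json",
    "packages/api/node_modules/index.js", "dist/bundle.js",
    "packages/dist/bundle.js", "src/main.py",
]


def parse_dockerignore(text):
    """Return (cleaned_pattern, is_exception) pairs, cleaned as Docker does."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        exception = line.startswith("!")
        if exception:
            line = line[1:].strip()
        # filepath.Clean drops './', trailing '/' and doubled slashes; Docker
        # then strips a leading '/', so "/dist" and "dist" both mean <root>/dist.
        line = posixpath.normpath(line)
        if len(line) > 1 and line.startswith("/"):
            line = line[1:]
        patterns.append((line, exception))
    return patterns


def pattern_to_regex(pattern):
    """Anchored regex as moby builds it: '*' and '?' never cross '/', '**' may."""
    regex, i, n = "^", 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "*":
            if i + 1 < n and pattern[i + 1] == "*":
                i += 2
                if i < n and pattern[i] == "/":  # '**/' swallows the slash
                    i += 1
                regex += ".*" if i >= n else "(.*/)?"
                continue
            regex += "[^/]*"
        elif ch == "?":
            regex += "[^/]"
        elif ch in "[]^-":
            regex += ch  # Go character classes pass straight through
        else:
            regex += re.escape(ch)
        i += 1
    return re.compile(regex + "$")


def is_excluded(path, compiled):
    """MatchesOrParentMatches: the path or any parent dir may match; the last
    matching pattern decides, so a '!' exception re-includes a path."""
    parts = path.split("/")
    candidates = [path] + ["/".join(parts[:i]) for i in range(1, len(parts))]
    matched = False
    for regex, exception in compiled:
        if exception != matched:  # exceptions only undo an earlier exclusion
            continue
        if any(regex.match(c) for c in candidates):
            matched = not exception
    return matched


def excluded_paths(text, paths):
    """Map each path to True if this .dockerignore keeps it out of the context."""
    compiled = [(pattern_to_regex(p), e) for p, e in parse_dockerignore(text)]
    return {p: is_excluded(p, compiled) for p in paths}


def harden(text):
    """Prefix slash-free patterns with '**/' so they match at any depth, as the
    mirrored .gitignore patterns do; patterns with a slash (including a
    leading '/' meaning root-only) are left unchanged."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        exception = line.startswith("!")
        body = line[1:].strip() if exception else line
        if "/" not in body.rstrip("/") and not body.startswith("**"):
            body = "**/" + body
        out.append(("!" if exception else "") + body)
    return "\n".join(out)


if __name__ == "__main__":
    before = excluded_paths(DOCKERIGNORE, SAMPLE_PATHS)
    after = excluded_paths(harden(DOCKERIGNORE), SAMPLE_PATHS)
    for p in SAMPLE_PATHS:
        print(f"{p:36} as written: {'excluded' if before[p] else 'SENT':8} "
              f"with **/: {'excluded' if after[p] else 'SENT'}")
```

Run as a script it prints one line per path; `certs/server.key`, `config/.env.local`, `deploy/.ssh/id_rsa` and `packages/api/credentials.json` all show as sent under the file as written and as excluded once the `**/` prefix is applied, while `/dist` keeps excluding only the top-level `dist`. To confirm against a real daemon rather than this reimplementation, build a throwaway image from the repository root whose Dockerfile does `COPY . /ctx` followed by `RUN find /ctx` and read the build log: that listing is exactly what the daemon received.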