mirror of
https://github.com/NVIDIA/NemoClaw.git
synced 2026-07-03 03:37:16 +00:00
## Summary

- Mirror `.gitignore` security patterns into `.dockerignore` to prevent sensitive files from being sent to the Docker daemon and permanently embedded in image layers
- Add exclusions for: `.env.*` variants, `.npmrc`, `*.key`, `*.pem`, `*.pfx`, `*.p12`, SSH keys (`*_ecdsa`, `*_ed25519`, `*_rsa`), credential JSON files, `.ssh/`, `secrets/`, and other sensitive patterns

## Why

The `.dockerignore` only excluded `.env` (exact match) and basic build artifacts. Files matching `.env.local`, `.env.production`, `.npmrc` (npm registry auth tokens), private keys, certificates, and credential files could be silently included in the Docker build context.

This is especially impactful for the E2E Dockerfile which does `COPY . /workspace`, embedding the full repo (minus `.dockerignore` exclusions) into the image. Locally-created secrets that match `.gitignore` but not `.dockerignore` would never be committed to git but could still leak into Docker images.

Related: issue #774, PR #1075 (partial fix that added `.env` but missed variant patterns).

## What changed

- `.dockerignore` — reorganized into sections (build artifacts, VCS/CI, OS metadata, security, project-specific); added 30+ sensitive file patterns mirroring `.gitignore`'s security section

## Test plan

- [x] All pre-commit and pre-push hooks pass
- [ ] `docker build .` still succeeds (`.dockerignore` only excludes files that should never be in the build context)
- [ ] `touch .env.local && docker build --no-cache . 2>&1 | head` — verify `.env.local` is NOT sent in build context

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Chores**
  * Expanded container ignore rules to omit additional sensitive files and credentials, environment variants, build and cache artifacts, test/coverage output, OS metadata, and common key/certificate/token formats—reducing image size and preventing accidental inclusion of secrets.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
49 lines
632 B
Text
```
# Build artifacts and caches
node_modules
/dist
*.pyc
__pycache__
.pytest_cache
.venv
.ruff_cache
.mypy_cache
*.egg-info
coverage/

# VCS and CI metadata
.git

# OS metadata
.DS_Store
desktop.ini
Thumbs.db

# Security: secrets, credentials, and keys
# Mirror .gitignore security patterns to prevent sensitive files from
# being sent to the Docker daemon and permanently baked into image layers.
.env
.env.*
.envrc
.npmrc
.netrc
.pypirc
.direnv/
.ssh/
secrets/
.credentials
*.key
*.pem
*.pfx
*.p12
*.jks
*.keystore
*.tfvars
*_ecdsa
*_ed25519
*_rsa
credentials.json
key.json
secrets.json
secrets.yaml
service-account*.json
token.json
```