---
issue: 075
title: "Backend: .dockerignore whitelists .env.development into production image"
severity: high
domain: Security
labels: [security, backend, secrets, ci-cd]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: .dockerignore whitelists .env.development into production image

**Severity:** high
**Domain:** Security
**Labels:** security, backend, secrets, ci-cd

## Description

`backend/.dockerignore:14` contains `!.env.development`, which negates the preceding `.env*` ignore rule. Because the last matching rule wins, `.env.development` (which holds live secrets) is copied into every production Docker image. Anyone who can pull the image or inspect its layers can read the credentials.

## Options

1. Remove the `!.env.development` whitelist so no env file is copied into images.
2. Use a dedicated `.env.production` injected at runtime only.
3. Both: strip env files from the image and inject secrets via runtime environment variables.

## Recommendation

Remove the whitelist and never copy env files into images; inject secrets at runtime. Pair this with rotating the leaked secrets (see ISSUE-074) and fixing the backend config so it does not load `.env.development` unconditionally (see ISSUE-101).

## Affected Files

- `backend/.dockerignore:14`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-50
- [[ISSUE-074-backend-env-development-committed-with-live-telegram-and-smtp-s|ISSUE-074]]
- [[ISSUE-101-backend-config-loads-env-development-unconditionally|ISSUE-101]]
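The following added example (not part of this issue or the project's tooling) models how `docker build` evaluates `.dockerignore`, so the negation described above and the fix from option 1 can be checked in CI without building an image. It also shows that a root-level `.env*` rule does not cover nested env files, which is why the hardened rule set uses `**/.env*`. The sample file list and rule strings are constructed; directory-prefix exclusion (a matched directory hiding its children) is deliberately not modelled.

```python
# Added example, not the project's tooling: simplified .dockerignore evaluation
# (rules apply in order, last match wins, '!' re-includes an excluded path).
import re

def _to_regex(pattern: str) -> re.Pattern:
    # Approximates Go filepath.Match as Docker uses it: '*' and '?' never
    # cross '/', and a '**' segment spans any number of directories.
    segs = pattern.strip("/").split("/")
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == "**":
            out.append(".*" if last else "(?:.*/)?")
            continue
        body = "".join("[^/]*" if c == "*" else "[^/]" if c == "?"
                       else re.escape(c) for c in seg)
        out.append(body if last else body + "/")
    return re.compile("^" + "".join(out) + "$")

def build_context(rules_text: str, paths: list[str]) -> list[str]:
    """Return the paths that `docker build` would send to the daemon."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        rules.append((negate, _to_regex(line[1:] if negate else line)))
    kept = []
    for path in paths:
        excluded = False
        for negate, regex in rules:
            if regex.match(path):
                excluded = not negate  # last matching rule wins
        if not excluded:
            kept.append(path)
    return kept

def env_files_in_context(rules_text: str, paths: list[str]) -> list[str]:
    """CI gate: any .env* file that reaches the build context is a leak."""
    return [p for p in build_context(rules_text, paths)
            if p.rsplit("/", 1)[-1].startswith(".env")]

# Constructed sample paths and rule sets; the real backend/.dockerignore is
# not reproduced here, only the negation the audit describes.
SAMPLE_FILES = ["Dockerfile", "src/app.py", ".env", ".env.development",
                ".env.production", "config/.env.local"]
VULNERABLE_RULES = ".env*\n!.env.development\n"  # whitelist re-includes it
FIXED_RULES = "**/.env*\n"                       # no env file at any depth
```

Running `env_files_in_context` against the repository's real file list in a pre-build CI step fails the pipeline before a secret can reach an image layer.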