nick-doc/Issues/ISSUE-075-backend-dockerignore-whitelists-env-development-into-prod-image.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 075 | Backend: .dockerignore whitelists .env.development into production image | high | Security | security, backend, secrets, ci-cd | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Backend: .dockerignore whitelists .env.development into production image

Severity: high Domain: Security Labels: security, backend, secrets, ci-cd

Description

backend/.dockerignore:14 contains !.env.development, which negates the .env* ignore rule and causes .env.development (with live secrets) to be copied into every production Docker image. Any container pull or image inspection exposes the credentials.

Options

  1. Remove the !.env.development whitelist so no env file is copied into images.
  2. Use a dedicated .env.production injected at runtime only.
  3. Both: strip env files from image and inject secrets via runtime env.

Recommendation

Remove the whitelist and never copy env files into images; inject secrets at runtime. Pair with rotating the leaked secrets (see ISSUE-074) and fixing backend config to not load .env.development unconditionally (see ISSUE-101).
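The following is an added example, not code from the audit or the backend repo. It models how Docker evaluates .dockerignore patterns (rules applied in file order, a pattern matching the path or any parent directory, last match wins, a leading ! re-including the file) so the Description's failure mode and the Recommendation's fix can be checked without a Docker daemon. The two .dockerignore texts and the build-context file list are constructed samples; only the .env* rule followed by !.env.development is taken from the issue. The whitelisted_env_rules check is a hypothetical CI guard, not something the project ships.

```python
import re


def _to_regex(pattern: str) -> re.Pattern:
    """Translate a .dockerignore glob into a regex over the context-relative path.
    ** spans directories, * and ? stop at a slash (Go filepath.Match style)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            if i < len(pattern) and pattern[i] == "/":  # "**/x" also matches "x" at root
                i += 1
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_dockerignore(text: str):
    """Return ordered (negated, pattern, regex) rules; blank lines and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:].strip()
        line = line.strip("/")
        rules.append((negated, line, _to_regex(line)))
    return rules


def is_excluded(path: str, rules) -> bool:
    """Docker semantics: walk every rule in order; a rule that matches the path or
    one of its parent directories sets the verdict, so the last matching rule wins."""
    parts = path.split("/")
    candidates = ["/".join(parts[:n]) for n in range(len(parts), 0, -1)]
    excluded = False
    for negated, _, rx in rules:
        if any(rx.match(c) for c in candidates):
            excluded = not negated
    return excluded


def files_in_image(context_files, rules):
    """Files the build would send to the daemon (and a COPY . . would bake into the image)."""
    return sorted(p for p in context_files if not is_excluded(p, rules))


def leaked_env_files(context_files, rules):
    """Dotenv files that survive the ignore rules and end up in the image."""
    return [p for p in files_in_image(context_files, rules) if p.split("/")[-1].startswith(".env")]


def whitelisted_env_rules(text: str):
    """Hypothetical CI guard: flag negation lines that re-include a dotenv file, with line numbers."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("!"):
            pat = line[1:].strip().strip("/")
            if pat.split("/")[-1].startswith(".env"):
                hits.append((n, line))
    return hits


# Constructed samples: the negation on the last line mirrors the finding in backend/.dockerignore.
BEFORE = "node_modules\n.git\n.env*\n!.env.development\n"
# Fix from the Recommendation: the whitelist is simply removed, so no env file reaches the image.
AFTER = "node_modules\n.git\n.env*\n"
CONTEXT = [".env", ".env.development", ".env.production",
           "src/index.js", "package.json", "node_modules/x/index.js"]

if __name__ == "__main__":
    print("before:", leaked_env_files(CONTEXT, parse_dockerignore(BEFORE)))  # ['.env.development']
    print("after: ", leaked_env_files(CONTEXT, parse_dockerignore(AFTER)))   # []
    print("guard: ", whitelisted_env_rules(BEFORE))                            # [(4, '!.env.development')]
```

The guard only catches the negation pattern; it does not replace rotating the credentials already baked into published images, which is why the Recommendation pairs this fix with ISSUE-074.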

Affected Files

  • backend/.dockerignore:14

References