From 36a4bf5dc96812d5761e7b416d8d23261c7bab6b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 15 May 2026 20:06:10 +0000 Subject: [PATCH 1/2] Initial plan From c2a4b495b000598db074d9d5ad8eb2c049c7a8c2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 15 May 2026 20:09:06 +0000 Subject: [PATCH 2/2] security: tighten Docker build contexts and .dockerignore rules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix apps/marketing-site/Dockerfile line 6: replace glob `COPY package.json package-lock.json* ./` with explicit `COPY package.json package-lock.json ./` (resolves docker:S6470) - Expand apps/marketing-site/.dockerignore to exclude secrets, private keys, .sops.yaml, .git, test tooling, dev config files, and OS artefacts. Existing entries reorganised with comments. - Expand services/core-api/.dockerignore to exclude secrets, private keys, .sops.yaml, .git, test projects, test results, coverage outputs, solution metadata, and OS artefacts. Build contexts confirmed from docker-compose.yml: marketing-site → ./apps/marketing-site core-api → ./services/core-api Both .dockerignore files sit at their effective build context roots. Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/b1673847-1861-4418-8ff7-da30504ff961 Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com> --- apps/marketing-site/.dockerignore | 49 ++++++++++++++++++++++++++----- apps/marketing-site/Dockerfile | 2 +- services/core-api/.dockerignore | 34 +++++++++++++++++++++ 3 files changed, 77 insertions(+), 8 deletions(-) diff --git a/apps/marketing-site/.dockerignore b/apps/marketing-site/.dockerignore index 8db4e394..0ac4a4ec 100644 --- a/apps/marketing-site/.dockerignore +++ b/apps/marketing-site/.dockerignore 
@@ -1,8 +1,43 @@ -node_modules -dist -.astro -.git +# Dependencies and build outputs +node_modules/ +dist/ +.astro/ +build/ +coverage/ + +# Version control +.git/ +.gitignore + +# Environment and secrets +.env +.env.* +*.pem +*.key +*.p12 +*.pfx +*.crt +*.csr +*.agekey +secrets/ +.sops.yaml + +# Development and test tooling (not needed at build time) +tests/ +playwright-report/ +test-results/ +playwright.config.ts +vitest.config.ts +eslint.config.js +.prettierrc +.trivyignore +nginx.conf + +# Documentation *.md -.env* -playwright-report -test-results + +# OS and editor artefacts +.DS_Store +*.suo +*.user +Thumbs.db diff --git a/apps/marketing-site/Dockerfile b/apps/marketing-site/Dockerfile index cb66d1cd..7e23e0a2 100644 --- a/apps/marketing-site/Dockerfile +++ b/apps/marketing-site/Dockerfile @@ -3,7 +3,7 @@ FROM node:26-alpine@sha256:e71ac5e964b9201072425d59d2e876359efa25dc96bb1768cb73295728d6e4ea AS builder WORKDIR /app -COPY package.json package-lock.json* ./ +COPY package.json package-lock.json ./ RUN npm ci --ignore-scripts COPY . . diff --git a/services/core-api/.dockerignore b/services/core-api/.dockerignore index 59672943..55983bbe 100644 --- a/services/core-api/.dockerignore +++ b/services/core-api/.dockerignore @@ -1,2 +1,36 @@ +# Build outputs **/bin/ **/obj/ +**/TestResults/ +**/coverage/ + +# Test projects (not needed for production build) +tests/ + +# Version control +.git/ +.gitignore + +# Environment and secrets +.env +.env.* +*.pem +*.key +*.p12 +*.pfx +*.crt +*.csr +*.agekey +secrets/ +.sops.yaml + +# Documentation and solution metadata +*.md +*.slnx + +# OS and editor artefacts +.DS_Store +*.suo +*.user +*.DotSettings.user +Thumbs.db
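Review bot: the new secret-file patterns in the "Environment and secrets" block of apps/marketing-site/.dockerignore (`*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.agekey`, `.env.*`) only match at the root of the build context: .dockerignore uses Go filepath.Match semantics and a pattern without a leading `**/` is not applied recursively, so a `certs/server.key` or `src/config/.env.local` is still pulled in by the Dockerfile's `COPY . .`. Write them as `**/*.key`, `**/*.pem`, `**/.env.*` (the form the core-api file already uses for `**/bin/`) so the exclusion is tree-wide. Two other new entries need a check rather than a change: `nginx.conf` is filed under "not needed at build time", but the Dockerfile is multi-stage (`AS builder`) and if a later stage COPYs `nginx.conf` into the runtime image the build now fails at that COPY; and `*.crt` also drops any CA bundle the build might need to install. Finally, `.env` plus `.env.*` covers slightly less than the old `.env*` (e.g. `.envrc`), which is probably intended, but an Astro build that reads `PUBLIC_*` values from a `.env` file at build time will no longer see it, and those values then have to arrive via `--build-arg` or a `--mount=type=secret`.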
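Review bot: removing the `*` from `COPY package.json package-lock.json* ./` in apps/marketing-site/Dockerfile is the right fix, because `npm ci` refuses to run without a lockfile anyway; the glob only turned a missing lockfile into a less obvious failure one step later, whereas the build now fails at the COPY with a clear file-not-found. The only precondition is that `package-lock.json` is committed and not matched by the expanded .dockerignore (it is not, as written). Keep `--ignore-scripts`: it blocks lifecycle scripts from installed packages, which is the supply-chain point of pinning the base image by digest, but be aware that any dependency relying on a postinstall build (native add-ons) will then need an explicit build step. The unchanged `COPY . .` that follows is what the .dockerignore edits actually gate, so treat the two files as one change: anything the build still needs from the dropped entries shows up here either as a missing file at COPY time or as a quietly different artefact.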
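Review bot: in services/core-api/.dockerignore, excluding `tests/` and `*.slnx` is only safe if the Dockerfile restores and publishes a specific `.csproj`; if it runs `dotnet restore` or `dotnet publish` against the solution, the solution file is no longer in the context, and even if `*.slnx` were kept the solution references the test projects that `tests/` now removes, so restore fails with missing-project errors. Verify the Dockerfile's restore target before merging, and keep these two entries only when the project file is that target. The same root-only caveat applies to the secret patterns here as in the marketing-site file: `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.agekey` and `.env.*` match only at the context root, while the existing `**/bin/` and `**/obj/` entries already show the recursive form; use `**/*.key` and so on so a key under a project subdirectory is excluded as well. Also note that `*.crt` will remove any CA certificate the image build may need to trust during restore.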