Use .dockerignore to prevent leaking secrets

One Paragraph Explainer

The Docker build command copies the local files into the build context environment over a virtual network. Be careful - development and CI folders contain secrets like .npmrc, .aws, .env files and other sensitive files. Consequently, Docker images might hold secrets and expose them in unsafe territories (e.g. Docker repository, partners servers). In a better world the Dockerfile should be explicit about what is being copied. On top of this include a .dockerignore file that acts as the last safety net that filters out unnecessary folders and potential secrets. Doing so also boosts the build speed - By leaving out common development folders that have no use in production (e.g. .git, test results, IDE configuration), the builder can better utilize the cache and achieve better performance

Code Example – A good default .dockerignore for Node.js

.dockerignore

**/node_modules/
**/.git
**/README.md
**/LICENSE
**/.vscode
**/npm-debug.log
**/coverage
**/.env
**/.editorconfig
**/.aws
**/dist

Code Example Anti-Pattern – Recursive copy of all files

Dockerfile

FROM node:12-slim AS build

WORKDIR /usr/src/app
# The next line copies everything
COPY . .

# The rest comes here

One Paragraph Explainer​

Code Example – A good default .dockerignore for Node.js​

Code Example Anti-Pattern – Recursive copy of all files​

One Paragraph Explainer

Code Example – A good default .dockerignore for Node.js

Code Example Anti-Pattern – Recursive copy of all files