fix: replace COPY . . with explicit directory copies in Dockerfile

T-DevH · T-DevH · commit 1300ec345f46 · 2025-11-24T13:08:26.000-08:00
- Replace insecure COPY . . with explicit COPY src/ and COPY data/config/
- Prevents copying sensitive files (.env, secrets, git, tests, docs)
- Addresses CWE-668 and CWE-497 security vulnerabilities
- Maintains .dockerignore as defense-in-depth measure
diff --git a/Dockerfile b/Dockerfile
@@ -66,10 +66,12 @@ RUN apt-get update && apt-get install -y \
 COPY --from=backend-deps /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
 COPY --from=backend-deps /usr/local/bin /usr/local/bin
 
-# Copy application code
-# Security: .dockerignore ensures sensitive files (.env, secrets, git, etc.) are excluded
-# Only files not in .dockerignore will be copied to the container
-COPY . .
+# Copy application code (explicitly copy only necessary directories)
+# Security: Explicitly copy only required source code to prevent sensitive data exposure
+# .dockerignore provides additional protection as a defense-in-depth measure
+COPY src/ ./src/
+# Copy guardrails configuration (required for NeMo Guardrails)
+COPY data/config/guardrails/ ./data/config/guardrails/
 
 # Build arguments for version injection
 ARG VERSION=0.0.0
