Missing .dockerignore — secrets and .git copied into Docker image

## Bug

**File:** `Dockerfile` (line 8: \`COPY . .\`)

There is no \`.dockerignore\` file. \`COPY . .\` copies everything into the image including:
- \`.git/\` (full repo history, potentially with secrets in commits)
- \`.env\` (environment variables with secrets)
- \`config.json\` (may contain JWT secrets, webhook tokens)
- \`data/\` and \`*.db\` (user data)
- \`test/\`, \`extension/\`, \`docs/\` (unnecessary in production)

Additionally, the container **runs as root** (no \`USER\` directive).

## Impact

- Secrets baked into Docker image layers — anyone with image access can extract them
- Running as root increases blast radius if a code execution vulnerability is exploited

## Suggested Fix

Create a \`.dockerignore\`:
\`\`\`
.git
.env
config.json
data/
*.db
test/
dashboard/node_modules/
extension/
docs/
*.zip
\`\`\`

Add a non-root user to the Dockerfile:
\`\`\`dockerfile
RUN addgroup -S clawmark && adduser -S clawmark -G clawmark
RUN chown -R clawmark:clawmark /app /data
USER clawmark
\`\`\`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing .dockerignore — secrets and .git copied into Docker image #249

Bug

Impact

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Missing .dockerignore — secrets and .git copied into Docker image #249

Description

Bug

Impact

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions