fix(HMS-3914): harden dockerfile

Add a policy to ignore by default from .dockerignore file.

Add specific ignore at the end of .dockerignore on prevention
of future changes.

Specifically copy only the necessary files and directories.

Credits on: insights-rbac contributors

Signed-off-by: Alejandro Visiedo <[email protected]>
Co-authored-by: Christian Heimes <[email protected]>
Signed-off-by: Alejandro Visiedo <[email protected]>

.dockerignore

@@ -1,18 +1,24 @@
-.DS_Store
-.cicd_bootstrap.sh
-secrets
-.venv
-bin
-tmp.*/**
-**/__debug_bin
+# Ignore by default
+**
 
-*.log
-
-configs
+# Add exceptions
+!api
+!cmd
+!go.mod
+!go.sum
+!internal
+!Makefile
+!tools
+tools/bin
+!scripts/mk
+!scripts/db/migrations
 !configs/config.example.yaml
+!.git
+
+# NOTE DO NOT ADD CHANGES AFTER THIS LINE
 
-# File generated when running unit tests
-coverage.out
+# Specific ignore
+.docker
+.podman
+.kube
 
-# NOTE: .git directory is not listed here. `go build` needs the full `.git`
-# directory to include VCS information in go binaries.

build/package/Dockerfile

@@ -6,7 +6,14 @@ LABEL idmsvc-backend=builder
 # https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant
 ENV OPENSSL_FORCE_FIPS_MODE=1
 WORKDIR /go/src/app
-COPY . .
+COPY Makefile go.mod go.sum .
+COPY api api
+COPY cmd cmd
+COPY internal internal
+COPY scripts/mk scripts/mk
+COPY tools tools
+COPY .git .git
+
 USER 0
 RUN git log -1
 RUN make get-deps build