fix(HMS-3914): harden dockerfile

Add a policy to ignore by default from .dockerignore file.
As .git is not copied, the printing out the last commit is
made from the container-build rule. For internal CI/CD we
can track the repository related state by the image tag which is
the short hash of the repository.

Add specific ignore at the end of .dockerignore on prevention
of future changes.

Credits on: insights-rbac contributors

Signed-off-by: Alejandro Visiedo <[email protected]>

.dockerignore

@@ -1,18 +1,23 @@
-.DS_Store
-.cicd_bootstrap.sh
-secrets
-.venv
-bin
-tmp.*/**
-**/__debug_bin
+# Ignore by default
+**
 
-*.log
-
-configs
+# Add exceptions
+!api
+!cmd
+!go.mod
+!go.sum
+!internal
+!Makefile
+!tools
+tools/bin
+!scripts/mk
+!scripts/db/migrations
 !configs/config.example.yaml
 
-# File generated when running unit tests
-coverage.out
+# NOTE DO NOT ADD CHANGES AFTER THIS LINE
+
+# Specific ignore
+.docker
+.podman
+.kube
 
-# NOTE: .git directory is not listed here. `go build` needs the full `.git`
-# directory to include VCS information in go binaries.

build/package/Dockerfile

@@ -8,7 +8,6 @@ ENV OPENSSL_FORCE_FIPS_MODE=1
 WORKDIR /go/src/app
 COPY . .
 USER 0
-RUN git log -1
 RUN make get-deps build
 
 

scripts/mk/container.mk

@@ -49,6 +49,7 @@ registry-login:
 .PHONY: container-build
 container-build: QUAY_EXPIRATION ?= never
 container-build:  ## Build image CONTAINER_IMAGE from CONTAINERFILE using the CONTAINER_CONTEXT_DIR
+	[ ! -e "$(PROJECT_DIR)/.git" ] || git --no-pager log -n 1
 	$(USE_GO_CACHE) && mkdir -p $(shell go env GOCACHE) $(shell go env GOMODCACHE) || true
 	$(CONTAINER_ENGINE) build \
 	  --label "quay.expires-after=$(QUAY_EXPIRATION)" \