From ae9404d4cee6a3b926baa9c40017d82ab6567f36 Mon Sep 17 00:00:00 2001 From: Tejas Kashinath Date: Fri, 20 Feb 2026 11:05:36 -0500 Subject: [PATCH] fix: add .env and .git exclusions to dockerignore template Without these exclusions, docker build silently includes .env files (which typically contain credentials/API keys) and .git/ history in the container image. If pushed to a registry, secrets are exposed. --- src/assets/container/python/dockerignore.template | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/assets/container/python/dockerignore.template b/src/assets/container/python/dockerignore.template index 630d90a0..a0c4eb65 100644 --- a/src/assets/container/python/dockerignore.template +++ b/src/assets/container/python/dockerignore.template @@ -15,6 +15,13 @@ build/ .coverage htmlcov/ +# Secrets and environment files +.env +.env.* + +# Version control +.git/ + # AgentCore build artifacts .agentcore/artifacts/ *.zip
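Review bot: the new `.env`, `.env.*` and `.git/` entries only match at the root of the build context, because .dockerignore patterns are anchored to the context root rather than matched at any depth as in .gitignore. A credentials file in a subdirectory (for example `src/.env`) or a nested `.git` directory would still be copied into the image. Suggest `**/.env`, `**/.env.*` and `**/.git` so the exclusions hold at every level. Also note that `.env.*` excludes files such as `.env.example`; if the template's users are expected to ship a sample file, add a negation line such as `!.env.example` after it, or say in the comment that the exclusion is intentional.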