From 3753f180305c1d1da206534912f3e149277acbe1 Mon Sep 17 00:00:00 2001
From: Rob Hudson
Date: Tue, 11 Mar 2025 08:51:39 -0700
Subject: [PATCH] Be more explicit with COPY
---
 Dockerfile | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c7ed7d48..06bfbe40 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ RUN python3 -m venv $POETRY_HOME && \
 $POETRY_HOME/bin/poetry --version
 WORKDIR $PYSETUP_PATH
-COPY ./poetry.lock ./pyproject.toml ./
+COPY poetry.lock pyproject.toml .
 RUN $POETRY_HOME/bin/poetry install --no-root --only main
 FROM python:3.12.7-slim AS production
@@ -39,7 +39,19 @@ RUN groupadd --gid $groupid app && \
 USER app
 WORKDIR /app
-COPY --chown=app:app . .
+# Copy only what is necessary to reduce image size and security risks
+# FILES
+COPY --chown=app:app \
+ alembic.ini \
+ asgi.py \
+ pyproject.toml \
+ version.json \
+ /app/
+# DIRECTORIES
+COPY --chown=app:app bin /app/bin
+COPY --chown=app:app ctms /app/ctms
+COPY --chown=app:app migrations /app/migrations
+COPY --chown=app:app suppression-list /app/suppression-list
 EXPOSE $PORT
 CMD ["python", "asgi.py"]
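Review bot: The new destination `.` in the first hunk drops the trailing slash that the old `./` had. Docker's COPY reference says that with more than one source the destination must be a directory and end with `/`, and hadolint reports this form as DL3021. BuildKit accepts a bare `.` in practice, but keeping `COPY poetry.lock pyproject.toml ./` avoids relying on that and matches the `/app/` destination used in the production stage.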
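Review bot: The four directory copies in the second hunk (`bin`, `ctms`, `migrations`, `suppression-list`) are still recursive, so the allowlist only narrows the top level of the build context. Anything beneath those directories, such as bytecode caches or a stray local env file, still lands in the image. Whether a `.dockerignore` covers this is not visible in the patch; if it does, the comment could say so, e.g. `# DIRECTORIES (copied recursively; .dockerignore excludes caches and local config)`. Separately, `--chown=app:app` leaves the application code writable by the runtime user. If nothing writes under /app at runtime, dropping it (`COPY ctms /app/ctms`) keeps the code root-owned, so a compromised process cannot modify it.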