From 2bfee40acb06b82a21a87888a2157be9e981f6e5 Mon Sep 17 00:00:00 2001
From: Cesar Mendivil
Date: Tue, 17 Mar 2026 21:06:32 -0700
Subject: [PATCH] fix: update Dockerfile with security notes and build context guidelines

---
 Dockerfile.whip-test | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Dockerfile.whip-test b/Dockerfile.whip-test
index dececa21..5d46d007 100644
--- a/Dockerfile.whip-test
+++ b/Dockerfile.whip-test
@@ -12,7 +12,10 @@ COPY go.mod go.sum ./
 COPY vendor/ ./vendor/
 
 # Now copy source and build. This layer rebuilds on any .go file change.
+# Do NOT include local configuration or secret files in the build context.
+# Ensure your .dockerignore excludes config files (e.g. config.json, v1.json, .env).
 COPY . .
+# If you need build-time secrets, use BuildKit secrets and `RUN --mount=type=secret,...`.
 RUN make release && make import && make ffmigrate
 
 FROM $FFMPEG_IMAGE
@@ -31,7 +34,11 @@ ENV CORE_DB_DIR=/core/config
 ENV CORE_WHIP_ENABLE=true
 ENV CORE_WHIP_ADDRESS=:8555
 ENV CORE_WHIP_RTSP_ADDRESS=:8554
-ENV CORE_API_AUTH_ENABLE=false
+# Security note: do not hardcode sensitive configuration or secrets in the image.
+# Set runtime flags and secrets when launching the container instead, for example:
+# docker run -e CORE_API_AUTH_ENABLE=false ...
+# The following env is intentionally left unset in the image to avoid baking config:
+# ENV CORE_API_AUTH_ENABLE=false
 ENV CORE_RTMP_ENABLE=true
 ENV CORE_SRT_ENABLE=true
 ENV CORE_PLAYOUT_ENABLE=true
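Review bot: The new comments above `COPY . .` document a control the change does not enforce: nothing in this patch adds or updates `.dockerignore`, so a missing or incomplete ignore list still copies `config.json`, `v1.json` and `.env` from the context into the build stage's layers (and its build cache), comment or not. Either ship the `.dockerignore` entries in the same change, or replace `COPY . .` with explicit source paths so the exclusion does not depend on a separate file being maintained. The `RUN --mount=type=secret` hint only works under BuildKit (older engines also need the `# syntax=docker/dockerfile:1` directive); the top of the file is outside this hunk, so I cannot tell whether that is in place — I would state it in the comment, e.g. `# (requires BuildKit; add '# syntax=docker/dockerfile:1' as the first line if it is not there)`.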
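Review bot: The example in the new security note, `docker run -e CORE_API_AUTH_ENABLE=false ...`, shows operators how to disable API authentication, which is the opposite of what a security note should model; if an example is needed, use a variable that does not weaken security and state explicitly that auth stays enabled unless overridden. Whether auth is actually on after this change depends on the application's default when `CORE_API_AUTH_ENABLE` is unset, which the hunk does not show — if the default is already off, removing the `ENV` line changes nothing and the note is misleading, so that default should be checked and named in the comment. Runtime `-e` values are also visible via `docker inspect` and to every process in the container, so for real secrets the comment should point at a mounted file or the orchestrator's secret store rather than environment variables. The trailing commented-out `# ENV CORE_API_AUTH_ENABLE=false` invites someone to uncomment it; I would drop that line and keep the one-sentence rationale.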