fix(sonarcloud): Dockerfile docker:S6504 security hotspots

Fixes the following SonarCloud security hotspots in Dockerfile:

"Make sure no write permissions are assigned to the copied resource.
Allowing non-root users to modify resources copied to an image is
security-sensitive" i.e. SonarCloud rule docker:S6504 i.e.
https://rules.sonarsource.com/docker/RSPEC-6504/

Also:
 - Update `.dockerignore` file to be more general
 - Add comments to `Dockerfile` related to SonarCloud security hotspot
   docker:S6470 i.e. "Recursively copying context directories is
   security-sensitive" https://rules.sonarsource.com/docker/RSPEC-6470/

refs KK-1417

.dockerignore

@@ -1,11 +1,59 @@
-node_modules
-Dockerfile*
-docker-compose*
-compose.*
-.dockerignore
-.git
-.gitignore
-README.md
-LICENSE
-.vscode
-build
+# Using "**/" prefix to make ignores work in root and in subdirectories at any level.
+#
+# From https://docs.docker.com/build/concepts/context/#dockerignore-files
+# "Docker also supports a special wildcard string ** that matches any
+# number of directories (including zero). For example, **/*.go excludes
+# all files that end with .go found anywhere in the build context."
+#
+# NOTE:
+# You can add an exception for a specific file by prefixing the line with an !
+# if you need to include a file that would otherwise be ignored.
+
+# Environment variable files
+**/*.env
+**/*.env.example
+**/.env
+**/.env.*
+
+# Certificate/keystore/key files
+**/*.ca-bundle
+**/*.cer
+**/*.cert
+**/*.crt
+**/*.jks
+**/*.key
+**/*.keystore
+**/*.p7b
+**/*.p7c
+**/*.p7s
+**/*.p12
+**/*.pem
+**/*.pfx
+**/*.ppk
+**/*.pvk
+
+# Build files
+**/build
+**/dist
+**/target
+
+# Miscellaneous
+**/*.lock
+**/*.log
+**/*.temp
+**/*.tmp
+**/.DS_Store
+**/.git
+**/.gitignore
+**/.idea
+**/.pytest_cache
+**/.ruff_cache
+**/.ssh
+**/.venv
+**/.vscode
+**/__pycache__
+**/compose.*
+**/node_modules
+**/temp
+**/tmp
+**/venv

Dockerfile

@@ -7,44 +7,41 @@ WORKDIR /app
 
 RUN mkdir /entrypoint
 
-COPY --chown=default:root requirements.txt /app/requirements.txt
-COPY --chown=default:root requirements-prod.txt /app/requirements-prod.txt
+# chmod=755 = rwxr-xr-x i.e. owner can read, write and execute, group and others can read and execute.
+#
+# Related to SonarCloud security hotspot docker:S6470 i.e.
+# "Recursively copying context directories is security-sensitive" i.e.
+# https://rules.sonarsource.com/docker/RSPEC-6470/
+# see .dockerignore for info on what is not copied here:
+COPY --chown=root:root --chmod=755 . /app/
 
 RUN yum update -y && yum install -y \
     nc \
     && pip install -U pip \
     && pip install --no-cache-dir -r /app/requirements.txt \
     && pip install --no-cache-dir  -r /app/requirements-prod.txt
 
-COPY --chown=default:root docker-entrypoint.sh /entrypoint/docker-entrypoint.sh
+# fatal: detected dubious ownership in repository at '/app'
+RUN git config --system --add safe.directory /app
+
+COPY --chown=root:root --chmod=755 docker-entrypoint.sh /entrypoint/docker-entrypoint.sh
 ENTRYPOINT ["/entrypoint/docker-entrypoint.sh"]
 
 # ==============================
 FROM appbase AS development
 # ==============================
 
-COPY --chown=default:root requirements-dev.txt /app/requirements-dev.txt
 RUN pip install --no-cache-dir -r /app/requirements-dev.txt
 
 ENV DEV_SERVER=1
 
-COPY --chown=default:root . /app/
-
-# fatal: detected dubious ownership in repository at '/app'
-RUN git config --system --add safe.directory /app
-
 USER default
 EXPOSE 8081/tcp
 
 # ==============================
 FROM appbase AS production
 # ==============================
 
-COPY --chown=default:root . /app/
-
-# fatal: detected dubious ownership in repository at '/app'
-RUN git config --system --add safe.directory /app
-
 RUN SECRET_KEY="only-used-for-collectstatic" KUKKUU_HASHID_SALT="only-used-for-collectstatic" python manage.py collectstatic
 
 USER default