# Docker Infrastructure Audit Findings

**Applies when:** implementing any Docker fixes, setting up CI/CD, preparing for production deployment, or reviewing PRs that touch Dockerfiles or compose files.

- Backend `.dockerignore` is missing `.env` exclusion -- security risk for future `COPY . .` changes.
- Backend `.gitignore` is missing `.env` exclusion -- latent secret leak risk.
- MinIO image is unpinned (`minio/minio` with no tag) -- all others are pinned.
- No resource limits on any service. Remotion needs 4GB+ for Chromium/FFmpeg renders.
- Health checks exist only on `db` and `redis`. Missing on `minio`, `api`, `worker`, `remotion`.
- API health check requires a `GET /api/health/` endpoint (may not exist yet -- needs backend team).
- No restart policies on any service.
- Both Dockerfiles run as root -- non-root user should be added to `prod` stages (dev stage has bind-mount permission complications).
- `build-essential` is in the `base` stage, bloating the prod image by ~200MB. Move to `deps` stage only.
- Remotion Dockerfile missing BuildKit apt cache mounts (backend has them, remotion does not).
- Environment variables duplicated between `api` and `worker` (14 identical vars) -- use `x-backend-env` YAML anchor.
- Worker is missing `JWT_SECRET_KEY` that API has.
- No CI/CD pipeline exists at all -- zero automation.
- No frontend Dockerfile -- needs `output: 'standalone'` in next.config.mjs first.
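The compose-level findings above (pinned MinIO tag, health checks, restart policies, a memory limit for `remotion`, the shared `x-backend-env` anchor and `JWT_SECRET_KEY` on the worker) applied together, as an added example rather than the project's own compose file. Assumptions: the backend lives under `./backend` and listens on port 8000, the images ship `curl` and `mc`, and the three variables in the anchor stand in for the 14 shared ones, which are not listed in the findings.

```yaml
# Added example compose fragment; service names match the audit, paths/ports are assumed.
x-backend-env: &backend-env
  DATABASE_URL: ${DATABASE_URL}      # placeholder for the real shared vars
  REDIS_URL: ${REDIS_URL}
  MINIO_ENDPOINT: ${MINIO_ENDPOINT}
  # remaining shared variables go here once, not in both api and worker

services:
  minio:
    image: minio/minio:RELEASE.YYYY-MM-DDThh-mm-ssZ   # placeholder: pin the exact tag you tested
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]   # assumes the image ships the mc client
      interval: 10s
      timeout: 5s
      retries: 5

  api:
    build:
      context: ./backend     # assumed path
      target: prod
    restart: unless-stopped
    environment:
      <<: *backend-env       # YAML merge of the shared block
      JWT_SECRET_KEY: ${JWT_SECRET_KEY}
    depends_on:
      db: { condition: service_healthy }
      redis: { condition: service_healthy }
      minio: { condition: service_healthy }
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/api/health/"]  # endpoint from the audit
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 20s

  worker:
    build:
      context: ./backend
      target: prod
    restart: unless-stopped
    environment:
      <<: *backend-env
      JWT_SECRET_KEY: ${JWT_SECRET_KEY}   # previously present on api only
    depends_on:
      db: { condition: service_healthy }
      redis: { condition: service_healthy }

  remotion:
    build: ./remotion        # assumed path
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 4g         # Chromium/FFmpeg renders need 4GB+
```

Run `docker compose config` to confirm the anchor expands into both `api` and `worker` and that the `depends_on` conditions resolve against services that now define health checks.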