remotion_service/.claude/agents-memory/devops-engineer/2026-03-24-docker-audit-findings.md
Last modified: 2026-04-06 01:44:58 +03:00
# Docker Infrastructure Audit Findings

Applies when: implementing any Docker fixes, setting up CI/CD, preparing for production deployment, or reviewing PRs that touch Dockerfiles or compose files.

- Backend `.dockerignore` is missing an `.env` exclusion; security risk, since a future `COPY . .` would copy the file into the image.
- Backend `.gitignore` is missing an `.env` exclusion; latent risk of committing secrets.
- MinIO image is unpinned (`minio/minio` with no tag); all other images are pinned.
- No resource limits on any service. Remotion needs 4GB+ for Chromium/FFmpeg renders.
- Health checks exist only on `db` and `redis`; missing on `minio`, `api`, `worker`, `remotion`.
- API health check requires a `GET /api/health/` endpoint (may not exist yet; needs the backend team).
- No restart policies on any service.
- Both Dockerfiles run as root; a non-root user should be added to the prod stages (the dev stage has bind-mount permission complications).
- `build-essential` is in the base stage, bloating the prod image by ~200MB. Move it to the deps stage only.
- Remotion Dockerfile is missing BuildKit apt cache mounts (the backend Dockerfile has them, remotion does not).
- Environment variables are duplicated between `api` and `worker` (14 identical vars); use an `x-backend-env` YAML anchor.
- `worker` is missing `JWT_SECRET_KEY`, which `api` has.
- No CI/CD pipeline exists at all; zero automation.
- No frontend Dockerfile; needs `output: 'standalone'` in `next.config.mjs` first.
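As an added example (not the project's own compose file) of how the compose-level findings above fit together: one `x-backend-env` anchor shared by `api` and `worker` (so `JWT_SECRET_KEY` cannot drift between them), a pinned MinIO tag, health checks, restart policies and memory limits. Service build contexts, ports, the placeholder URLs and the MinIO release tag are assumptions.

```yaml
# Added example, not the project's compose file. Build contexts, ports, the
# placeholder DB/Redis URLs and the MinIO tag are assumed.
x-backend-env: &backend-env            # single definition shared by api and worker
  DATABASE_URL: postgres://app:app@db:5432/app     # constructed placeholder
  REDIS_URL: redis://redis:6379/0                  # constructed placeholder
  MINIO_ENDPOINT: http://minio:9000
  JWT_SECRET_KEY: ${JWT_SECRET_KEY:?JWT_SECRET_KEY must be set}  # worker inherits it too

x-restart: &restart unless-stopped

services:
  minio:
    image: minio/minio:RELEASE.YYYY-MM-DDTHH-MM-SSZ   # PLACEHOLDER: pin to a real release tag
    restart: *restart
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]   # mc is bundled in recent minio images
      interval: 30s
      timeout: 10s
      retries: 5
    deploy:
      resources:
        limits: { memory: 1g }

  api:
    build: { context: ./backend, target: prod }   # assumed multi-stage target name
    environment: *backend-env
    restart: *restart
    depends_on:
      db: { condition: service_healthy }
      redis: { condition: service_healthy }
      minio: { condition: service_healthy }
    healthcheck:
      # assumes the API listens on 8000 and the backend team ships GET /api/health/
      test: ["CMD", "curl", "-f", "http://localhost:8000/api/health/"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 20s
    deploy:
      resources:
        limits: { memory: 1g, cpus: "1.0" }

  worker:
    build: { context: ./backend, target: prod }
    environment:
      <<: *backend-env                 # inherit the shared vars, then add worker-only ones
      WORKER_CONCURRENCY: "2"          # assumed worker-specific setting
    restart: *restart
    deploy:
      resources:
        limits: { memory: 2g, cpus: "2.0" }

  remotion:
    build: { context: ./remotion_service, target: prod }
    restart: *restart
    deploy:
      resources:
        limits: { memory: 4g, cpus: "2.0" }   # Chromium/FFmpeg renders need 4GB+
```

`docker compose config` renders the merged result, which is a quick way to confirm that `worker` now carries `JWT_SECRET_KEY` and that no image is left without a tag.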