Keeping junk out of your image
Remember the . at the end of docker build -t my-image .? That folder is the
build context - everything in it is sent to Docker so it can be copied into the
image. If your project folder contains large or sensitive files, they get sent too,
even if you don't want them.
A .dockerignore file tells Docker which files and folders to leave out. It works
just like a .gitignore file: list patterns, one per line.
A .dockerignore example
Create a file named .dockerignore next to your Dockerfile:
node_modules
vendor
.git
.env
*.log
Now when you build, Docker skips those paths. This matters for three reasons:
-
Smaller and faster builds - you don't send huge folders like
node_modulesorvendorthat will be rebuilt inside the image anyway. - Cleaner images - build artifacts and local junk don't sneak in.
-
Safer images - secret files like
.envdon't accidentally end up baked into your image, where anyone with the image could read them.
A good default .dockerignore
For most projects, ignoring dependency folders, version-control folders, environment files and logs is a sensible start:
.git
.gitignore
node_modules
vendor
.env
*.log
Dockerfile
docker-compose.yml
Adjust it to your stack. Even a small .dockerignore makes your builds noticeably
faster and your images cleaner.
You can now build solid images. But there's a catch we've been ignoring: when a container is removed, its data disappears. The next chapter fixes that with volumes.
The security reason this matters most
Beyond speed, the .dockerignore file has a security payoff people overlook: it keeps
your .env file and other secrets out of the image. Without it, a COPY . . can bake
API keys and passwords straight into the image - and anyone who pulls that image can
read them, even if you later delete the file. Add .env to .dockerignore from day
one; it's the cheapest security win in Docker.
FAQ
What should I put in a .dockerignore file?
Anything that shouldn't be sent to the build: dependency folders (node_modules,
vendor), version control (.git), secrets (.env), logs, and local build artifacts.
Keep the image small and clean.
Is .dockerignore the same as .gitignore?
The syntax is the same and they often overlap, but they serve different tools.
.gitignore controls what Git tracks; .dockerignore controls what gets sent into the
Docker build. You usually want both.
What happens if I don't use a .dockerignore?
Docker sends your entire project folder as the build context, so large folders and secret files can be copied into the image by accident - slower builds, bigger images, and a real risk of leaking credentials.