Fix security scan issues and harden docker-compose
Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
@@ -13,8 +13,7 @@ kics:
hadolint:
allow_failure: true
secrets:
allow_failure: true
# secrets job is a blocking check - real credential leaks should fail the pipeline
# Run Python tests
python_tests:
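Review bot: the `hadolint:` job still carries `allow_failure: true` while `secrets:` has it removed; since this commit also fixes the Hadolint findings, consider dropping `allow_failure: true` from `hadolint:` as well so that Dockerfile lint regressions block the pipeline the same way the comment `# secrets job is a blocking check` now makes credential leaks blocking. Otherwise the two security gates behave inconsistently and the Hadolint fixes can silently regress.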
@@ -25,7 +24,7 @@ python_tests:
- pip install pytest pytest-asyncio httpx
script:
- cd backend
- python -m pytest -v || echo "No tests yet"
- python -m pytest -v
# Deploy to stage (main branch)
deploy_stage:
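Review bot: dropping the `|| echo "No tests yet"` fallback from `python -m pytest -v` means the job now fails not only on failing tests but also when pytest collects no tests at all (pytest exits with status 5 in that case); the removed message suggests `backend` may currently have none, so confirm a test exists or the `python_tests` stage will fail on the next run. Separately, the unchanged `pip install pytest pytest-asyncio httpx` line is unpinned, which is the same class of reproducibility issue the Hadolint DL3008 apt-pin finding flags in the Dockerfile; pinning these versions would keep the test job deterministic.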