Fix security scan issues and harden docker-compose

Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (failing tests should now fail the pipeline)
Mondo Diaz
2026-01-13 22:40:51 +00:00
parent 35d29bba75
commit 1a7fb3e5ba
5 changed files with 56 additions and 4 deletions


@@ -13,8 +13,7 @@ kics:
hadolint: hadolint:
allow_failure: true allow_failure: true
secrets: # secrets job is a blocking check - real credential leaks should fail the pipeline
allow_failure: true
# Run Python tests # Run Python tests
python_tests: python_tests:
@@ -25,7 +24,7 @@ python_tests:
- pip install pytest pytest-asyncio httpx - pip install pytest pytest-asyncio httpx
script: script:
- cd backend - cd backend
- python -m pytest -v || echo "No tests yet" - python -m pytest -v
# Deploy to stage (main branch) # Deploy to stage (main branch)
deploy_stage: deploy_stage:
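Review bot: With the `|| echo "No tests yet"` fallback gone, the job result is pytest's own exit status, and pytest exits 5 (not 0) when it collects zero tests, so an empty or mis-located test tree under `backend` now fails the stage exactly like a genuine failure. That matches the description, but it is worth recording next to the script line so nobody re-adds the fallback: `# pytest exit 5 (no tests collected) is deliberately a failure here`. The `python_tests` job starts above the hunk; the `secrets` job in the first hunk becomes blocking in the same commit, and it stays green only because of the commit-scoped fingerprints in `.gitleaksignore`, so the two changes are coupled.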

6
.gitleaksignore Normal file

@@ -0,0 +1,6 @@
# Gitleaks ignore file
# https://github.com/gitleaks/gitleaks#gitleaksignore
# False positive: s3_key is an attribute name, not a secret
35fda65d381acc5ab59bc592ee3013f75906c197:backend/tests/unit/test_storage.py:generic-api-key:381
08dce6cbb836b687002751fed4159bfc2da61f8b:backend/tests/unit/test_storage.py:generic-api-key:381
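Review bot: These `.gitleaksignore` entries are commit-scoped fingerprints (commit:file:rule:line), so the next commit that moves the `s3_key` line in `backend/tests/unit/test_storage.py`, or any rebase that rewrites those two hashes, produces a new fingerprint and the now-blocking secrets job fails again on the same false positive. A `# gitleaks:allow` annotation on the flagged line, or a rule-level allowlist for the attribute name in the gitleaks config, survives history rewrites. If the fingerprint approach is kept on purpose, say so in the header comment: `# fingerprints are per-commit; re-add an entry when the line moves`.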


@@ -22,9 +22,10 @@ RUN npm run build
FROM containers.global.bsf.tools/python:3.12-slim FROM containers.global.bsf.tools/python:3.12-slim
# Disable proxy cache # Disable proxy cache
RUN echo 'Acquire::http::Pipeline-Depth 0;\nAcquire::http::No-Cache true;\nAcquire::BrokenProxy true;\n' > /etc/apt/apt.conf.d/99fixbadproxy RUN printf 'Acquire::http::Pipeline-Depth 0;\nAcquire::http::No-Cache true;\nAcquire::BrokenProxy true;\n' > /etc/apt/apt.conf.d/99fixbadproxy
# Install system dependencies # Install system dependencies
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
curl \ curl \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
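Review bot: `# hadolint ignore=DL3008` silences the unpinned-package finding rather than resolving it; the `apt-get install` below still takes whatever `curl` the current `python:3.12-slim` snapshot serves, so the image is not reproducible and a base-image refresh can change the binary without any change to this file. If pinning is impractical because Debian drops superseded versions from the mirrors, the ignore should carry that reason so it is not read as an oversight, e.g. `# hadolint ignore=DL3008 -- curl left unpinned on purpose: Debian removes superseded versions, so a pin breaks rebuilds`. The `printf` change on the apt.conf line is correct, since `printf` interprets `\n` portably where `echo` does not; just note that `%` in the format string is also interpreted if that line is ever extended.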


@@ -42,6 +42,10 @@ services:
timeout: 3s timeout: 3s
start_period: 10s start_period: 10s
retries: 3 retries: 3
security_opt:
- no-new-privileges:true
mem_limit: 1g
cpus: 1.0
postgres: postgres:
image: postgres:16-alpine image: postgres:16-alpine
@@ -62,6 +66,10 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
mem_limit: 512m
cpus: 0.5
minio: minio:
image: minio/minio:latest image: minio/minio:latest
@@ -82,6 +90,10 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
mem_limit: 512m
cpus: 0.5
minio-init: minio-init:
image: minio/mc:latest image: minio/mc:latest
@@ -97,6 +109,10 @@ services:
" "
networks: networks:
- orchard-network - orchard-network
security_opt:
- no-new-privileges:true
mem_limit: 128m
cpus: 0.25
redis: redis:
image: redis:7-alpine image: redis:7-alpine
@@ -113,6 +129,10 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
mem_limit: 256m
cpus: 0.25
volumes: volumes:
postgres-data-local: postgres-data-local:
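Review bot: `no-new-privileges:true` only blocks setuid and file-capability escalation; each service here still starts with Docker's default capability set and whatever user its image selects, so the hardening is a partial step and the same gap exists in every hunk of the second compose file. Where the service allows it, pair it with `cap_drop: [ALL]` (re-adding only what a service needs) and `read_only: true` plus `tmpfs` for writable paths, at least on `orchard-server` and the one-shot `minio-init`. Separately, `mem_limit` and `cpus` are the legacy service-level keys: current `docker compose` honours them, but a `docker stack deploy` ignores them in favour of `deploy.resources.limits`, so either migrate or leave a comment that the file is for the standalone CLI only, e.g. `# mem_limit/cpus are honoured by docker compose, not by swarm deploy`.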


@@ -34,6 +34,16 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
interval: 30s
timeout: 3s
start_period: 10s
retries: 3
security_opt:
- no-new-privileges:true
mem_limit: 1g
cpus: 1.0
postgres: postgres:
image: containers.global.bsf.tools/postgres:16-alpine image: containers.global.bsf.tools/postgres:16-alpine
@@ -54,6 +64,10 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
mem_limit: 512m
cpus: 0.5
minio: minio:
image: containers.global.bsf.tools/minio/minio:latest image: containers.global.bsf.tools/minio/minio:latest
@@ -74,6 +88,10 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
mem_limit: 512m
cpus: 0.5
minio-init: minio-init:
image: containers.global.bsf.tools/minio/mc:latest image: containers.global.bsf.tools/minio/mc:latest
@@ -89,6 +107,10 @@ services:
" "
networks: networks:
- orchard-network - orchard-network
security_opt:
- no-new-privileges:true
mem_limit: 128m
cpus: 0.25
redis: redis:
image: containers.global.bsf.tools/redis:7-alpine image: containers.global.bsf.tools/redis:7-alpine
@@ -105,6 +127,10 @@ services:
networks: networks:
- orchard-network - orchard-network
restart: unless-stopped restart: unless-stopped
security_opt:
- no-new-privileges:true
mem_limit: 256m
cpus: 0.25
volumes: volumes:
postgres-data: postgres-data:
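Review bot: The new `orchard-server` healthcheck runs `curl` inside the container, which works only because the Dockerfile in this same commit apt-installs `curl`; if that layer is ever dropped for a slimmer base, the probe exits 127 and the service is reported unhealthy with no obvious cause in the compose file itself. A one-line comment above `healthcheck:` makes the cross-file dependency visible, e.g. `# requires curl in the image (installed in the Dockerfile)`. Adding `-sS` to the curl call (`"curl", "-fsS", ...`) keeps progress output out of the recorded probe log while still surfacing errors, and the values mirror the healthcheck already present in the local compose file, so keep the two in sync when either changes.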