Fix security scan issues and harden docker-compose

Hadolint fixes: - Use printf instead of echo for escape sequences - Add hadolint ignore for apt pin version (DL3008) KICS fixes (docker-compose): - Add security_opt: no-new-privileges to all services - Add mem_limit and cpus to prevent resource exhaustion - Add healthcheck to orchard-server in docker-compose.yml Gitleaks: - Add .gitleaksignore for false positive (s3_key attribute name) - Remove allow_failure from secrets job (now blocking) Also: - Remove || echo fallback from python_tests (tests should fail pipeline)
2026-01-13 22:40:51 +00:00
parent d6644e9039
commit 4ec91b46ed
5 changed files with 56 additions and 4 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,8 +13,7 @@ kics:
 hadolint:
  allow_failure: true

-secrets:
-  allow_failure: true
+# secrets job is a blocking check - real credential leaks should fail the pipeline

 # Run Python tests
 python_tests:
@@ -25,7 +24,7 @@ python_tests:
    - pip install pytest pytest-asyncio httpx
  script:
    - cd backend
-    - python -m pytest -v || echo "No tests yet"
+    - python -m pytest -v

 # Deploy to stage (main branch)
 deploy_stage:
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -0,0 +1,6 @@
+# Gitleaks ignore file
+# https://github.com/gitleaks/gitleaks#gitleaksignore
+
+# False positive: s3_key is an attribute name, not a secret
+35fda65d381acc5ab59bc592ee3013f75906c197:backend/tests/unit/test_storage.py:generic-api-key:381
+08dce6cbb836b687002751fed4159bfc2da61f8b:backend/tests/unit/test_storage.py:generic-api-key:381
--- a/3
+++ b/3
@@ -22,9 +22,10 @@ RUN npm run build
 FROM containers.global.bsf.tools/python:3.12-slim

 # Disable proxy cache
-RUN echo 'Acquire::http::Pipeline-Depth 0;\nAcquire::http::No-Cache true;\nAcquire::BrokenProxy true;\n' > /etc/apt/apt.conf.d/99fixbadproxy
+RUN printf 'Acquire::http::Pipeline-Depth 0;\nAcquire::http::No-Cache true;\nAcquire::BrokenProxy true;\n' > /etc/apt/apt.conf.d/99fixbadproxy

 # Install system dependencies
+# hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    && rm -rf /var/lib/apt/lists/*
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -42,6 +42,10 @@ services:
      timeout: 3s
      start_period: 10s
      retries: 3
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 1g
+    cpus: 1.0

  postgres:
    image: postgres:16-alpine
@@ -62,6 +66,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5

  minio:
    image: minio/minio:latest
@@ -82,6 +90,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5

  minio-init:
    image: minio/mc:latest
@@ -97,6 +109,10 @@ services:
      "
    networks:
      - orchard-network
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 128m
+    cpus: 0.25

  redis:
    image: redis:7-alpine
@@ -113,6 +129,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 256m
+    cpus: 0.25

 volumes:
  postgres-data-local:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -34,6 +34,16 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 3s
+      start_period: 10s
+      retries: 3
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 1g
+    cpus: 1.0

  postgres:
    image: containers.global.bsf.tools/postgres:16-alpine
@@ -54,6 +64,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5

  minio:
    image: containers.global.bsf.tools/minio/minio:latest
@@ -74,6 +88,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5

  minio-init:
    image: containers.global.bsf.tools/minio/mc:latest
@@ -89,6 +107,10 @@ services:
      "
    networks:
      - orchard-network
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 128m
+    cpus: 0.25

  redis:
    image: containers.global.bsf.tools/redis:7-alpine
@@ -105,6 +127,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 256m
+    cpus: 0.25

 volumes:
  postgres-data: