Fix security scan issues and harden docker-compose

Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
Mondo Diaz
2026-01-13 22:40:51 +00:00
parent d6644e9039
commit 4ec91b46ed
5 changed files with 56 additions and 4 deletions

.gitleaksignore Normal file

@@ -0,0 +1,6 @@
# Gitleaks ignore file
# https://github.com/gitleaks/gitleaks#gitleaksignore
# False positive: s3_key is an attribute name, not a secret
35fda65d381acc5ab59bc592ee3013f75906c197:backend/tests/unit/test_storage.py:generic-api-key:381
08dce6cbb836b687002751fed4159bfc2da61f8b:backend/tests/unit/test_storage.py:generic-api-key:381
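Review bot: The two fingerprint lines tie the s3_key false positive to specific commits (35fda65d… and 08dce6cb…), both at line 381 of backend/tests/unit/test_storage.py, so any later commit that touches that line will raise the same finding under a new fingerprint, and with allow_failure removed from the secrets job in this same change that will block the pipeline until another entry is appended here. If the attribute name is expected to stay in the test file, a more durable option is an allowlist entry in a gitleaks config (`[allowlist]` with a `regexes` or `paths` rule scoped to this test file) so the exception follows the content rather than the commit. The explanatory comment on why this is not a secret is useful; keep it next to whichever mechanism is chosen.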