Fix security scan issues and harden docker-compose

Hadolint fixes: - Use printf instead of echo for escape sequences - Add hadolint ignore for apt pin version (DL3008) KICS fixes (docker-compose): - Add security_opt: no-new-privileges to all services - Add mem_limit and cpus to prevent resource exhaustion - Add healthcheck to orchard-server in docker-compose.yml Gitleaks: - Add .gitleaksignore for false positive (s3_key attribute name) - Remove allow_failure from secrets job (now blocking) Also: - Remove || echo fallback from python_tests (tests should fail pipeline)
2026-01-13 22:40:51 +00:00
parent d6644e9039
commit 4ec91b46ed
5 changed files with 56 additions and 4 deletions
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -42,6 +42,10 @@ services:
      timeout: 3s
      start_period: 10s
      retries: 3
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 1g
+    cpus: 1.0

  postgres:
    image: postgres:16-alpine
@@ -62,6 +66,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5

  minio:
    image: minio/minio:latest
@@ -82,6 +90,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5

  minio-init:
    image: minio/mc:latest
@@ -97,6 +109,10 @@ services:
      "
    networks:
      - orchard-network
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 128m
+    cpus: 0.25

  redis:
    image: redis:7-alpine
@@ -113,6 +129,10 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 256m
+    cpus: 0.25

 volumes:
  postgres-data-local: