Replace project cards with sortable data table on Home page

kics.config

@@ -23,3 +23,29 @@ exclude-queries:
   # Reason: We intentionally don't pin curl version to get security updates.
   # This is documented with hadolint ignore comment in Dockerfile.
   - 965a08d7-ef86-4f14-8792-4a3b2098937e
+
+  # Container Capabilities Unrestricted (MEDIUM)
+  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images require
+  # certain capabilities (SETUID, SETGID, CHOWN) to switch users at startup.
+  # cap_drop: ALL breaks these containers. Production Kubernetes deployments
+  # use securityContext with appropriate settings.
+  - ce76b7d0-9e77-464d-b86f-c5c48e03e22d
+
+  # No New Privileges Not Set (HIGH)
+  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images need
+  # to escalate privileges during initialization (e.g., postgres switches from
+  # root to postgres user). no-new-privileges:true prevents this and causes
+  # containers to crash. Production Kubernetes deployments handle this via
+  # securityContext.
+  - 27fcc7d6-c49b-46e0-98f1-6c082a6a2750
+
+  # Security Opt Not Set (MEDIUM)
+  # Reason: LOCAL DEVELOPMENT ONLY. Related to above - security_opt is not set
+  # on database services because no-new-privileges breaks them.
+  - 610e266e-6c12-4bca-9925-1ed0cd29742b
+
+  # Container Traffic Not Bound To Host Interface (MEDIUM)
+  # Reason: LOCAL DEVELOPMENT ONLY. The orchard-server port is bound to 0.0.0.0
+  # to allow testing from other machines on the local network. This is only in
+  # docker-compose.local.yml, not production deployments.
+  - 451d79dc-0588-476a-ad03-3c7f0320abb3