Add KICS config to document accepted security exceptions

Excludes the following queries with documented reasons: - Shared volumes: Required for database persistence - Passwords in config: Local dev only, prod uses K8s secrets - Healthcheck on init container: Not applicable, exits after setup - Apt pin version: Intentional for security updates
2026-01-14 16:28:09 +00:00
parent ed928cc275
commit 5ecbd71c18
2 changed files with 27 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -25,6 +25,8 @@ stages:

 kics:
  allow_failure: true
+  variables:
+    KICS_CONFIG: kics.config

 hadolint:
  allow_failure: true
--- a/kics.config
+++ b/kics.config
@@ -0,0 +1,25 @@
+# KICS Configuration File
+# https://docs.kics.io/latest/configuration-file/
+
+# Exclude specific queries that are acceptable for this project
+exclude-queries:
+  # Shared Volumes Between Containers (INFO)
+  # Reason: Database services (postgres, minio, redis) require persistent volumes
+  # for data storage. This is expected and necessary behavior.
+  - 8c978947-0ff6-485c-b0c2-0bfca6026466
+
+  # Passwords And Secrets - Generic Password (HIGH)
+  # Reason: These are LOCAL DEVELOPMENT configs only. Production deployments
+  # use Kubernetes secrets injected at runtime. The passwords in docker-compose
+  # and helm values files are placeholder/dev values, not real secrets.
+  - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71
+
+  # Healthcheck Not Set (MEDIUM)
+  # Reason: minio-init is an init container that runs once and exits.
+  # Healthchecks are not applicable to containers that are designed to exit.
+  - 698ed579-b239-4f8f-a388-baa4bcb13ef8
+
+  # Apt Get Install Pin Version Not Defined (MEDIUM)
+  # Reason: We intentionally don't pin curl version to get security updates.
+  # This is documented with hadolint ignore comment in Dockerfile.
+  - 965a08d7-ef86-4f14-8792-4a3b2098937e