From 5ecbd71c187d4005aea3badd4d02b6cbbcf24ae8 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Wed, 14 Jan 2026 16:28:09 +0000
Subject: [PATCH] Add KICS config to document accepted security exceptions

Excludes the following queries with documented reasons:
- Shared volumes: Required for database persistence
- Passwords in config: Local dev only, prod uses K8s secrets
- Healthcheck on init container: Not applicable, exits after setup
- Apt pin version: Intentional for security updates
---
 .gitlab-ci.yml | 2 ++
 kics.config | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 kics.config

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0ceef01..30232b4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -25,6 +25,8 @@ stages:
 kics:
 allow_failure: true
+ variables:
+ KICS_CONFIG: kics.config
 hadolint:
 allow_failure: true
diff --git a/kics.config b/kics.config
new file mode 100644
index 0000000..5572c19
--- /dev/null
+++ b/kics.config
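Review bot: The `kics` job keeps `allow_failure: true` after the config is wired in, so an ignored or mis-wired exclusion list is indistinguishable from a clean scan; once the accepted exceptions are recorded in `kics.config`, consider `allow_failure: false` so that new findings outside the documented baseline block the pipeline instead of being silently tolerated. It is also worth confirming that the job's KICS invocation actually reads a `KICS_CONFIG` variable — the kics CLI takes the file via `--config`, and whether the analyzer used by this job maps the variable onto that flag is not visible in the hunk — otherwise the variable is inert and the exclusions never apply. The `kics` job definition may continue beyond the context lines shown here.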
@@ -0,0 +1,25 @@
+# KICS Configuration File
+# https://docs.kics.io/latest/configuration-file/
+
+# Exclude specific queries that are acceptable for this project
+exclude-queries:
+ # Shared Volumes Between Containers (INFO)
+ # Reason: Database services (postgres, minio, redis) require persistent volumes
+ # for data storage. This is expected and necessary behavior.
+ - 8c978947-0ff6-485c-b0c2-0bfca6026466
+
+ # Passwords And Secrets - Generic Password (HIGH)
+ # Reason: These are LOCAL DEVELOPMENT configs only. Production deployments
+ # use Kubernetes secrets injected at runtime. The passwords in docker-compose
+ # and helm values files are placeholder/dev values, not real secrets.
+ - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71
+
+ # Healthcheck Not Set (MEDIUM)
+ # Reason: minio-init is an init container that runs once and exits.
+ # Healthchecks are not applicable to containers that are designed to exit.
+ - 698ed579-b239-4f8f-a388-baa4bcb13ef8
+
+ # Apt Get Install Pin Version Not Defined (MEDIUM)
+ # Reason: We intentionally don't pin curl version to get security updates.
+ # This is documented with hadolint ignore comment in Dockerfile.
+ - 965a08d7-ef86-4f14-8792-4a3b2098937e
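Review bot: Listing `a88baa34-e2ad-44ea-ad6f-8cac87bc7c71` under `exclude-queries` switches off Generic Password detection for the entire repository, not just the docker-compose and helm dev files the comment describes, so a real credential committed anywhere later would no longer be reported. The healthcheck (`698ed579-…`) and apt-pin (`965a08d7-…`) entries have the same scoping problem: they silence every container and every `apt-get install` rather than only `minio-init` and the `curl` line. A narrower exception keeps the queries enabled and records the accepted findings under `exclude-results:` by similarity ID (one `- <SIMILARITY_ID from the KICS report>` placeholder per accepted finding), or confines the dev-only files with `exclude-paths:`. Whichever form is used, each justification comment should name the specific file and service the accepted result belongs to, so the exception can be re-validated when those files change.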