Add KICS config to document accepted security exceptions

Excludes the following queries with documented reasons:
- Shared volumes: Required for database persistence
- Passwords in config: Local dev only, prod uses K8s secrets
- Healthcheck on init container: Not applicable, exits after setup
- Apt pin version: Intentional for security updates

.gitlab-ci.yml

@@ -25,6 +25,8 @@ stages:
 
 kics:
   allow_failure: true
+  variables:
+    KICS_CONFIG: kics.config
 
 hadolint:
   allow_failure: true

kics.config

@@ -0,0 +1,25 @@
+# KICS Configuration File
+# https://docs.kics.io/latest/configuration-file/
+
+# Exclude specific queries that are acceptable for this project
+exclude-queries:
+  # Shared Volumes Between Containers (INFO)
+  # Reason: Database services (postgres, minio, redis) require persistent volumes
+  # for data storage. This is expected and necessary behavior.
+  - 8c978947-0ff6-485c-b0c2-0bfca6026466
+
+  # Passwords And Secrets - Generic Password (HIGH)
+  # Reason: These are LOCAL DEVELOPMENT configs only. Production deployments
+  # use Kubernetes secrets injected at runtime. The passwords in docker-compose
+  # and helm values files are placeholder/dev values, not real secrets.
+  - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71
+
+  # Healthcheck Not Set (MEDIUM)
+  # Reason: minio-init is an init container that runs once and exits.
+  # Healthchecks are not applicable to containers that are designed to exit.
+  - 698ed579-b239-4f8f-a388-baa4bcb13ef8
+
+  # Apt Get Install Pin Version Not Defined (MEDIUM)
+  # Reason: We intentionally don't pin curl version to get security updates.
+  # This is documented with hadolint ignore comment in Dockerfile.
+  - 965a08d7-ef86-4f14-8792-4a3b2098937e