From 7f7ac44c46b296e1f1f45db780fb4caad85393d3 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Thu, 15 Jan 2026 15:22:59 +0000
Subject: [PATCH] Fix local docker-compose security settings for stock images

Remove cap_drop: ALL and no-new-privileges from postgres, redis, minio, and minio-init services. These stock images require certain capabilities (SETUID, SETGID, CHOWN) to switch users during initialization. Added KICS exceptions with documentation explaining these are local development only settings - production Kubernetes uses securityContext.
---
 docker-compose.local.yml | 16 ----------------
 kics.config | 20 ++++++++++++++++++++
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/docker-compose.local.yml b/docker-compose.local.yml
index 3792e3e..83cdf56 100644
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -71,10 +71,6 @@ services:
 networks:
 - orchard-network
 restart: unless-stopped
- security_opt:
- - no-new-privileges:true
- cap_drop:
- - ALL
 deploy:
 resources:
 limits:
@@ -100,10 +96,6 @@ services:
 networks:
 - orchard-network
 restart: unless-stopped
- security_opt:
- - no-new-privileges:true
- cap_drop:
- - ALL
 deploy:
 resources:
 limits:
@@ -124,10 +116,6 @@ services:
 "
 networks:
 - orchard-network
- security_opt:
- - no-new-privileges:true
- cap_drop:
- - ALL
 deploy:
 resources:
 limits:
@@ -149,10 +137,6 @@ services:
 networks:
 - orchard-network
 restart: unless-stopped
- security_opt:
- - no-new-privileges:true
- cap_drop:
- - ALL
 deploy:
 resources:
 limits:
diff --git a/kics.config b/kics.config
index 5572c19..432bfa4 100644
--- a/kics.config
+++ b/kics.config
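Review bot: Removing `cap_drop: - ALL` outright in this hunk (and identically in the three following hunks for the redis, minio and minio-init services) hands each container Docker's full default capability set, when the commit message itself names the only three capabilities the entrypoints need; the least-privilege fix is to keep the drop and add back `cap_add: [CHOWN, SETUID, SETGID]` per service, trimming further for minio-init if its one-shot `mc` command never switches users. The `no-new-privileges:true` removal also looks unnecessary: no_new_privs only prevents a process from gaining privileges across execve (setuid/setgid binaries, file capabilities), and a root entrypoint calling setuid() to drop to the postgres or redis user is not affected, so the crash described in the message is most plausibly caused by the capability drop alone — worth re-testing with only the `cap_add` restored before discarding both settings, since that would also make the kics.config exception for query 27fcc7d6 unnecessary. The enclosing service definitions start and end outside every hunk.
```yaml
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      # only what the stock entrypoint needs to chown its data dir and drop to its service user;
      # verify per image — minio-init may need none of these
      - CHOWN
      - SETUID
      - SETGID
    # … unchanged: deploy/resources/limits …
```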
@@ -23,3 +23,23 @@ exclude-queries:
 # Reason: We intentionally don't pin curl version to get security updates.
 # This is documented with hadolint ignore comment in Dockerfile.
 - 965a08d7-ef86-4f14-8792-4a3b2098937e
+
+ # Container Capabilities Unrestricted (MEDIUM)
+ # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images require
+ # certain capabilities (SETUID, SETGID, CHOWN) to switch users at startup.
+ # cap_drop: ALL breaks these containers. Production Kubernetes deployments
+ # use securityContext with appropriate settings.
+ - ce76b7d0-9e77-464d-b86f-c5c48e03e22d
+
+ # No New Privileges Not Set (HIGH)
+ # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images need
+ # to escalate privileges during initialization (e.g., postgres switches from
+ # root to postgres user). no-new-privileges:true prevents this and causes
+ # containers to crash. Production Kubernetes deployments handle this via
+ # securityContext.
+ - 27fcc7d6-c49b-46e0-98f1-6c082a6a2750
+
+ # Security Opt Not Set (MEDIUM)
+ # Reason: LOCAL DEVELOPMENT ONLY. Related to above - security_opt is not set
+ # on database services because no-new-privileges breaks them.
+ - 610e266e-6c12-4bca-9925-1ed0cd29742b
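Review bot: The three new `exclude-queries` entries silence these queries for every file KICS scans in the repository, not just docker-compose.local.yml, so the "LOCAL DEVELOPMENT ONLY" rationale written beside each ID is not what the config actually enforces — any other compose file added later loses the capability and no-new-privileges checks without anyone noticing. Tie the exception to the file it describes instead, either with an `exclude-paths` entry for docker-compose.local.yml or with KICS inline `# kics-scan ignore-block` comments on the four affected services, and keep the repo-wide query list for findings that are genuinely global. The rationale for 27fcc7d6 also states that the images need "to escalate privileges" when a root entrypoint dropping to the postgres user is the opposite, and no_new_privs does not block that; I would reword it to `# Reason: LOCAL DEVELOPMENT ONLY. Scoped to docker-compose.local.yml; re-verify that no-new-privileges (rather than cap_drop: ALL) is what breaks these images before keeping this exception.` The enclosing `exclude-queries` list begins outside the hunk.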