Use v3 deploy.resources.limits format for docker-compose

- Convert mem_limit/cpus to deploy.resources.limits.memory/cpus - Use proper v3 format that KICS recognizes - Remove KICS exceptions for CPU/Memory limits (no longer needed) - All services now have explicit resource constraints
2026-01-14 19:37:12 +00:00
parent 53c1f6a1dd
commit 8065f881f3
3 changed files with 50 additions and 30 deletions
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -46,8 +46,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 1g
-    cpus: 1.0
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 1G

  postgres:
    image: postgres:16-alpine
@@ -72,8 +75,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
-    cpus: 0.5
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 512M

  minio:
    image: minio/minio:latest
@@ -98,8 +104,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
-    cpus: 0.5
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 512M

  minio-init:
    image: minio/mc:latest
@@ -119,8 +128,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 128m
-    cpus: 0.25
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 128M

  redis:
    image: redis:7-alpine
@@ -141,8 +153,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 256m
-    cpus: 0.25
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 256M

 volumes:
  postgres-data-local:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,8 +44,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 1g
-    cpus: 1.0
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 1G

  postgres:
    image: containers.global.bsf.tools/postgres:16-alpine
@@ -70,8 +73,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
-    cpus: 0.5
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 512M

  minio:
    image: containers.global.bsf.tools/minio/minio:latest
@@ -96,8 +102,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
-    cpus: 0.5
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 512M

  minio-init:
    image: containers.global.bsf.tools/minio/mc:latest
@@ -117,8 +126,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 128m
-    cpus: 0.25
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 128M

  redis:
    image: containers.global.bsf.tools/redis:7-alpine
@@ -139,8 +151,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 256m
-    cpus: 0.25
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 256M

 volumes:
  postgres-data:
--- a/kics.config
+++ b/kics.config
@@ -23,13 +23,3 @@ exclude-queries:
  # Reason: We intentionally don't pin curl version to get security updates.
  # This is documented with hadolint ignore comment in Dockerfile.
  - 965a08d7-ef86-4f14-8792-4a3b2098937e
-
-  # Cpus Not Limited (LOW)
-  # Reason: Local development docker-compose files. Resource limits are set in
-  # production Kubernetes deployments via Helm values, not docker-compose.
-  - 6b610c50-99fb-4ef0-a5f3-e312fd945bc3
-
-  # Memory Not Limited (MEDIUM)
-  # Reason: Local development docker-compose files. Resource limits are set in
-  # production Kubernetes deployments via Helm values, not docker-compose.
-  - bb9ac4f7-e13b-423d-a010-c74a1bfbe492