From ed928cc27586d72c316cf5d45d66a199701cc023 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Wed, 14 Jan 2026 16:05:30 +0000
Subject: [PATCH] Harden docker-compose security per KICS findings

- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities
Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: Init container exits after setup
---
 docker-compose.local.yml | 20 +++++++++++++++-----
 docker-compose.yml | 20 +++++++++++++++-----
 2 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/docker-compose.local.yml b/docker-compose.local.yml
index aa5b113..3bfc6db 100644
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -6,7 +6,7 @@ services:
 context: .
 dockerfile: Dockerfile.local
 ports:
- - "8080:8080"
+ - "127.0.0.1:8080:8080"
 environment:
 - ORCHARD_SERVER_HOST=0.0.0.0
 - ORCHARD_SERVER_PORT=8080
@@ -44,6 +44,8 @@ services:
 retries: 3
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 1g
 cpus: 1.0
@@ -57,7 +59,7 @@ services:
 - postgres-data-local:/var/lib/postgresql/data
 - ./migrations:/docker-entrypoint-initdb.d:ro
 ports:
- - "5432:5432"
+ - "127.0.0.1:5432:5432"
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"]
 interval: 10s
@@ -68,6 +70,8 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 512m
 cpus: 0.5
@@ -80,8 +84,8 @@ services:
 volumes:
 - minio-data-local:/data
 ports:
- - "9000:9000"
- - "9001:9001"
+ - "127.0.0.1:9000:9000"
+ - "127.0.0.1:9001:9001"
 healthcheck:
 test: ["CMD", "mc", "ready", "local"]
 interval: 10s
@@ -92,6 +96,8 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 512m
 cpus: 0.5
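Review bot: The new `- "127.0.0.1:8080:8080"` mapping in the `@@ -6,7 +6,7 @@` hunk narrows only the host-side listener, while the container itself still binds `ORCHARD_SERVER_HOST=0.0.0.0` two lines below; that combination is what keeps the service reachable from the other compose services, but nothing records that it is intentional. A comment above `ports:` such as `# host port bound to loopback only; other services reach this container over the compose network` would stop a later reader from "fixing" the 0.0.0.0 setting. Note also that a 127.0.0.1 binding publishes on the IPv4 loopback only, so a client that resolves `localhost` to `::1` first depends on its own fallback to IPv4. The same comment applies to the 5432, 9000/9001 and 6379 hunks in this file and to the matching hunks in docker-compose.yml.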
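Review bot: `cap_drop: ALL` in the `@@ -68,6 +70,8 @@` hunk (the postgres service, judging by the `postgres-data-local` volume and port 5432 in the preceding hunk) has no matching `cap_add` or `user:` entry, and the service's `image:` and any `user:` line are outside the hunk, so this is inferred. If it is the stock postgres image started as root, its entrypoint fixes ownership of the data directory and then switches to the `postgres` user via gosu, which in practice needs at least SETUID and SETGID plus CHOWN/FOWNER/DAC_OVERRIDE; with every capability dropped that switch fails and the container exits before the healthcheck ever passes. The redis service (`@@ -131,6 +139,8 @@`) follows the same root-then-drop entrypoint pattern, and the mirror hunks in docker-compose.yml (`@@ -66,6 +68,8 @@`, `@@ -129,6 +137,8 @@`) carry the same risk. Either run those services as the unprivileged user directly (`user: postgres` / `user: redis`, with the volume ownership set to match) or add back the minimal set, e.g. `cap_add: [CHOWN, SETUID, SETGID, DAC_OVERRIDE, FOWNER]`, and confirm with a clean `docker compose up` that every service reaches a healthy state.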
@@ -111,6 +117,8 @@ services:
 - orchard-network
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 128m
 cpus: 0.25
@@ -120,7 +128,7 @@ services:
 volumes:
 - redis-data-local:/data
 ports:
- - "6379:6379"
+ - "127.0.0.1:6379:6379"
 healthcheck:
 test: ["CMD", "redis-cli", "ping"]
 interval: 10s
@@ -131,6 +139,8 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 256m
 cpus: 0.25
diff --git a/docker-compose.yml b/docker-compose.yml
index 3f1455b..d0ba98f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 context: .
 dockerfile: Dockerfile
 ports:
- - "8080:8080"
+ - "127.0.0.1:8080:8080"
 environment:
 - ORCHARD_SERVER_HOST=0.0.0.0
 - ORCHARD_SERVER_PORT=8080
@@ -42,6 +42,8 @@ services:
 retries: 3
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 1g
 cpus: 1.0
@@ -55,7 +57,7 @@ services:
 - postgres-data:/var/lib/postgresql/data
 - ./migrations:/docker-entrypoint-initdb.d:ro
 ports:
- - "5432:5432"
+ - "127.0.0.1:5432:5432"
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"]
 interval: 10s
@@ -66,6 +68,8 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 512m
 cpus: 0.5
@@ -78,8 +82,8 @@ services:
 volumes:
 - minio-data:/data
 ports:
- - "9000:9000"
- - "9001:9001"
+ - "127.0.0.1:9000:9000"
+ - "127.0.0.1:9001:9001"
 healthcheck:
 test: ["CMD", "mc", "ready", "local"]
 interval: 10s
@@ -90,6 +94,8 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 512m
 cpus: 0.5
@@ -109,6 +115,8 @@ services:
 - orchard-network
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 128m
 cpus: 0.25
@@ -118,7 +126,7 @@ services:
 volumes:
 - redis-data:/data
 ports:
- - "6379:6379"
+ - "127.0.0.1:6379:6379"
 healthcheck:
 test: ["CMD", "redis-cli", "ping"]
 interval: 10s
@@ -129,6 +137,8 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+ cap_drop:
+ - ALL
 mem_limit: 256m
 cpus: 0.25