Harden docker-compose security per KICS findings

- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities

Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: Init container exits after setup
Mondo Diaz
2026-01-14 16:05:30 +00:00
parent 5a5d773999
commit ed928cc275
2 changed files with 30 additions and 10 deletions


@@ -6,7 +6,7 @@ services:
context: .
dockerfile: Dockerfile.local
ports:
- "8080:8080"
- "127.0.0.1:8080:8080"
environment:
- ORCHARD_SERVER_HOST=0.0.0.0
- ORCHARD_SERVER_PORT=8080
@@ -44,6 +44,8 @@ services:
retries: 3
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
mem_limit: 1g
cpus: 1.0
@@ -57,7 +59,7 @@ services:
- postgres-data-local:/var/lib/postgresql/data
- ./migrations:/docker-entrypoint-initdb.d:ro
ports:
- "5432:5432"
- "127.0.0.1:5432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"]
interval: 10s
@@ -68,6 +70,8 @@ services:
restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
mem_limit: 512m
cpus: 0.5
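Review bot: `cap_drop: ALL` is added here with no matching `cap_add` or `user:`, and for a service whose image entrypoint starts as root, chowns its data volume and steps down via gosu (the official postgres and redis images both do this), dropping every capability does not remove "unnecessary" ones but stops the container from starting with `Operation not permitted`; the same applies to the hunks at `@@ -92` and `@@ -131`. Either list the minimal set such an entrypoint needs under the new key, e.g. `cap_add: [CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID]`, or run the service as a non-root `user:` against a volume it already owns so no privilege drop happens inside the container. Which service each hunk belongs to is inferred from the neighbouring `ports` hunks (5432, 9000/9001, 6379), since the service names are outside the hunks; the app service at `@@ -44` listens on 8080 and likely needs nothing, while a root-running minio may cope because it owns its volume, so verify with a clean `docker compose up` and the container logs rather than by the KICS result alone. The commit message should also record which capabilities each service is allowed to keep and why, so the next person does not re-tighten them blindly.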
@@ -80,8 +84,8 @@ services:
volumes:
- minio-data-local:/data
ports:
- "9000:9000"
- "9001:9001"
- "127.0.0.1:9000:9000"
- "127.0.0.1:9001:9001"
healthcheck:
test: ["CMD", "mc", "ready", "local"]
interval: 10s
@@ -92,6 +96,8 @@ services:
restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
mem_limit: 512m
cpus: 0.5
@@ -111,6 +117,8 @@ services:
- orchard-network
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
mem_limit: 128m
cpus: 0.25
@@ -120,7 +128,7 @@ services:
volumes:
- redis-data-local:/data
ports:
- "6379:6379"
- "127.0.0.1:6379:6379"
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
@@ -131,6 +139,8 @@ services:
restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
mem_limit: 256m
cpus: 0.25