Harden docker-compose security per KICS findings

- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities

Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: none is added because the init container exits after setup
Mondo Diaz
2026-01-14 16:05:30 +00:00
parent 5a5d773999
commit ed928cc275
2 changed files with 30 additions and 10 deletions


@@ -6,7 +6,7 @@ services:
context: . context: .
dockerfile: Dockerfile.local dockerfile: Dockerfile.local
ports: ports:
- "8080:8080" - "127.0.0.1:8080:8080"
environment: environment:
- ORCHARD_SERVER_HOST=0.0.0.0 - ORCHARD_SERVER_HOST=0.0.0.0
- ORCHARD_SERVER_PORT=8080 - ORCHARD_SERVER_PORT=8080
@@ -44,6 +44,8 @@ services:
retries: 3 retries: 3
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 1g mem_limit: 1g
cpus: 1.0 cpus: 1.0
@@ -57,7 +59,7 @@ services:
- postgres-data-local:/var/lib/postgresql/data - postgres-data-local:/var/lib/postgresql/data
- ./migrations:/docker-entrypoint-initdb.d:ro - ./migrations:/docker-entrypoint-initdb.d:ro
ports: ports:
- "5432:5432" - "127.0.0.1:5432:5432"
healthcheck: healthcheck:
test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"] test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"]
interval: 10s interval: 10s
@@ -68,6 +70,8 @@ services:
restart: unless-stopped restart: unless-stopped
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 512m mem_limit: 512m
cpus: 0.5 cpus: 0.5
@@ -80,8 +84,8 @@ services:
volumes: volumes:
- minio-data-local:/data - minio-data-local:/data
ports: ports:
- "9000:9000" - "127.0.0.1:9000:9000"
- "9001:9001" - "127.0.0.1:9001:9001"
healthcheck: healthcheck:
test: ["CMD", "mc", "ready", "local"] test: ["CMD", "mc", "ready", "local"]
interval: 10s interval: 10s
@@ -92,6 +96,8 @@ services:
restart: unless-stopped restart: unless-stopped
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 512m mem_limit: 512m
cpus: 0.5 cpus: 0.5
@@ -111,6 +117,8 @@ services:
- orchard-network - orchard-network
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 128m mem_limit: 128m
cpus: 0.25 cpus: 0.25
@@ -120,7 +128,7 @@ services:
volumes: volumes:
- redis-data-local:/data - redis-data-local:/data
ports: ports:
- "6379:6379" - "127.0.0.1:6379:6379"
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "ping"] test: ["CMD", "redis-cli", "ping"]
interval: 10s interval: 10s
@@ -131,6 +139,8 @@ services:
restart: unless-stopped restart: unless-stopped
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 256m mem_limit: 256m
cpus: 0.25 cpus: 0.25
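Review bot: `cap_drop: ALL` is added to the infrastructure services (the hunks around `pg_isready`, `mc ready` and `redis-cli ping`) with no matching `cap_add` and no `user:` line visible in these hunks. If these are the stock postgres/redis images, their entrypoints start as root, chown the data volume and then switch to the service user via gosu, which needs CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_SETGID and CAP_SETUID; with every capability dropped the container fails at startup rather than running with fewer privileges. Either run the container as the service user explicitly (e.g. `user: "999:999"` for postgres, with the named volume pre-owned accordingly) so no capability is needed, or restore the minimum the entrypoint uses, e.g. `cap_add: [CHOWN, DAC_OVERRIDE, FOWNER, SETGID, SETUID]` directly under the new `cap_drop` block. The service definitions, including `image:` and any `user:` key, start outside these hunks, so this should be confirmed against the full file and an actual `docker compose up`.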


@@ -6,7 +6,7 @@ services:
context: . context: .
dockerfile: Dockerfile dockerfile: Dockerfile
ports: ports:
- "8080:8080" - "127.0.0.1:8080:8080"
environment: environment:
- ORCHARD_SERVER_HOST=0.0.0.0 - ORCHARD_SERVER_HOST=0.0.0.0
- ORCHARD_SERVER_PORT=8080 - ORCHARD_SERVER_PORT=8080
@@ -42,6 +42,8 @@ services:
retries: 3 retries: 3
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 1g mem_limit: 1g
cpus: 1.0 cpus: 1.0
@@ -55,7 +57,7 @@ services:
- postgres-data:/var/lib/postgresql/data - postgres-data:/var/lib/postgresql/data
- ./migrations:/docker-entrypoint-initdb.d:ro - ./migrations:/docker-entrypoint-initdb.d:ro
ports: ports:
- "5432:5432" - "127.0.0.1:5432:5432"
healthcheck: healthcheck:
test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"] test: ["CMD-SHELL", "pg_isready -U orchard -d orchard"]
interval: 10s interval: 10s
@@ -66,6 +68,8 @@ services:
restart: unless-stopped restart: unless-stopped
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 512m mem_limit: 512m
cpus: 0.5 cpus: 0.5
@@ -78,8 +82,8 @@ services:
volumes: volumes:
- minio-data:/data - minio-data:/data
ports: ports:
- "9000:9000" - "127.0.0.1:9000:9000"
- "9001:9001" - "127.0.0.1:9001:9001"
healthcheck: healthcheck:
test: ["CMD", "mc", "ready", "local"] test: ["CMD", "mc", "ready", "local"]
interval: 10s interval: 10s
@@ -90,6 +94,8 @@ services:
restart: unless-stopped restart: unless-stopped
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 512m mem_limit: 512m
cpus: 0.5 cpus: 0.5
@@ -109,6 +115,8 @@ services:
- orchard-network - orchard-network
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 128m mem_limit: 128m
cpus: 0.25 cpus: 0.25
@@ -118,7 +126,7 @@ services:
volumes: volumes:
- redis-data:/data - redis-data:/data
ports: ports:
- "6379:6379" - "127.0.0.1:6379:6379"
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "ping"] test: ["CMD", "redis-cli", "ping"]
interval: 10s interval: 10s
@@ -129,6 +137,8 @@ services:
restart: unless-stopped restart: unless-stopped
security_opt: security_opt:
- no-new-privileges:true - no-new-privileges:true
cap_drop:
- ALL
mem_limit: 256m mem_limit: 256m
cpus: 0.25 cpus: 0.25
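Review bot: This file builds from `Dockerfile` rather than `Dockerfile.local` (first hunk), which suggests it is not the local-only compose file the commit message describes, yet the application port is now bound as `"127.0.0.1:8080:8080"` under the "local dev only" rationale. Wherever this file is used beyond a developer machine, the application is reachable only through a reverse proxy on the same host, and the message's justification for leaving passwords in `environment` does not carry over to this file either. If loopback binding is intended here, a comment on that line such as `# loopback only: front with a reverse proxy on this host` would keep the next reader from reverting it; if not, the `127.0.0.1:` prefix should be limited to the infrastructure ports (5432, 6379, 9000/9001) in this file. The same `cap_drop: ALL` concern applies to the postgres/redis/minio services here: stock entrypoints that start as root and drop to the service user need CHOWN/SETUID/SETGID, so confirm startup or add a matching `cap_add`. Each service's `image:` and `user:` keys lie outside these hunks.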