bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity
128 Commits 19 Branches 0 Tags
5e18fa380dabaa449bb00eeb15f1864c442db657
Commit Graph

4 Commits

Author SHA1 Message Date
Mondo Diaz
52fa3cbf77 Harden docker-compose security per KICS findings 
- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities

Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: Init container exits after setup
 2026-01-14 18:15:25 +00:00
Mondo Diaz
1a7fb3e5ba Fix security scan issues and harden docker-compose 
Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
 2026-01-14 18:15:25 +00:00
Dane Moss
3fe421f31d update URLs to point to BSF 2025-12-15 11:30:07 -07:00
Mondo Diaz
f8e9650de3 Initial commit: Orchard content-addressable storage system 
- Go server with Gin framework
- PostgreSQL for metadata storage
- MinIO/S3 for artifact storage with SHA256 content addressing
- REST API for grove/tree/fruit operations
- Web UI for managing artifacts
- Docker Compose setup for local development
 2025-12-04 10:14:49 -06:00