bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity
131 Commits 19 Branches 0 Tags
5f43179fb22cded166b7848db0251f95d92024e8
Commit Graph

4 Commits

Author SHA1 Message Date
Mondo Diaz
ed928cc275 Harden docker-compose security per KICS findings 
- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities

Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: Init container exits after setup
 2026-01-14 16:05:30 +00:00
Mondo Diaz
4ec91b46ed Fix security scan issues and harden docker-compose 
Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
 2026-01-13 22:40:51 +00:00
Mondo Diaz
617bcbe89c Implement authentication system with access control UI 2026-01-12 09:52:35 -07:00
Mondo Diaz
3fd2747ae4 Store SHA256 checksums with artifacts and add multiple hash support 2025-12-15 14:47:30 -06:00