# KICS Configuration File
# https://docs.kics.io/latest/configuration-file/

# Exclude specific queries that are acceptable for this project
exclude-queries:
  # Shared Volumes Between Containers (INFO)
  # Reason: Database services (postgres, minio, redis) require persistent volumes
  # for data storage. This is expected and necessary behavior.
  - 8c978947-0ff6-485c-b0c2-0bfca6026466

  # Passwords And Secrets - Generic Password (HIGH)
  # Reason: These are LOCAL DEVELOPMENT configs only. Production deployments
  # use Kubernetes secrets injected at runtime. The passwords in docker-compose
  # and helm values files are placeholder/dev values, not real secrets.
  - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

  # Healthcheck Not Set (MEDIUM)
  # Reason: minio-init is an init container that runs once and exits.
  # Healthchecks are not applicable to containers that are designed to exit.
  - 698ed579-b239-4f8f-a388-baa4bcb13ef8

  # Apt Get Install Pin Version Not Defined (MEDIUM)
  # Reason: We intentionally don't pin the curl version so that security updates
  # are picked up. This is documented with a hadolint ignore comment in the Dockerfile.
  - 965a08d7-ef86-4f14-8792-4a3b2098937e

  # Container Capabilities Unrestricted (MEDIUM)
  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images require
  # certain capabilities (SETUID, SETGID, CHOWN) to switch users at startup.
  # cap_drop: ALL breaks these containers. Production Kubernetes deployments
  # use securityContext with appropriate settings.
  - ce76b7d0-9e77-464d-b86f-c5c48e03e22d

  # No New Privileges Not Set (HIGH)
  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images need
  # to escalate privileges during initialization (e.g., postgres switches from
  # root to the postgres user). no-new-privileges:true prevents this and causes
  # containers to crash. Production Kubernetes deployments handle this via
  # securityContext.
  - 27fcc7d6-c49b-46e0-98f1-6c082a6a2750

  # Security Opt Not Set (MEDIUM)
  # Reason: LOCAL DEVELOPMENT ONLY. Related to the above: security_opt is not set
  # on database services because no-new-privileges breaks them.
  - 610e266e-6c12-4bca-9925-1ed0cd29742b

  # Container Traffic Not Bound To Host Interface (MEDIUM)
  # Reason: LOCAL DEVELOPMENT ONLY. The orchard-server port is bound to 0.0.0.0
  # to allow testing from other machines on the local network. This is only in
  # docker-compose.local.yml, not production deployments.
  - 451d79dc-0588-476a-ad03-3c7f0320abb3
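For comparison, the following docker-compose fragment is an added example (not one of the project's own files) showing how each excluded finding above could be satisfied for a postgres service instead of suppressed; the image tag, secret file path and port are assumptions.

```yaml
# docker-compose.hardened.yml (constructed example, not part of the project)
services:
  postgres:
    image: postgres:16          # assumed tag; use the project's pinned image
    # Container Capabilities Unrestricted: drop everything, then add back only
    # the three capabilities the config above says the stock image needs.
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
    # No New Privileges Not Set / Security Opt Not Set: the config above reports
    # that this breaks the stock image during init, so enable it per image only
    # after confirming the entrypoint still completes its user switch.
    security_opt:
      - no-new-privileges:true
    # Container Traffic Not Bound To Host Interface: publish on loopback only.
    ports:
      - "127.0.0.1:5432:5432"
    # Healthcheck Not Set: appropriate here because this is a long-running
    # service, unlike the one-shot minio-init container.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
    # Passwords And Secrets: the official image reads *_FILE variables, so the
    # password never appears as a literal in this file.
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password
    # Shared Volumes Between Containers: a named volume owned by this service,
    # not a path shared with other containers.
    volumes:
      - pgdata:/var/lib/postgresql/data

secrets:
  postgres_password:
    file: ./secrets/postgres_password.txt   # assumed path, kept out of git

volumes:
  pgdata:
```

Running `kics scan` against this file without the corresponding `exclude-queries` entries is the check that confirms each finding is actually resolved rather than hidden.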