orchard/kics.config
Mondo Diaz 9e2f12dc51 Fix local docker-compose security settings for stock images
Remove cap_drop: ALL and no-new-privileges from postgres, redis, minio,
and minio-init services. These stock images require certain capabilities
(SETUID, SETGID, CHOWN) to switch users during initialization.

Added KICS exceptions with documentation explaining these are local
development only settings - production Kubernetes uses securityContext.
2026-01-15 15:22:59 +00:00


# KICS Configuration File
# https://docs.kics.io/latest/configuration-file/
# Exclude specific queries that are acceptable for this project
exclude-queries:
  # Shared Volumes Between Containers (INFO)
  # Reason: Database services (postgres, minio, redis) require persistent volumes
  # for data storage. This is expected and necessary behavior.
  - 8c978947-0ff6-485c-b0c2-0bfca6026466

  # Passwords And Secrets - Generic Password (HIGH)
  # Reason: These are LOCAL DEVELOPMENT configs only. Production deployments
  # use Kubernetes secrets injected at runtime. The passwords in docker-compose
  # and helm values files are placeholder/dev values, not real secrets.
  - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

  # Healthcheck Not Set (MEDIUM)
  # Reason: minio-init is an init container that runs once and exits.
  # Healthchecks are not applicable to containers that are designed to exit.
  - 698ed579-b239-4f8f-a388-baa4bcb13ef8

  # Apt Get Install Pin Version Not Defined (MEDIUM)
  # Reason: We intentionally don't pin curl version to get security updates.
  # This is documented with hadolint ignore comment in Dockerfile.
  - 965a08d7-ef86-4f14-8792-4a3b2098937e

  # Container Capabilities Unrestricted (MEDIUM)
  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images require
  # certain capabilities (SETUID, SETGID, CHOWN) to switch users at startup.
  # cap_drop: ALL breaks these containers. Production Kubernetes deployments
  # use securityContext with appropriate settings.
  - ce76b7d0-9e77-464d-b86f-c5c48e03e22d

  # No New Privileges Not Set (HIGH)
  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images need
  # to escalate privileges during initialization (e.g., postgres switches from
  # root to postgres user). no-new-privileges:true prevents this and causes
  # containers to crash. Production Kubernetes deployments handle this via
  # securityContext.
  - 27fcc7d6-c49b-46e0-98f1-6c082a6a2750

  # Security Opt Not Set (MEDIUM)
  # Reason: LOCAL DEVELOPMENT ONLY. Related to above - security_opt is not set
  # on database services because no-new-privileges breaks them.
  - 610e266e-6c12-4bca-9925-1ed0cd29742b
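The capability trade-off the comments above describe, shown as an added example that is not part of this repository's compose file: instead of removing `cap_drop: ALL` outright, a local compose service can keep the deny-by-default and add back only the three capabilities the comments name. The service name, image tag, volume name and password value are assumptions, and the exact capability set should be confirmed by starting the stack and reading the container logs, since a stock image may need more than these three.

```yaml
# Added example, not this repository's docker-compose file. Service, image tag,
# volume and password are assumed placeholders for local development only.
services:
  postgres:
    image: postgres:16                      # assumed tag
    environment:
      POSTGRES_PASSWORD: dev-only-placeholder   # constructed dev value, not a secret
    volumes:
      - pgdata:/var/lib/postgresql/data
    # Keep the cap_drop: ALL baseline that the KICS query
    # ce76b7d0-9e77-464d-b86f-c5c48e03e22d flags when missing, and grant back
    # only what the entrypoint needs: CHOWN to fix ownership of the data
    # directory, SETUID/SETGID to switch from root to the postgres user.
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      # If startup still fails, the log line usually names the failing
      # operation; DAC_OVERRIDE and FOWNER are the usual next candidates
      # (assumption, verify per image before adding).

volumes:
  pgdata:
```

The same pattern applies to the redis, minio and minio-init services listed in the commit message, each with the smallest `cap_add` set that lets its entrypoint finish.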