docs initial

.claude/agents-memory/security-auditor/2026-03-24-docker-security-audit.md

@@ -0,0 +1,26 @@
+# Docker Infrastructure Security Audit Findings
+
+**Applies when:** reviewing Docker configurations, adding new services to docker-compose, creating production deployment configs, or auditing container security.
+
+## Critical Issues (as of 2026-03-24)
+- `cofee_backend/.env` is tracked in git (committed in `0299949`). `.gitignore` has no `.env` entry.
+- `cofee_frontend/.env` is tracked in git (committed in `71b9749`). `.gitignore` only excludes `.env*.local`, not `.env`.
+- `cofee_backend/.dockerignore` does NOT exclude `.env` — secrets enter Docker build context.
+- `remotion_service/.gitignore` and `.dockerignore` correctly exclude `.env`.
+
+## High Issues
+- Both Dockerfiles (backend + remotion) run as root — no `USER` directive, no `adduser`.
+- `docker-compose.yml` has hardcoded defaults: `JWT_SECRET_KEY=dev-secret`, `postgres/postgres`, `minioadmin/minioadmin`.
+- Redis has no authentication (`--requirepass` not set), exposed on host port 6379.
+- All ports bound to `0.0.0.0` (shorthand format), not `127.0.0.1`.
+
+## Medium Issues
+- No network segmentation — all backend services on default bridge network.
+- No container resource limits (mem_limit, cpus).
+- No capability dropping (cap_drop: ALL).
+- MinIO image unpinned (`minio/minio` = latest). Other images pinned by tag, not digest.
+- Remotion compose mounts entire project dir (`.:/app:cached`), bypassing .dockerignore at runtime.
+- Chromium sandbox disabled (`REMOTION_PUPPETEER_NO_SANDBOX=1`) + running as root.
+
+## Remediation Status
+- All findings reported, none remediated yet as of this audit date.