# Docker Infrastructure Security Audit Findings

**Applies when:** reviewing Docker configurations, adding new services to docker-compose, creating production deployment configs, or auditing container security.

## Critical Issues (as of 2026-03-24)

- `cofee_backend/.env` is tracked in git (committed in `0299949`). `.gitignore` has no `.env` entry.
- `cofee_frontend/.env` is tracked in git (committed in `71b9749`). `.gitignore` only excludes `.env*.local`, not `.env`.
- `cofee_backend/.dockerignore` does NOT exclude `.env`, so secrets enter the Docker build context.
- `remotion_service/.gitignore` and `.dockerignore` correctly exclude `.env`.

## High Issues

- Both Dockerfiles (backend + remotion) run as root: no `USER` directive, no `adduser`.
- `docker-compose.yml` has hardcoded defaults: `JWT_SECRET_KEY=dev-secret`, `postgres/postgres`, `minioadmin/minioadmin`.
- Redis has no authentication (`--requirepass` not set) and is exposed on host port 6379.
- All ports are bound to `0.0.0.0` (shorthand port format), not `127.0.0.1`.

## Medium Issues

- No network segmentation: all backend services sit on the default bridge network.
- No container resource limits (`mem_limit`, `cpus`).
- No capability dropping (`cap_drop: ALL`).
- MinIO image unpinned (`minio/minio` = latest). Other images are pinned by tag, not digest.
- Remotion compose mounts the entire project dir (`.:/app:cached`), bypassing `.dockerignore` at runtime.
- Chromium sandbox disabled (`REMOTION_PUPPETEER_NO_SANDBOX=1`) while running as root.

## Remediation Status

- All findings reported, none remediated yet as of this audit date.