Daniil
27 lines
1.5 KiB
Markdown
27 lines
1.5 KiB
Markdown
# Docker Infrastructure Security Audit Findings
|
|
|
|
**Applies when:** reviewing Docker configurations, adding new services to docker-compose, creating production deployment configs, or auditing container security.
|
|
|
|
## Critical Issues (as of 2026-03-24)
|
|
- `cofee_backend/.env` is tracked in git (committed in `0299949`). `.gitignore` has no `.env` entry.
|
|
- `cofee_frontend/.env` is tracked in git (committed in `71b9749`). `.gitignore` only excludes `.env*.local`, not `.env`.
|
|
- `cofee_backend/.dockerignore` does NOT exclude `.env` — secrets enter Docker build context.
|
|
- `remotion_service/.gitignore` and `.dockerignore` correctly exclude `.env`.
|
|
|
|
## High Issues
|
|
- Both Dockerfiles (backend + remotion) run as root — no `USER` directive, no `adduser`.
|
|
- `docker-compose.yml` has hardcoded defaults: `JWT_SECRET_KEY=dev-secret`, `postgres/postgres`, `minioadmin/minioadmin`.
|
|
- Redis has no authentication (`--requirepass` not set), exposed on host port 6379.
|
|
- All ports bound to `0.0.0.0` (shorthand format), not `127.0.0.1`.
|
|
|
|
## Medium Issues
|
|
- No network segmentation — all backend services on default bridge network.
|
|
- No container resource limits (mem_limit, cpus).
|
|
- No capability dropping (cap_drop: ALL).
|
|
- MinIO image unpinned (`minio/minio` = latest). Other images pinned by tag, not digest.
|
|
- Remotion compose mounts entire project dir (`.:/app:cached`), bypassing .dockerignore at runtime.
|
|
- Chromium sandbox disabled (`REMOTION_PUPPETEER_NO_SANDBOX=1`) + running as root.
|
|
|
|
## Remediation Status
|
|
- All findings reported, none remediated yet as of this audit date.
|