faglo/remotion_service

Files

T

Daniil 694b8bc77c docs initial

2026-04-06 01:44:58 +03:00

1.5 KiB

Raw Blame History

Docker Infrastructure Security Audit Findings

Applies when: reviewing Docker configurations, adding new services to docker-compose, creating production deployment configs, or auditing container security.

Critical Issues (as of 2026-03-24)

cofee_backend/.env is tracked in git (committed in 0299949). .gitignore has no .env entry.
cofee_frontend/.env is tracked in git (committed in 71b9749). .gitignore only excludes .env*.local, not .env.
cofee_backend/.dockerignore does NOT exclude .env — secrets enter Docker build context.
remotion_service/.gitignore and .dockerignore correctly exclude .env.

High Issues

Both Dockerfiles (backend + remotion) run as root — no USER directive, no adduser.
docker-compose.yml has hardcoded defaults: JWT_SECRET_KEY=dev-secret, postgres/postgres, minioadmin/minioadmin.
Redis has no authentication (--requirepass not set), exposed on host port 6379.
All ports bound to 0.0.0.0 (shorthand format), not 127.0.0.1.

Medium Issues

No network segmentation — all backend services on default bridge network.
No container resource limits (mem_limit, cpus).
No capability dropping (cap_drop: ALL).
MinIO image unpinned (minio/minio = latest). Other images pinned by tag, not digest.
Remotion compose mounts entire project dir (.:/app:cached), bypassing .dockerignore at runtime.
Chromium sandbox disabled (REMOTION_PUPPETEER_NO_SANDBOX=1) + running as root.

Remediation Status

All findings reported, none remediated yet as of this audit date.