# Configuration & Infrastructure Review

**Date**: 2026-03-31

**Scope**: Dockerfiles, docker-compose files, .env, .gitignore

## Container Security

### Dockerfile (CPU)

| Check | Status | Detail |
|-------|--------|--------|
| Non-root user | FAIL | Runs as root (no USER directive) |
| Minimal base image | PASS | Uses `python:3.11-slim` |
| No secrets in build args | PASS | No ARG with secrets |
| apt cache cleaned | PASS | `rm -rf /var/lib/apt/lists/*` |
| No-cache pip install | PASS | `--no-cache-dir` |
| Health check | FAIL | No HEALTHCHECK directive |

### Dockerfile.gpu

| Check | Status | Detail |
|-------|--------|--------|
| Non-root user | FAIL | Runs as root (no USER directive) |
| Minimal base image | WARN | Uses `nvidia/cuda:12.2.0-runtime-ubuntu22.04` (necessary for GPU, but large) |
| No secrets in build args | PASS | No ARG with secrets |
| apt cache cleaned | PASS | `rm -rf /var/lib/apt/lists/*` |
| No-cache pip install | PASS | `--no-cache-dir` |
| Health check | FAIL | No HEALTHCHECK directive |

### Remediation

Add to both Dockerfiles:

```dockerfile
# Create an unprivileged account and drop root for every later instruction and at runtime.
RUN adduser --disabled-password --gecos '' appuser
USER appuser
# Requires curl in the image; python:3.11-slim does not include it by default.
HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1
```

## CI/CD Security

No CI/CD pipeline files were found in the repository (no `.github/workflows/`, `.gitlab-ci.yml`, `azure-pipelines.yml`, or `Jenkinsfile`), so CI/CD security cannot be assessed.

**Recommendation**: When CI/CD is added, include dependency scanning, SAST, secret scanning, and image scanning steps.
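The Dockerfile checks from the Container Security tables can be automated so that a future pipeline fails when a root container or a missing health check reappears. The script below is an added example, not code from the reviewed repository; the function names, the `libgl1` package and the `main:app` entry point in the sample Dockerfile are constructed assumptions.

```python
import re

def final_stage(dockerfile_text):
    """Return (instruction, argument) pairs for the last build stage only."""
    # Join backslash line continuations, then skip comments and blank lines.
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)
    stage = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        if instr.upper() == "FROM":
            stage = []  # a new FROM starts a new stage; only the last one ships
        stage.append((instr.upper(), arg.strip()))
    return stage

def review(dockerfile_text):
    """Map four checks from the review tables to PASS or FAIL."""
    stage = final_stage(dockerfile_text)
    users = [a for i, a in stage if i == "USER"]
    # The last USER wins; root, UID 0 or no USER at all means running as root.
    effective = users[-1].split(":")[0] if users else "root"
    runs = [a for i, a in stage if i == "RUN"]
    apt_runs = [r for r in runs if re.search(r"apt(-get)?\s+install", r)]
    pip_runs = [r for r in runs if re.search(r"pip3?\s+install", r)]
    checks = {
        "Non-root user": effective not in ("root", "0"),
        "Health check": any(i == "HEALTHCHECK" and a.upper() != "NONE" for i, a in stage),
        "apt cache cleaned": all("rm -rf /var/lib/apt/lists" in r for r in apt_runs),
        "No-cache pip install": all("--no-cache-dir" in r for r in pip_runs),
    }
    return {name: "PASS" if ok else "FAIL" for name, ok in checks.items()}

# Constructed sample resembling the reviewed CPU image (not the repository's file).
BEFORE = """FROM python:3.11-slim
RUN apt-get update && apt-get install -y libgl1 \\
    && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]
"""
# The same file with the remediation lines from this review inserted before CMD.
AFTER = BEFORE.replace("CMD [", "RUN adduser --disabled-password --gecos '' appuser\n"
    "USER appuser\nHEALTHCHECK --interval=30s --timeout=5s "
    "CMD curl -f http://localhost:8080/health || exit 1\nCMD [", 1)
if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, review(text))
```

Only the final build stage is inspected, so a `USER` set in an earlier stage of a multi-stage build does not count toward the non-root check.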

## Environment Configuration

| Check | Status | Detail |
|-------|--------|--------|
| .env handling | PASS | `.env` is gitignored (root level); `e2e/.env` is tracked but contains only `COMPOSE_PROFILES=cpu` (no secrets) |
| Secrets in docker-compose | PASS | No credentials in compose files; service URLs are internal Docker network names |
| Environment separation | PASS | URLs are configurable via env vars (`LOADER_URL`, `ANNOTATIONS_URL`, `VIDEOS_DIR`, `IMAGES_DIR`) |
| Secret management | N/A | No secrets required by this service (tokens come from HTTP headers) |

## Network Security

| Check | Status | Detail |
|-------|--------|--------|
| Exposed ports | WARN | Port 8080 exposed; relies on external network controls for access restriction |
| TLS configuration | FAIL | No TLS termination in the application; `CMD` runs uvicorn without `--ssl-*` flags |
| CORS | WARN | No CORSMiddleware configured — browser clients cannot make cross-origin requests (may be intentional if behind API gateway) |
| Security headers | FAIL | No security headers middleware (see SAST findings) |

## .gitignore Review

| Check | Status | Detail |
|-------|--------|--------|
| .env files excluded | PASS | `.env`, `.env.*` patterns in .gitignore |
| Credentials excluded | PASS | `.cursor/mcp.json` excluded |
| Binary files excluded | PASS | `.onnx`, media formats excluded |
| Build artifacts excluded | PASS | `build/`, `dist/`, `*.so`, `*.egg-info/` excluded |

## Summary

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Medium | 3 (root containers x2, no TLS) |
| Low | 3 (no healthcheck x2, no CORS config) |