detections/_docs/05_security/infrastructure_review.md
Oleksandr Bezdieniezhnykh be4cab4fcb [AZ-178] Implement streaming video detection endpoint
- Added `/detect/video` endpoint for true streaming video detection, allowing inference to start as upload bytes arrive.
- Introduced `run_detect_video_stream` method in the inference module to handle video processing from a file-like object.
- Updated media hashing to include a new function for computing hashes directly from files with minimal I/O.
- Enhanced documentation to reflect changes in video processing and API behavior.

Made-with: Cursor
2026-04-01 03:11:43 +03:00


# Configuration & Infrastructure Review

**Date**: 2026-03-31

**Scope**: Dockerfiles, docker-compose files, .env, .gitignore

## Container Security
### Dockerfile (CPU)
| Check | Status | Detail |
|-------|--------|--------|
| Non-root user | FAIL | Runs as root (no USER directive) |
| Minimal base image | PASS | Uses `python:3.11-slim` |
| No secrets in build args | PASS | No ARG with secrets |
| apt cache cleaned | PASS | `rm -rf /var/lib/apt/lists/*` |
| No-cache pip install | PASS | `--no-cache-dir` |
| Health check | FAIL | No HEALTHCHECK directive |
### Dockerfile.gpu
| Check | Status | Detail |
|-------|--------|--------|
| Non-root user | FAIL | Runs as root (no USER directive) |
| Minimal base image | WARN | Uses `nvidia/cuda:12.2.0-runtime-ubuntu22.04` (necessary for GPU, but large) |
| No secrets in build args | PASS | No ARG with secrets |
| apt cache cleaned | PASS | `rm -rf /var/lib/apt/lists/*` |
| No-cache pip install | PASS | `--no-cache-dir` |
| Health check | FAIL | No HEALTHCHECK directive |
### Remediation
Add to both Dockerfiles:
```dockerfile
# Create an unprivileged user; place these lines after the apt/pip install and COPY
# steps so those still run as root, and the USER switch covers only the runtime stage
RUN adduser --disabled-password --gecos '' appuser
USER appuser
# Probe the service's /health route; curl must exist in the image
# (python:3.11-slim does not ship it, so install it in the apt step or use a python -c probe)
HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1
```
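To re-run the Dockerfile rows of the two tables above mechanically, here is an added example (not code from the project): a small Python audit that applies those checks to a Dockerfile's text. The two sample Dockerfiles are constructed for the example; the `/health` path and port 8080 are taken from the remediation block.

```python
import re

SECRET_ARG = re.compile(r"^ARG\s+\S*(SECRET|TOKEN|PASSW|KEY)", re.I)

def _instructions(text: str) -> list[str]:
    """Split a Dockerfile into instructions, joining backslash-continued lines."""
    out, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    return out

def review_dockerfile(text: str) -> dict[str, str]:
    """PASS/FAIL per check, mirroring the Dockerfile rows of the review tables."""
    instr = _instructions(text)
    runs = [i for i in instr if i.upper().startswith("RUN ")]
    users = [i.split(None, 1)[1].strip() for i in instr if i.upper().startswith("USER ")]
    # The last USER directive wins; root may also be written as uid 0 or "0:0".
    non_root = bool(users) and users[-1].split(":")[0] not in ("root", "0")
    # Cache hygiene is per layer: the cleanup/flag must sit in the same RUN instruction.
    apt_ok = all("rm -rf /var/lib/apt/lists" in r for r in runs if "apt-get install" in r)
    pip_ok = all("--no-cache-dir" in r for r in runs if re.search(r"\bpip3?\s+install", r))
    return {
        "non_root_user": "PASS" if non_root else "FAIL",
        "health_check": "PASS" if any(i.upper().startswith("HEALTHCHECK ") for i in instr) else "FAIL",
        "no_secrets_in_build_args": "FAIL" if any(SECRET_ARG.match(i) for i in instr) else "PASS",
        "apt_cache_cleaned": "PASS" if apt_ok else "FAIL",
        "no_cache_pip_install": "PASS" if pip_ok else "FAIL",
    }

# Constructed sample in the shape the review describes (runs as root, no HEALTHCHECK)...
BEFORE = """\
FROM python:3.11-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN pip install --no-cache-dir -r requirements.txt
EXPOSE 8080
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8080"]
"""
# ...and the same file with this review's remediation block inserted before EXPOSE.
AFTER = BEFORE.replace("EXPOSE 8080", """\
RUN adduser --disabled-password --gecos '' appuser
USER appuser
HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1
EXPOSE 8080""")
```

`review_dockerfile(BEFORE)` reports the two FAILs from the tables, and `review_dockerfile(AFTER)` reports PASS for both once the remediation is in place.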
## CI/CD Security
No CI/CD pipeline files found in the repository (no `.github/workflows/`, `.gitlab-ci.yml`, `azure-pipelines.yml`, or `Jenkinsfile`). CI/CD security cannot be assessed.
**Recommendation**: When CI/CD is added, include dependency scanning, SAST, secret scanning, and image scanning steps.
## Environment Configuration
| Check | Status | Detail |
|-------|--------|--------|
| .env handling | PASS | `.env` is gitignored (root level); `e2e/.env` is tracked but contains only `COMPOSE_PROFILES=cpu` (no secrets) |
| Secrets in docker-compose | PASS | No credentials in compose files; service URLs are internal Docker network names |
| Environment separation | PASS | URLs are configurable via env vars (`LOADER_URL`, `ANNOTATIONS_URL`, `VIDEOS_DIR`, `IMAGES_DIR`) |
| Secret management | N/A | No secrets required by this service (tokens come from HTTP headers) |
## Network Security
| Check | Status | Detail |
|-------|--------|--------|
| Exposed ports | WARN | Port 8080 exposed; relies on external network controls for access restriction |
| TLS configuration | FAIL | No TLS termination in the application; `CMD` runs uvicorn without `--ssl-*` flags |
| CORS | WARN | No CORSMiddleware configured — browser clients cannot make cross-origin requests (may be intentional if behind API gateway) |
| Security headers | FAIL | No security headers middleware (see SAST findings) |
## .gitignore Review
| Check | Status | Detail |
|-------|--------|--------|
| .env files excluded | PASS | `.env`, `.env.*` patterns in .gitignore |
| Credentials excluded | PASS | `.cursor/mcp.json` excluded |
| Binary files excluded | PASS | `.onnx`, media formats excluded |
| Build artifacts excluded | PASS | `build/`, `dist/`, `*.so`, `*.egg-info/` excluded |
## Summary
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Medium | 3 (root containers x2, no TLS) |
| Low | 3 (no healthcheck x2, no CORS config) |