mirror of
https://github.com/azaion/detections.git
synced 2026-04-22 21:46:31 +00:00
# Configuration & Infrastructure Review

Date: 2026-03-31
Scope: Dockerfiles, docker-compose files, .env, .gitignore
## Container Security

### Dockerfile (CPU)
| Check | Status | Detail |
|---|---|---|
| Non-root user | FAIL | Runs as root (no USER directive) |
| Minimal base image | PASS | Uses python:3.11-slim |
| No secrets in build args | PASS | No ARG with secrets |
| apt cache cleaned | PASS | rm -rf /var/lib/apt/lists/* |
| No-cache pip install | PASS | --no-cache-dir |
| Health check | FAIL | No HEALTHCHECK directive |
### Dockerfile.gpu
| Check | Status | Detail |
|---|---|---|
| Non-root user | FAIL | Runs as root (no USER directive) |
| Minimal base image | WARN | Uses nvidia/cuda:12.2.0-runtime-ubuntu22.04 (necessary for GPU, but large) |
| No secrets in build args | PASS | No ARG with secrets |
| apt cache cleaned | PASS | rm -rf /var/lib/apt/lists/* |
| No-cache pip install | PASS | --no-cache-dir |
| Health check | FAIL | No HEALTHCHECK directive |
### Remediation

Add to both Dockerfiles:

```dockerfile
RUN adduser --disabled-password --gecos '' appuser
USER appuser
HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1
```
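The following audit helper is added here as an example and is not code from the repository: it applies the six checks in the tables above to a Dockerfile and shows the CPU image passing all of them once the remediation lines are in place. The two Dockerfiles are constructed to resemble the CPU image as described; the `/health` path and the curl install are assumptions.

```python
import re

# Constructed sample shaped like the CPU Dockerfile the review describes
# (python:3.11-slim, runs as root, no HEALTHCHECK); not the project's real file.
# curl is installed because the recommended HEALTHCHECK calls it and slim lacks it.
UNHARDENED = """\
FROM python:3.11-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . /app
EXPOSE 8080
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8080"]
"""
# Same file with the review's three remediation lines applied.
HARDENED = UNHARDENED.replace(
    "EXPOSE 8080",
    "RUN adduser --disabled-password --gecos '' appuser\nUSER appuser\nEXPOSE 8080",
) + "HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/health || exit 1\n"

SECRET_ARG = re.compile(r"SECRET|TOKEN|PASSW|API_KEY|PRIVATE_KEY", re.I)

def _instructions(dockerfile):
    """Yield (INSTRUCTION, arguments) pairs with backslash continuations joined."""
    for line in re.sub(r"\\\n", " ", dockerfile).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            head, _, rest = line.partition(" ")
            yield head.upper(), rest.strip()

def audit_dockerfile(dockerfile):
    """Apply the six checks from the review table; returns {check: PASS|WARN|FAIL}."""
    inst = list(_instructions(dockerfile))
    runs = [a for i, a in inst if i == "RUN"]
    users = [a for i, a in inst if i == "USER"]
    froms = [a for i, a in inst if i == "FROM"]
    apt_runs = [a for a in runs if re.search(r"\bapt(-get)?\s+(update|install)\b", a)]
    pip_runs = [a for a in runs if re.search(r"\bpip3?\s+install\b", a)]
    return {
        # the last USER directive decides the runtime user; no USER at all means root
        "Non-root user": "PASS" if users and users[-1].split(":")[0] not in ("root", "0") else "FAIL",
        "Minimal base image": "PASS" if froms and re.search(r"slim|alpine|distroless", froms[-1]) else "WARN",
        "No secrets in build args": "FAIL" if any(SECRET_ARG.search(a) for i, a in inst if i == "ARG") else "PASS",
        # every apt layer must drop the package lists itself, or they persist in that layer
        "apt cache cleaned": "PASS" if all("/var/lib/apt/lists" in a for a in apt_runs) else "FAIL",
        "No-cache pip install": "PASS" if all("--no-cache-dir" in a for a in pip_runs) else "FAIL",
        "Health check": "PASS" if any(i == "HEALTHCHECK" for i, _ in inst) else "FAIL",
    }
```

Note that the HEALTHCHECK as written depends on curl being present in the final image, which python:3.11-slim does not provide by default.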
## CI/CD Security
No CI/CD pipeline files found in the repository (no .github/workflows/, .gitlab-ci.yml, azure-pipelines.yml, or Jenkinsfile). CI/CD security cannot be assessed.
Recommendation: When CI/CD is added, include dependency scanning, SAST, secret scanning, and image scanning steps.
## Environment Configuration
| Check | Status | Detail |
|---|---|---|
| .env handling | PASS | .env is gitignored (root level); e2e/.env is tracked but contains only COMPOSE_PROFILES=cpu (no secrets) |
| Secrets in docker-compose | PASS | No credentials in compose files; service URLs are internal Docker network names |
| Environment separation | PASS | URLs are configurable via env vars (LOADER_URL, ANNOTATIONS_URL, VIDEOS_DIR, IMAGES_DIR) |
| Secret management | N/A | No secrets required by this service (tokens come from HTTP headers) |
## Network Security
| Check | Status | Detail |
|---|---|---|
| Exposed ports | WARN | Port 8080 exposed; relies on external network controls for access restriction |
| TLS configuration | FAIL | No TLS termination in the application; CMD runs uvicorn without --ssl-* flags |
| CORS | WARN | No CORSMiddleware configured — browser clients cannot make cross-origin requests (may be intentional if behind API gateway) |
| Security headers | FAIL | No security headers middleware (see SAST findings) |
## .gitignore Review
| Check | Status | Detail |
|---|---|---|
| .env files excluded | PASS | .env, .env.* patterns in .gitignore |
| Credentials excluded | PASS | .cursor/mcp.json excluded |
| Binary files excluded | PASS | .onnx, media formats excluded |
| Build artifacts excluded | PASS | build/, dist/, *.so, *.egg-info/ excluded |
## Summary
| Severity | Count |
|---|---|
| Critical | 0 |
| High | 0 |
| Medium | 3 (root containers x2, no TLS) |
| Low | 3 (no healthcheck x2, no CORS config) |