# Infrastructure Security Review **Date**: 2026-05-07 **Scope**: Dockerfiles, compose files, environment templates, GitHub Actions **Result**: PASS_WITH_WARNINGS ## Reviewed Artifacts - `deployment/docker/Dockerfile.runtime` - `deployment/docker/Dockerfile.replay` - `docker-compose.yml` - `docker-compose.test.yml` - `.github/workflows/ci.yml` - `.env.example` - `config/development/runtime.env` - `config/ci/runtime.env` - `config/jetson/runtime.env` ## Findings | ID | Severity | Category | Location | Title | |----|----------|----------|----------|-------| | I1 | Medium | Security Misconfiguration | `docker-compose.yml:7`, `docker-compose.yml:9`, `.env.example:5` | Default Postgres password and exposed host port need stronger dev/prod separation | | I2 | Low | CI/CD Hardening | `.github/workflows/ci.yml` | CI lacks dependency audit / secret scan / SAST gates | ## Finding Details ### I1: Default Postgres password and exposed host port need stronger dev/prod separation `docker-compose.yml` uses `POSTGRES_PASSWORD=gpsd`, publishes `5432:5432`, and points runtime at `.env.example`, which embeds the same example credentials in `GPSD_DATABASE_URL`. **Impact**: Safe enough for local development if never deployed, but risky if copied into staging, Jetson, or field environments. **Remediation**: Move credentials into an ignored local `.env`, document `docker-compose.yml` as development-only, bind local Postgres to loopback, and require production/Jetson credentials from a secret manager or deployment-time secret source. ### I2: CI lacks dependency audit / secret scan / SAST gates `.github/workflows/ci.yml` runs format, lint, unit tests, and compose config validation, but it does not run dependency audit, secret scanning, or SAST. **Impact**: Vulnerable dependencies or accidentally committed secrets may be caught only during manual audits. **Remediation**: Add `pip-audit` for Python dependencies, a secret scanner such as Gitleaks/TruffleHog, and a lightweight SAST pass such as Semgrep or Ruff security rules when the project adopts them. ## Positive Controls - Runtime and replay Dockerfiles create and run as a non-root `gpsd` user. - Runtime image copies only project source and `pyproject.toml`/`README.md`, not `.env` or fixture payloads. - `docker-compose.test.yml` keeps replay/SITL/cache stubs on isolated compose networks and exposes no host ports. - `config/jetson/runtime.env` contains paths and mode labels only; it does not include embedded passwords or signing keys.