azaion/gps-denied-onboard
1
0
Fork 0
mirror of https://github.com/azaion/gps-denied-onboard.git synced 2026-06-21 10:21:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ee6606a9c28c24da145c7e421b9af8b1ce9cc329
gps-denied-onboard/_docs/05_security/infrastructure_review.md
T
Oleksandr Bezdieniezhnykh ee6606a9c2 [AZ-243] Record security audit 
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-07 03:40:36 +03:00

2.5 KiB
Raw Blame History

Infrastructure Security Review

Date: 2026-05-07 Scope: Dockerfiles, compose files, environment templates, GitHub Actions Result: PASS_WITH_WARNINGS

Reviewed Artifacts

  • deployment/docker/Dockerfile.runtime
  • deployment/docker/Dockerfile.replay
  • docker-compose.yml
  • docker-compose.test.yml
  • .github/workflows/ci.yml
  • .env.example
  • config/development/runtime.env
  • config/ci/runtime.env
  • config/jetson/runtime.env

Findings

ID Severity Category Location Title
I1 Medium Security Misconfiguration docker-compose.yml:7, docker-compose.yml:9, .env.example:5 Default Postgres password and exposed host port need stronger dev/prod separation
I2 Low CI/CD Hardening .github/workflows/ci.yml CI lacks dependency audit / secret scan / SAST gates

Finding Details

I1: Default Postgres password and exposed host port need stronger dev/prod separation

docker-compose.yml uses POSTGRES_PASSWORD=gpsd, publishes 5432:5432, and points runtime at .env.example, which embeds the same example credentials in GPSD_DATABASE_URL.

Impact: Safe enough for local development if never deployed, but risky if copied into staging, Jetson, or field environments.

Remediation: Move credentials into an ignored local .env, document docker-compose.yml as development-only, bind local Postgres to loopback, and require production/Jetson credentials from a secret manager or deployment-time secret source.

I2: CI lacks dependency audit / secret scan / SAST gates

.github/workflows/ci.yml runs format, lint, unit tests, and compose config validation, but it does not run dependency audit, secret scanning, or SAST.

Impact: Vulnerable dependencies or accidentally committed secrets may be caught only during manual audits.

Remediation: Add pip-audit for Python dependencies, a secret scanner such as Gitleaks/TruffleHog, and a lightweight SAST pass such as Semgrep or Ruff security rules when the project adopts them.

Positive Controls

  • Runtime and replay Dockerfiles create and run as a non-root gpsd user.
  • Runtime image copies only project source and pyproject.toml/README.md, not .env or fixture payloads.
  • docker-compose.test.yml keeps replay/SITL/cache stubs on isolated compose networks and exposes no host ports.
  • config/jetson/runtime.env contains paths and mode labels only; it does not include embedded passwords or signing keys.
Reference in New Issue View Git Blame Copy Permalink