azaion/gps-denied-onboard
1
0
Fork 0
mirror of https://github.com/azaion/gps-denied-onboard.git synced 2026-06-22 09:21:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ee6606a9c28c24da145c7e421b9af8b1ce9cc329
gps-denied-onboard/_docs/05_security/infrastructure_review.md
T
Oleksandr Bezdieniezhnykh ee6606a9c2 [AZ-243] Record security audit 
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-07 03:40:36 +03:00

50 lines
2.5 KiB
Markdown
Raw Blame History

# Infrastructure Security Review
**Date**: 2026-05-07
**Scope**: Dockerfiles, compose files, environment templates, GitHub Actions
**Result**: PASS_WITH_WARNINGS
## Reviewed Artifacts
- `deployment/docker/Dockerfile.runtime`
- `deployment/docker/Dockerfile.replay`
- `docker-compose.yml`
- `docker-compose.test.yml`
- `.github/workflows/ci.yml`
- `.env.example`
- `config/development/runtime.env`
- `config/ci/runtime.env`
- `config/jetson/runtime.env`
## Findings
| ID | Severity | Category | Location | Title |
|----|----------|----------|----------|-------|
| I1 | Medium | Security Misconfiguration | `docker-compose.yml:7`, `docker-compose.yml:9`, `.env.example:5` | Default Postgres password and exposed host port need stronger dev/prod separation |
| I2 | Low | CI/CD Hardening | `.github/workflows/ci.yml` | CI lacks dependency audit / secret scan / SAST gates |
## Finding Details
### I1: Default Postgres password and exposed host port need stronger dev/prod separation
`docker-compose.yml` uses `POSTGRES_PASSWORD=gpsd`, publishes `5432:5432`, and points runtime at `.env.example`, which embeds the same example credentials in `GPSD_DATABASE_URL`.
**Impact**: Safe enough for local development if never deployed, but risky if copied into staging, Jetson, or field environments.
**Remediation**: Move credentials into an ignored local `.env`, document `docker-compose.yml` as development-only, bind local Postgres to loopback, and require production/Jetson credentials from a secret manager or deployment-time secret source.
### I2: CI lacks dependency audit / secret scan / SAST gates
`.github/workflows/ci.yml` runs format, lint, unit tests, and compose config validation, but it does not run dependency audit, secret scanning, or SAST.
**Impact**: Vulnerable dependencies or accidentally committed secrets may be caught only during manual audits.
**Remediation**: Add `pip-audit` for Python dependencies, a secret scanner such as Gitleaks/TruffleHog, and a lightweight SAST pass such as Semgrep or Ruff security rules when the project adopts them.
## Positive Controls
- Runtime and replay Dockerfiles create and run as a non-root `gpsd` user.
- Runtime image copies only project source and `pyproject.toml`/`README.md`, not `.env` or fixture payloads.
- `docker-compose.test.yml` keeps replay/SITL/cache stubs on isolated compose networks and exposes no host ports.
- `config/jetson/runtime.env` contains paths and mode labels only; it does not include embedded passwords or signing keys.
Reference in New Issue View Git Blame Copy Permalink