From 60977df6020cbebd1d9eced560065d303fd101cf Mon Sep 17 00:00:00 2001 From: Naman Singh Date: Wed, 8 Jul 2026 21:45:03 +0530 Subject: [PATCH] fix: remove hardcoded PostgreSQL credentials from docker-compose.yml The docker-compose.yml had POSTGRES_USER and POSTGRES_PASSWORD hardcoded as 'secuscan', which is a critical security issue in any deployment where the PostgreSQL port is exposed beyond localhost. Changes: - Replace hardcoded credentials with environment variable references that must be set at deploy time (SECUSCAN_POSTGRES_USER, SECUSCAN_POSTGRES_PASSWORD, SECUSCAN_POSTGRES_DB) - Add sensible defaults for user and database name - Use mandatory-variable syntax for the password so docker-compose refuses to start without it - Update the api service's SECUSCAN_POSTGRES_DSN to use the same environment variable references - Document the new variables in .env.example with a strong-password generation hint --- .env.example | 6 ++++++ docker-compose.yml | 10 +++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.env.example b/.env.example index efc2542dd..fa24c7051 100644 --- a/.env.example +++ b/.env.example @@ -12,6 +12,12 @@ SECUSCAN_BIND_PORT=8000 # SECUSCAN_REDIS_URL=redis://127.0.0.1:6379/0 # SECUSCAN_CACHE_TTL_SECONDS=30 +# PostgreSQL — REQUIRED when using docker-compose (not for SQLite dev) +# Generate a strong password with: python -c "import secrets; print(secrets.token_urlsafe(32))" +# SECUSCAN_POSTGRES_USER=secuscan +# SECUSCAN_POSTGRES_DB=secuscan +# SECUSCAN_POSTGRES_PASSWORD= + # Docker Support SECUSCAN_DOCKER_ENABLED=false # Docker sandbox network (auto-created if absent; ICC disabled for isolation) diff --git a/docker-compose.yml b/docker-compose.yml index 307932d9e..b1f452b18 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,15 +3,15 @@ services: postgres: image: postgres:16-alpine environment: - POSTGRES_DB: secuscan - POSTGRES_USER: secuscan - POSTGRES_PASSWORD: secuscan + POSTGRES_DB: ${SECUSCAN_POSTGRES_DB:-secuscan} + POSTGRES_USER: ${SECUSCAN_POSTGRES_USER:-secuscan} + POSTGRES_PASSWORD: ${SECUSCAN_POSTGRES_PASSWORD:?Set SECUSCAN_POSTGRES_PASSWORD to a strong password} ports: - "127.0.0.1:5432:5432" volumes: - postgres_data:/var/lib/postgresql/data healthcheck: - test: ["CMD-SHELL", "pg_isready -U secuscan -d secuscan"] + test: ["CMD-SHELL", "pg_isready -U ${SECUSCAN_POSTGRES_USER:-secuscan} -d ${SECUSCAN_POSTGRES_DB:-secuscan}"] interval: 10s timeout: 5s retries: 5 @@ -43,7 +43,7 @@ services: environment: - SECUSCAN_BIND_ADDRESS=0.0.0.0 # fix: was 127.0.0.1, unreachable inside Docker - SECUSCAN_BIND_PORT=8081 - - SECUSCAN_POSTGRES_DSN=postgresql://secuscan:secuscan@postgres:5432/secuscan + - SECUSCAN_POSTGRES_DSN=postgresql://${SECUSCAN_POSTGRES_USER:-secuscan}:${SECUSCAN_POSTGRES_PASSWORD:?}@postgres:5432/${SECUSCAN_POSTGRES_DB:-secuscan} - SECUSCAN_REDIS_URL=redis://redis:6379/0 - SECUSCAN_PLUGINS_DIR=/app/plugins depends_on: