Skip to content

fix: remove hardcoded PostgreSQL credentials from docker-compose.yml#1972

Open
namann5 wants to merge 1 commit into
utksh1:mainfrom
namann5:fix/hardcoded-postgres-credentials
Open

fix: remove hardcoded PostgreSQL credentials from docker-compose.yml#1972
namann5 wants to merge 1 commit into
utksh1:mainfrom
namann5:fix/hardcoded-postgres-credentials

Conversation

@namann5

@namann5 namann5 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Closes #1970

Summary

Removes hardcoded default PostgreSQL credentials from docker-compose.yml, replacing them with mandatory environment variables that must be set at deploy time.

Changes

  • docker-compose.yml: Replace hardcoded POSTGRES_USER, POSTGRES_PASSWORD with \ mandatory environment variable references
  • docker-compose.yml: Update SECUSCAN_POSTGRES_DSN to use the same variable references
  • .env.example: Document the new SECUSCAN_POSTGRES_USER, SECUSCAN_POSTGRES_PASSWORD, SECUSCAN_POSTGRES_DB variables with strong-password generation hint

Why

Hardcoded credentials (secuscan/secuscan) allow trivial database compromise in any deployment where the PostgreSQL port is reachable — CVSS 9.8 (Critical).

The docker-compose.yml had POSTGRES_USER and POSTGRES_PASSWORD
hardcoded as 'secuscan', which is a critical security issue in any
deployment where the PostgreSQL port is exposed beyond localhost.

Changes:
- Replace hardcoded credentials with environment variable references
  that must be set at deploy time (SECUSCAN_POSTGRES_USER,
  SECUSCAN_POSTGRES_PASSWORD, SECUSCAN_POSTGRES_DB)
- Add sensible defaults for user and database name
- Use  mandatory-variable syntax for the password so
  docker-compose refuses to start without it
- Update the api service's SECUSCAN_POSTGRES_DSN to use the same
  environment variable references
- Document the new variables in .env.example with a strong-password
  generation hint
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Critical: Hardcoded default PostgreSQL credentials in docker-compose.yml

1 participant