@RinZ27 RinZ27 commented Jan 14, 2026

Refactored the bamboo/docker-compose.yml to replace hardcoded credentials with environment variable references. While these services are primarily used for testing, avoiding hardcoded passwords like password or testpass is a prudent security measure.

Changes

  • Updated POSTGRES_PASSWORD to use ${POSTGRES_PASSWORD:-password}.
  • Updated FTP_PASSWORD to use ${FTP_PASSWORD:-testpass} and FTP_USER to use ${FTP_USER:-testuser}.

This approach maintains backward compatibility for local testing while enabling secure credential injection in more sensitive environments. It reduces the risk of default credentials being accidentally propagated into production-like setups.

Proof of Concept:
Unauthorized access to the Postgres or FTP containers would be trivial if they were exposed with these default settings. Transitioning to environment variables reinforces the principle of secure-by-default configuration.
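To make the two interpolation forms concrete, here is an added illustration of a compose service before and after the change. It is not the project's bamboo/docker-compose.yml: the service and image names are assumptions, and only the variable names and default values come from the PR description.

```yaml
# Added illustration, not the project's compose file.
# Service and image names are assumed; variable names and defaults follow the PR.
services:
  # Before: the credential is a literal in the file (and therefore in git history).
  postgres-before:
    image: postgres:16                 # assumed image
    environment:
      POSTGRES_PASSWORD: password

  # After (the PR's pattern): Compose reads the variable from the shell
  # environment or a .env file; ":-" falls back to the old value when the
  # variable is unset OR empty, so local test runs keep working unchanged.
  postgres:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}

  ftp:
    image: example/ftp-server          # assumed image
    environment:
      FTP_USER: ${FTP_USER:-testuser}
      FTP_PASSWORD: ${FTP_PASSWORD:-testpass}

  # Stricter variant for environments where a default must never apply:
  # ":?" makes Compose abort with the message if the variable is unset or empty,
  # instead of silently starting the container with the test password.
  postgres-strict:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
```

`docker compose config` prints the file with interpolation already applied, so a reviewer can confirm which value a given environment resolves to before any container starts. The caveat with the `:-` form is that the fallback is still a known test password checked into the repository; a deployment that simply forgets to export the variable gets it without any warning, which is why the `:?` form is the safer choice anywhere outside local testing.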

@RinZ27 RinZ27 force-pushed the security/harden-ci-docker-creds branch 5 times, most recently from f004996 to ab3393f on January 16, 2026 14:49

Member
@Jkovarik Jkovarik left a comment


Hi there - thanks for your contribution!

Please remove the extraneous/unrelated edits/endlines/etc from the PR so we can review it effectively.

@Jkovarik
Removing objection as this is a CI update in progress.

@Jkovarik Jkovarik dismissed their stale review January 16, 2026 19:58

Change was due to CI updates in progress


RinZ27 commented Jan 17, 2026

Thanks for the review, @Jkovarik. I totally hear you on the extraneous edits—I'll be much tighter with the diffs in future PRs to keep the reviews focused. Since I'm refactoring these CI credentials to use env vars, I'll make sure any follow-up commits stay strictly within that scope. Glad we're on the same page regarding the CI hardening. I'll keep an eye out for any further feedback!

@RinZ27 RinZ27 force-pushed the security/harden-ci-docker-creds branch 2 times, most recently from d05b544 to bf0f237 on January 17, 2026 04:18


RinZ27 commented Jan 17, 2026

I've just cleaned up the PR to remove all the extraneous noise as requested—should be just the Docker security fix now.

I also included a minimal .pre-commit-config.yaml to get the CI checks passing, as the master branch seems to be missing the config for the pre-commit.ci hook. I disabled autofix to keep the diff clean. Happy to drop that file if you'd prefer to handle the CI setup separately!

@RinZ27 RinZ27 force-pushed the security/harden-ci-docker-creds branch from bf0f237 to 96bc38c on January 20, 2026 14:34