Rotate and remove hardcoded credentials from docker-compose.yml #3

Open
opened 2026-04-20 09:33:56 +00:00 by sharang · 0 comments
Owner

Problem

docker-compose.yml contains production secrets committed to version control:

  • Qdrant API key: hardcoded at line 154
  • MinIO access/secret key: lines 184-185
  • PostgreSQL password breakpilot123: line 98
  • JWT_SECRET default your-super-secret-jwt-key-change-in-production
  • Same Qdrant key appears in .gitea/workflows/rag-ingest.yaml

Any person with repo access — or anyone who has ever cloned it — has these credentials.

Required Actions

  1. Rotate immediately: Qdrant API key, MinIO credentials, DB password
  2. Replace all hardcoded values in docker-compose.yml with ${VAR} placeholders
  3. Remove credentials from rag-ingest.yaml CI workflow; use Gitea Actions secrets instead
  4. Add a gitleaks pre-commit hook entry to prevent future commits of these patterns
  5. Verify no other compose or workflow files contain secrets

Acceptance Criteria

  • gitleaks detect --source . --no-git exits 0
  • docker-compose.yml contains zero literal secret values
  • All secrets injected exclusively via Vault or CI/CD secret store at runtime
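As an added check for the acceptance criterion "docker-compose.yml contains zero literal secret values" (not part of the issue or the project's own code): a line-based scan of a compose file's environment entries that flags secret-looking keys whose value is a literal, or a `${VAR:-default}` placeholder whose inline default is itself a committed secret, which is exactly the JWT_SECRET pattern the issue lists. The compose fragment is constructed for the example and the key-name patterns are assumptions.

```python
import re
import sys

# Constructed sample in the shape the issue describes: one literal password,
# one placeholder with an inline default, two clean placeholders.
SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: breakpilot123
      POSTGRES_USER: ${POSTGRES_USER}
  api:
    environment:
      - JWT_SECRET=${JWT_SECRET:-your-super-secret-jwt-key-change-in-production}
      - QDRANT_API_KEY=${QDRANT_API_KEY}
      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY:?must be set}
"""

# Key names treated as secret-bearing (assumed list; extend for your stack).
SECRET_KEY = re.compile(r"(PASSWORD|SECRET|API_KEY|ACCESS_KEY|TOKEN)", re.I)
# Matches both the mapping form "KEY: value" and the list form "- KEY=value".
ENV_LINE = re.compile(r"^\s*-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(.+?)\s*$")
# A placeholder is clean only without an inline default: ${VAR} or ${VAR:?msg}.
CLEAN_PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(:\?[^}]*|\?[^}]*)?\}$")


def find_literal_secrets(text):
    """Return (line_no, key, value) for secret-looking keys not injected at runtime."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if not m or not SECRET_KEY.search(m.group(1)):
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if not CLEAN_PLACEHOLDER.match(value):
            findings.append((line_no, key, value))
    return findings


if __name__ == "__main__":
    # Usage: python check_compose.py docker-compose.yml (non-zero exit on findings)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    hits = find_literal_secrets(source)
    for line_no, key, value in hits:
        print(f"line {line_no}: {key} has a committed value: {value}")
    sys.exit(1 if hits else 0)
```

Run it against the real compose file as a pre-commit step alongside gitleaks; gitleaks pattern-matches the secret strings themselves, while this check catches the structural mistake of a default baked into a placeholder.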
sharang added this to the M1: Security Foundation milestone 2026-04-20 09:33:56 +00:00
sharang added the severity: critical, security, config labels 2026-04-20 09:33:56 +00:00