AFFiNE-Mirror/.devcontainer/docker-compose.yml
OrbisAI Sec b5ebd20314 fix(core): prevent container privilege escalation in .devcontainer/docker-compose.yml (#13814)
**Context and Purpose:**

This PR automatically remediates a security vulnerability:
- **Description:** Service 'app' allows for privilege escalation via
setuid or setgid binaries. Add 'no-new-privileges:true' in
'security_opt' to prevent this.
- **Rule ID:**
yaml.docker-compose.security.no-new-privileges.no-new-privileges
- **Severity:** HIGH
- **File:** .devcontainer/docker-compose.yml
- **Lines Affected:** 4 - 4

This change is necessary to protect the application from potential
security risks associated with this vulnerability.

**Solution Implemented:**

The automated remediation process has applied the necessary changes to
the affected code in `.devcontainer/docker-compose.yml` to resolve the
identified issue.

Please review the changes to ensure they are correct and integrate as
expected.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
  * Enhanced security configuration for the development environment.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-10-28 13:34:04 +08:00

45 lines
993 B
YAML

```yaml
version: '3.8'   # obsolete under the Compose specification; Compose v2 ignores it with a warning
services:
  app:
    security_opt:
      # added by this commit: sets no_new_privs on every process in the container,
      # so setuid/setgid binaries and file capabilities cannot raise privileges on exec
      - no-new-privileges:true
    image: mcr.microsoft.com/devcontainers/base:bookworm
    volumes:
      - ../..:/workspaces:cached
    command: sleep infinity
    network_mode: service:db   # shares the db container's network namespace
    environment:
      DATABASE_URL: postgresql://affine:affine@db:5432/affine
      REDIS_SERVER_HOST: redis
      AFFINE_INDEXER_SEARCH_ENDPOINT: http://indexer:9308
  db:
    image: pgvector/pgvector:pg16
    restart: unless-stopped
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: affine
      POSTGRES_USER: affine
      POSTGRES_DB: affine
  redis:
    image: redis
  indexer:
    image: manticoresearch/manticore:${MANTICORE_VERSION:-10.1.0}
    ulimits:
      nproc: 65535
      nofile:
        soft: 65535
        hard: 65535
      memlock:
        soft: -1
        hard: -1
    volumes:
      - manticoresearch_data:/var/lib/manticore
volumes:
  postgres-data:
  manticoresearch_data:
```
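The commit only hardens the `app` service; `db`, `redis` and `indexer` in the same file still have no `security_opt`. The following script is an added example, not code from the AFFiNE repository or from the scanner that produced this PR: it reimplements the intent of the cited rule in plain Python (function names are this example's own), reports every service lacking `no-new-privileges`, and emits a remediated copy. It works on an already-parsed compose mapping, so PyYAML is only needed if you call `load_compose()` on a real file; the `SAMPLE_COMPOSE` mapping is a constructed reduction of the compose file above.

```python
"""Check a docker-compose service map for no-new-privileges and remediate it.

Added example (hypothetical helper names), not part of the AFFiNE project.
Pass a parsed compose dict, or use load_compose(path) when PyYAML is installed.
"""
from copy import deepcopy

RULE_ID = "yaml.docker-compose.security.no-new-privileges.no-new-privileges"
NNP_OPTION = "no-new-privileges:true"


def _has_no_new_privileges(opts):
    """Accept the spellings Docker understands: 'no-new-privileges',
    'no-new-privileges:true' and 'no-new-privileges=true'."""
    for opt in opts or []:
        name, _, value = str(opt).replace("=", ":").partition(":")
        if name.strip() == "no-new-privileges" and value.strip().lower() in ("", "true"):
            return True
    return False


def find_missing_no_new_privileges(compose):
    """Return (service, reason) pairs for services whose processes can still
    gain privileges through setuid/setgid binaries or file capabilities."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        svc = svc or {}
        if svc.get("privileged"):
            # A privileged container already holds every capability; the
            # option would not make it safe, so report it separately.
            findings.append((name, "privileged: true (no-new-privileges does not help here)"))
            continue
        if not _has_no_new_privileges(svc.get("security_opt")):
            findings.append((name, RULE_ID))
    return findings


def remediate(compose):
    """Return a deep copy with 'no-new-privileges:true' appended to the
    security_opt of every flagged service; privileged services are left
    for a human to redesign."""
    fixed = deepcopy(compose)
    for name, reason in find_missing_no_new_privileges(fixed):
        if reason != RULE_ID:
            continue
        svc = fixed["services"][name]
        svc["security_opt"] = list(svc.get("security_opt") or []) + [NNP_OPTION]
    return fixed


def load_compose(path):
    """Parse a compose file; PyYAML is an optional dependency of this example."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed input: the service layout of the compose file above, reduced
# to the keys the check inspects. Only 'app' carries the hardening.
SAMPLE_COMPOSE = {
    "services": {
        "app": {
            "image": "mcr.microsoft.com/devcontainers/base:bookworm",
            "security_opt": ["no-new-privileges:true"],
        },
        "db": {"image": "pgvector/pgvector:pg16"},
        "redis": {"image": "redis"},
        "indexer": {"image": "manticoresearch/manticore:10.1.0"},
    }
}

if __name__ == "__main__":
    for name, reason in find_missing_no_new_privileges(SAMPLE_COMPOSE):
        print(f"{name}: {reason}")
    print(remediate(SAMPLE_COMPOSE)["services"]["db"]["security_opt"])
```

To confirm the setting actually reached a running container, `docker inspect --format '{{.HostConfig.SecurityOpt}}' <container>` should list `no-new-privileges:true`, and `grep NoNewPrivs /proc/1/status` inside the container should print `NoNewPrivs: 1`; the compose key alone proves nothing if the service is started by a different tool.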