Hi CDS team,
First, thank you for maintaining CDS — it's a great enterprise-grade CI/CD platform.
While reviewing example configs, we noticed a few copy-paste hazards that may leak into production environments:
1) Weak default credentials (P1)
Lines 11-12, 26:
POSTGRES_PASSWORD: cds
redis-server --requirepass cds
Risk: frequent copy/paste into non-dev deployments, enabling trivial brute-force and lateral movement.
2) Plain Docker Engine over TCP 2375 (P1)
Line 93, 279, 283:
hatchery.swarm.dockerEngines.default.host=tcp://dockerhost:2375
TCP4-LISTEN:2375,fork,reuseaddr
Risk: no TLS or auth; violates CIS Docker guidance. Interception or command injection is possible on untrusted networks.
3) EOL component in examples (P2)
Line 32:
image: docker.elastic.co/elasticsearch/elasticsearch:6.7.2
Risk: 2019 version (EOL), missing patches and compliance issues.
Proposed remediation (backward-compatible and low-noise):
- Replace hardcoded secrets with .env-driven placeholders (e.g.,
${POSTGRES_PASSWORD:?set in .env}) and add an .env.sample with CHANGE_ME values. Add a README warning box: "dev-only defaults — never use in production."
- For Docker Engine: default to
unix:///var/run/docker.sock for local, and provide a TLS 2376 example for remote (CA/cert/key), or document DOCKER_TLS_VERIFY.
- Mark Elasticsearch as dev-only, restrict binding to localhost, and document a tested path to ES 8.x or OpenSearch 2.x. At minimum, add a note about EOL and isolation.
Happy to open a PR with:
- .env.sample + docs changes
- example compose/config updates
- a lightweight CI check to prevent reintroduction of ":2375", "POSTGRES_PASSWORD=cds", and "elasticsearch:6.7.2"
If you prefer a private channel for security-related items, we can re-send via your preferred contact.
Context: we run "Configuration Security Review Team" (24h config risk review). Focus here is technical contribution; no obligations.
Thanks for considering — we can adapt to your preferred approach.
Hi CDS team,
First, thank you for maintaining CDS — it's a great enterprise-grade CI/CD platform.
While reviewing example configs, we noticed a few copy-paste hazards that may leak into production environments:
1) Weak default credentials (P1)
Lines 11-12, 26:
Risk: frequent copy/paste into non-dev deployments, enabling trivial brute-force and lateral movement.
2) Plain Docker Engine over TCP 2375 (P1)
Line 93, 279, 283:
Risk: no TLS or auth; violates CIS Docker guidance. Interception or command injection is possible on untrusted networks.
3) EOL component in examples (P2)
Line 32:
Risk: 2019 version (EOL), missing patches and compliance issues.
Proposed remediation (backward-compatible and low-noise):
${POSTGRES_PASSWORD:?set in .env}) and add an.env.samplewith CHANGE_ME values. Add a README warning box: "dev-only defaults — never use in production."unix:///var/run/docker.sockfor local, and provide a TLS 2376 example for remote (CA/cert/key), or document DOCKER_TLS_VERIFY.Happy to open a PR with:
If you prefer a private channel for security-related items, we can re-send via your preferred contact.
Context: we run "Configuration Security Review Team" (24h config risk review). Focus here is technical contribution; no obligations.
Thanks for considering — we can adapt to your preferred approach.