From 3774c3dca7444c74d479e2056b626ce9c535498b Mon Sep 17 00:00:00 2001 From: Dave Date: Sat, 21 Mar 2026 20:57:07 +0000 Subject: [PATCH] storkit: done 359_story_harden_docker_setup_for_security --- ..._story_harden_docker_setup_for_security.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .storkit/work/5_done/359_story_harden_docker_setup_for_security.md diff --git a/.storkit/work/5_done/359_story_harden_docker_setup_for_security.md b/.storkit/work/5_done/359_story_harden_docker_setup_for_security.md new file mode 100644 index 0000000..3a26a82 --- /dev/null +++ b/.storkit/work/5_done/359_story_harden_docker_setup_for_security.md @@ -0,0 +1,28 @@ +--- +name: "Harden Docker setup for security" +retry_count: 3 +blocked: true +--- + +# Story 359: Harden Docker setup for security + +## User Story + +As a storkit operator, I want the Docker container to run with hardened security settings, so that a compromised agent or malicious codebase cannot escape the container or affect the host. + +## Acceptance Criteria + +- [ ] Container runs as a non-root user +- [ ] Root filesystem is read-only with only necessary paths writable (e.g. /tmp, cargo cache, claude state volumes) +- [ ] Linux capabilities dropped to minimum required (cap_drop: ALL, add back only what's needed) +- [ ] no-new-privileges flag is set +- [ ] Resource limits (CPU and memory) are configured in docker-compose.yml +- [ ] Outbound network access is restricted where possible +- [ ] ANTHROPIC_API_KEY is passed via Docker secrets or .env file, not hardcoded in compose +- [ ] Image passes a CVE scan with no critical vulnerabilities +- [ ] Port binding uses 127.0.0.1 instead of 0.0.0.0 (e.g. "127.0.0.1:3001:3001") so the web UI is not exposed on all interfaces +- [ ] Git identity is configured via explicit GIT_USER_NAME and GIT_USER_EMAIL env vars; container fails loudly on startup if either is missing (note: multi-user/distributed case where different users need different identities is out of scope and will require a different solution) + +## Out of Scope + +- TBD