Problem
PR #1930 added `no-new-privileges:true` and resource limits, but standard Docker hardening measures are missing:
- No `read_only: true` filesystem restriction on any service
- No `cap_drop: [ALL]` with selective `cap_add`
- No `tmpfs` mounts for `/tmp` or `/var/run`
These are standard Docker production security practices that limit container escape surface area.
Discovered During
Code review of PR #1930 (Finding 6)
Fix
Add for stateless services (at minimum frontend, prometheus, grafana):
```yaml
read_only: true
tmpfs:
- /tmp
- /var/run
cap_drop:
- ALL
```
For stateful services (redis, postgres, backend), add `cap_drop: [ALL]` with selective `cap_add` for required capabilities.
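As an added example (not part of PR #1930 or this issue), a compose fragment that applies the fix above to one stateless and one stateful service side by side; the image names, the extra tmpfs paths and the capability lists are assumptions to be verified against each image's entrypoint:

```yaml
# Added example, not the project's compose file. Service/image names and
# capability lists are assumptions; confirm each cap_add by starting the
# container and checking its logs for EPERM/permission errors.
services:
  frontend:                        # stateless: immutable rootfs, no caps
    image: nginx:alpine            # assumed image
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
      - /var/run                   # nginx pid file
      - /var/cache/nginx           # nginx writes cache here (assumed)
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE           # only if the image binds <1024 as root
  grafana:                         # stateless config, but persistent data
    image: grafana/grafana         # assumed image; runs as non-root uid
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    cap_drop:
      - ALL
    volumes:
      - grafana-data:/var/lib/grafana   # writable volume survives read_only
  postgres:                        # stateful: keep rootfs writable, drop caps
    image: postgres:16             # assumed image
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:                       # assumed minimum for the official entrypoint,
      - CHOWN                      # which chowns PGDATA and then drops
      - DAC_OVERRIDE               # from root to the postgres user
      - FOWNER
      - SETGID
      - SETUID
    volumes:
      - pg-data:/var/lib/postgresql/data
volumes:
  grafana-data:
  pg-data:
```

After `docker compose up`, confirm the settings took effect with `docker inspect --format '{{.HostConfig.ReadonlyRootfs}} {{.HostConfig.CapDrop}} {{.HostConfig.Tmpfs}}' <container>`.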
Impact
Severity: medium — Defense-in-depth hardening.