Problem Statement
Four docker-compose files and two CI workflows hardcode DB_PASSWORD=password and POSTGRES_PASSWORD=password. Production config (docker-compose.quantara.yaml) correctly uses ${DB_PASSWORD} but dev configs use literal strings.
Evidence
devops/docker-compose.quantara.dev.yaml:30 — DB_PASSWORD=passworddevops/docker-compose.quantara.back.yaml:32 — DB_PASSWORD=passworddevops/docker-compose.quantara.dev-windows.yaml:30 — DB_PASSWORD=password.github/workflows/ci.yml:37,52 — POSTGRES_PASSWORD: password, DB_PASSWORD: password.github/workflows/integration-tests.yml:37,52 — same pattern
# Production config correctly uses env var (docker-compose.quantara.yaml:50):
POSTGRES_PASSWORD: ${DB_PASSWORD}Impact
High — credential leakage risk. If a developer copies dev config pattern to production, database has known password "password". CI passwords could appear in build logs accessible to anyone with repo access. Inconsistency between dev/prod creates confusion.
Proposed Solution
Change all dev docker-compose files to use ${DB_PASSWORD:-password} syntax, providing default fallback but reading from environment if set. Adds DB_PASSWORD=password to .env.dev for explicit dev defaults.
Acceptance Criteria
File Map
devops/docker-compose.quantara.dev.yaml:30 — change to ${DB_PASSWORD:-password}devops/docker-compose.quantara.back.yaml:32 — same changedevops/docker-compose.quantara.dev-windows.yaml:30 — same changequantara/.env.dev — ensure DB_PASSWORD=password set
Testing Strategy
- Integration: Run
docker compose -f devops/docker-compose.quantara.dev.yaml up -d with and without DB_PASSWORD env var
- Manual: Set
DB_PASSWORD=testpass, run compose, verify PostgreSQL receives testpass
Security Considerations
Medium improvement. Establishes consistent env-var-driven pattern across all environments. Dev default of password acceptable for local dev only (database not exposed externally).
Definition of Done
Labels: security, quick-win
Priority: High
Difficulty: Beginner
Estimated Effort: 1h
Problem Statement
Four docker-compose files and two CI workflows hardcode
DB_PASSWORD=passwordandPOSTGRES_PASSWORD=password. Production config (docker-compose.quantara.yaml) correctly uses${DB_PASSWORD}but dev configs use literal strings.Evidence
devops/docker-compose.quantara.dev.yaml:30—DB_PASSWORD=passworddevops/docker-compose.quantara.back.yaml:32—DB_PASSWORD=passworddevops/docker-compose.quantara.dev-windows.yaml:30—DB_PASSWORD=password.github/workflows/ci.yml:37,52—POSTGRES_PASSWORD: password,DB_PASSWORD: password.github/workflows/integration-tests.yml:37,52— same patternImpact
High — credential leakage risk. If a developer copies dev config pattern to production, database has known password "password". CI passwords could appear in build logs accessible to anyone with repo access. Inconsistency between dev/prod creates confusion.
Proposed Solution
Change all dev docker-compose files to use
${DB_PASSWORD:-password}syntax, providing default fallback but reading from environment if set. AddsDB_PASSWORD=passwordto.env.devfor explicit dev defaults.Acceptance Criteria
${DB_PASSWORD:-password}instead of hardcodedpassword.env.devcontainsDB_PASSWORD=passwordmake devstill works without additional configurationFile Map
devops/docker-compose.quantara.dev.yaml:30— change to${DB_PASSWORD:-password}devops/docker-compose.quantara.back.yaml:32— same changedevops/docker-compose.quantara.dev-windows.yaml:30— same changequantara/.env.dev— ensureDB_PASSWORD=passwordsetTesting Strategy
docker compose -f devops/docker-compose.quantara.dev.yaml up -dwith and withoutDB_PASSWORDenv varDB_PASSWORD=testpass, run compose, verify PostgreSQL receivestestpassSecurity Considerations
Medium improvement. Establishes consistent env-var-driven pattern across all environments. Dev default of
passwordacceptable for local dev only (database not exposed externally).Definition of Done
make dev)Labels: security, quick-win
Priority: High
Difficulty: Beginner
Estimated Effort: 1h