# =============================================================================
# SimpleSecCheck Refactored Environment Variables
# =============================================================================
# This file contains the environment variables for the refactored Docker Compose setup.
# Copy this file to .env and adjust values as needed. The copied .env holds live
# credentials and secrets: keep it out of version control and restrict its file
# permissions to the user running Compose.
# =============================================================================
# -----------------------------------------------------------------------------
# ENVIRONMENT MODE
# -----------------------------------------------------------------------------
# Optional: ENVIRONMENT=test only for pytest. Do not set for normal runs.
# -----------------------------------------------------------------------------
# DATABASE CONFIGURATION
# -----------------------------------------------------------------------------
# PostgreSQL (Required). Do not set DATABASE_URL — backend/worker/scanner use POSTGRES_* only.
# The password below is a placeholder; replace it with a long random value
# (e.g. `openssl rand -base64 32`) before the first start — the value chosen
# here initialises the database user.
POSTGRES_PASSWORD=your_strong_password_here
POSTGRES_DB=simpleseccheck
POSTGRES_USER=ssc_user
POSTGRES_HOST=postgres
POSTGRES_PORT=5432
# false = plain TCP (default in Compose; avoids client SSL cert paths). true = TLS for remote/managed Postgres.
# Keep plain TCP only while Postgres is reachable solely on the internal Compose network.
POSTGRES_SSL=false
# -----------------------------------------------------------------------------
# REDIS CONFIGURATION (NEW - Phase 1)
# -----------------------------------------------------------------------------
# Redis connection string for queue management.
# NOTE(review): this URL carries no credentials; presumably acceptable because the
# Redis service is only exposed on the internal Compose network — confirm before
# pointing it at a shared or remote instance.
REDIS_URL=redis://redis:6379
# Redis configuration (optional)
REDIS_MAXMEMORY=256mb
REDIS_MAXMEMORY_POLICY=allkeys-lru
# -----------------------------------------------------------------------------
# CONTAINER USER CONFIGURATION
# -----------------------------------------------------------------------------
# Container UID/GID for volume permissions (match your host user).
# Use an unprivileged UID/GID, not 0, so bind-mounted volumes are not written as root.
PUID=1000
PGID=1000
# -----------------------------------------------------------------------------
# SCANNER CONFIGURATION
# -----------------------------------------------------------------------------
# Scanner target (for manual CLI runs); leave empty for queue-driven scans.
SCAN_TARGET=
# Scanner resource limits (CPU cores / memory). The limits cap what a single
# scan can consume; the reservations are what Compose guarantees to the container.
SCANNER_CPU_LIMIT=4.0
SCANNER_MEMORY_LIMIT=8G
SCANNER_CPU_RESERVATION=1.0
SCANNER_MEMORY_RESERVATION=2G
# -----------------------------------------------------------------------------
# WORKER CONFIGURATION (NEW - Phase 1)
# -----------------------------------------------------------------------------
# Scanner worker: queue is always Redis (no QUEUE_TYPE). Redis URL:
# NOTE(review): this presumably has to point at the same Redis instance as
# REDIS_URL above — keep the two values in sync; confirm against the worker code.
QUEUE_CONNECTION=redis://redis:6379
# -----------------------------------------------------------------------------
# BACKEND CONFIGURATION
# -----------------------------------------------------------------------------
# Backend service settings
SIMPLESECCHECK_ROOT=/app
# NOTE(review): migration note 5 at the bottom of this file says this variable was
# removed from the backend (worker is a separate service) — confirm whether the
# backend still reads it; if not, this line can be dropped.
SCANNER_WORKER_ENABLED=false
SCANNER_PROXY_MODE=false
SESSION_MANAGEMENT=true
QUEUE_ENABLED=true
METADATA_COLLECTION=always
ONLY_GIT_SCANS=true
# -----------------------------------------------------------------------------
# FRONTEND CONFIGURATION
# -----------------------------------------------------------------------------
# Frontend service settings. This is the internal service URL the frontend
# container uses to reach the backend, not a browser-facing URL.
API_BASE_URL=http://backend:8080
# -----------------------------------------------------------------------------
# SECURITY / AUTH (Required – no defaults in code)
# -----------------------------------------------------------------------------
# The three values below are placeholders and must be replaced before the first
# start. Use a distinct random value of at least 32 characters for each
# (e.g. `openssl rand -hex 32`); do not reuse one value for several secrets,
# and do not reuse values from another deployment.
# JWT signing key (required for login/refresh)
JWT_SECRET_KEY=your_jwt_secret_min_32_chars
# Application secret (required — separate from JWT)
SECRET_KEY=your_app_secret_min_32_chars
# Session/guest cookie signing (required)
SESSION_SECRET=your_session_secret_min_32_chars
# -----------------------------------------------------------------------------
# API TOKENS (Optional)
# -----------------------------------------------------------------------------
# OWASP Dependency Check: NVD API token (reduces rate limits)
NVD_API_KEY=
# Optional: Sonatype OSS Index — exit 14 "Failed to request component-reports" = API/rate limit.
# Set OSS_INDEX_URL or OSS_INDEX_TOKEN if your OWASP DC version supports it; else retry or use NVD only.
# Snyk Token for Snyk vulnerability scanning
SNYK_TOKEN=
# -----------------------------------------------------------------------------
# PRODUCTION ONLY - Session Configuration
# -----------------------------------------------------------------------------
# Session duration in seconds (default: 86400 = 24 hours)
SESSION_DURATION=86400
# Session cookie configuration: cookie name and the header name accepted as an
# alternative carrier of the session id.
SESSION_COOKIE_NAME=session_id
SESSION_HEADER_NAME=X-Session-ID
# -----------------------------------------------------------------------------
# PRODUCTION ONLY - Queue Configuration
# -----------------------------------------------------------------------------
# Maximum queue length
MAX_QUEUE_LENGTH=1000
# Worker: the number of parallel scans is taken from the DB (Admin/Setup).
# Only set this if you want to ignore the DB value:
# MAX_CONCURRENT_JOBS=3
# If set, it overrides ALL admin values — remove the line when benchmarking with 2/3 slots!
# -----------------------------------------------------------------------------
# PRODUCTION ONLY - Rate Limiting
# -----------------------------------------------------------------------------
# Rate limits per session
RATE_LIMIT_PER_SESSION_SCANS=10
RATE_LIMIT_PER_SESSION_REQUESTS=100
# Rate limits per IP address
# NOTE(review): the time window these counts apply to is not stated here — confirm
# in the backend and document it.
RATE_LIMIT_PER_IP_SCANS=50
RATE_LIMIT_PER_IP_REQUESTS=1000
# -----------------------------------------------------------------------------
# PRODUCTION ONLY - Size Limits
# -----------------------------------------------------------------------------
# Maximum ZIP upload size (only relevant when ZIP_UPLOAD_ENABLED=true)
MAX_ZIP_UPLOAD_SIZE=100M
# Maximum Git repository size
MAX_GIT_REPO_SIZE=500M
# Maximum disk usage per scan
MAX_SCAN_DISK_USAGE=2G
# -----------------------------------------------------------------------------
# PRODUCTION ONLY - Scan Deduplication
# -----------------------------------------------------------------------------
# Age in days for scan deduplication
SCAN_DEDUPLICATION_AGE_DAYS=7
# -----------------------------------------------------------------------------
# PRODUCTION ONLY - Optional Features
# -----------------------------------------------------------------------------
# Enable statistics collection
STATISTICS_ENABLED=true
# Enable ZIP upload feature (security note: allows arbitrary code upload).
# Leave disabled unless uploads come only from trusted, authenticated users;
# if enabled, keep MAX_ZIP_UPLOAD_SIZE and MAX_SCAN_DISK_USAGE tight.
ZIP_UPLOAD_ENABLED=false
# CORS allowed origins (comma-separated, empty = no CORS).
# List exact origins (scheme + host + port); avoid a wildcard in production.
CORS_ALLOWED_ORIGINS=
# -----------------------------------------------------------------------------
# DEVELOPMENT ONLY - Optional Overrides
# -----------------------------------------------------------------------------
# Development size limits (more generous than Production)
# MAX_ZIP_UPLOAD_SIZE=500M
# MAX_GIT_REPO_SIZE=1G
# MAX_SCAN_DISK_USAGE=5G
# -----------------------------------------------------------------------------
# QUEUE CLEANUP (Always Enabled)
# -----------------------------------------------------------------------------
# Automatic cleanup of old completed/failed queue items
QUEUE_CLEANUP_INTERVAL_HOURS=24
QUEUE_CLEANUP_MAX_AGE_DAYS=7
# -----------------------------------------------------------------------------
# CHECKOV (scanner container, optional)
# -----------------------------------------------------------------------------
# CHECKOV_FILES_PER_BATCH=80
# CHECKOV_SKIP_FRAMEWORKS=secrets,cdk,arm # comma-separated --skip-framework; omit = skip none
# =============================================================================
# MIGRATION NOTES
# =============================================================================
#
# Key changes from original configuration:
#
# 1. Added REDIS_URL for queue management
# 2. Added WORKER_* variables for scanner worker configuration
#    (NOTE(review): no WORKER_* variable appears in this file — the worker is
#    configured via QUEUE_CONNECTION above; confirm the intended names.)
# 3. QUEUE_CONNECTION / REDIS_URL for the worker queue (always Redis)
# 4. Added API_BASE_URL for frontend-backend communication
# 5. Removed SCANNER_WORKER_ENABLED from backend (now handled by separate worker service)
# 6. Parallel worker jobs from DB / MAX_CONCURRENT_JOBS
#
# To migrate from original setup:
# 1. Copy your existing .env file
# 2. Add the new Redis and Worker configuration variables
# 3. Update any hardcoded database URLs to use the new variables
# 4. Test the new configuration with: docker compose -f docker-compose.refactored.yml up