claude-did-this/claude-hub
1
0
Fork 1
mirror of https://github.com/claude-did-this/claude-hub.git synced 2026-02-14 19:30:02 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
7e545475d0c51b04f2df1c16fbc2c6d4d47dde3a
claude-hub/docker-compose.yml
Jonathan Flatt 7e545475d0 security: Implement comprehensive credential protection system 
Replace environment variable credentials with secure file-based mounting
to prevent runtime credential exposure that was causing security leaks.

Key security improvements:
- Docker secrets integration for credential mounting
- Secure credential loader utility (secureCredentials.js)
- Enhanced logging redaction for all credential types
- Pre-commit security scanning with multiple tools
- Automated security audit workflow and scripts
- File-based credentials with proper 600 permissions

Services updated:
- githubController.js: Use secure credentials for webhook verification
- claudeService.js: Use secure credentials for GitHub/Anthropic APIs
- githubService.js: Use secure credentials for GitHub API calls
- logger.js: Enhanced redaction patterns for all credential types

New security infrastructure:
- ./scripts/setup/setup-secure-credentials.sh: Setup script for secure credentials
- ./scripts/security/credential-audit.sh: Comprehensive security audit
- .github/workflows/security-audit.yml: Automated security scanning
- docker-compose.yml: Updated to use Docker secrets by default
- k8s/secrets.yaml: Kubernetes secrets configuration
- systemd/claude-webhook.service: Systemd service configuration

This eliminates credential exposure in:
- Environment variables and process lists
- Container logs and debug output
- Git commits and PR comments
- Runtime error messages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-21 23:03:07 -05:00

49 lines
1.4 KiB
YAML
Raw Blame History

services:
webhook:
build: .
ports:
- "8082:3002"
volumes:
- .:/app
- /app/node_modules
- /var/run/docker.sock:/var/run/docker.sock
- ${HOME}/.aws:/root/.aws:ro
secrets:
- github_token
- anthropic_api_key
- webhook_secret
environment:
- NODE_ENV=production
- PORT=3002
- AUTHORIZED_USERS=${AUTHORIZED_USERS:-Cheffromspace}
- BOT_USERNAME=${BOT_USERNAME:-@MCPClaude}
- DEFAULT_GITHUB_OWNER=${DEFAULT_GITHUB_OWNER:-Cheffromspace}
- DEFAULT_GITHUB_USER=${DEFAULT_GITHUB_USER:-Cheffromspace}
- DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
- CLAUDE_USE_CONTAINERS=1
- CLAUDE_CONTAINER_IMAGE=claudecode:latest
# Point to secret files instead of env vars
- GITHUB_TOKEN_FILE=/run/secrets/github_token
- ANTHROPIC_API_KEY_FILE=/run/secrets/anthropic_api_key
- GITHUB_WEBHOOK_SECRET_FILE=/run/secrets/webhook_secret
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3002/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
networks:
- n8n_default
secrets:
github_token:
file: ./secrets/github_token.txt
anthropic_api_key:
file: ./secrets/anthropic_api_key.txt
webhook_secret:
file: ./secrets/webhook_secret.txt
networks:
n8n_default:
external: true
Reference in New Issue View Git Blame Copy Permalink