[Security] Fix HIGH vulnerability: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service (#1005)

Co-authored-by: orbisai0security <orbisai0security@users.noreply.github.com> Co-authored-by: houseme <housemecn@gmail.com>
2026-01-16 17:20:33 +00:00 · 2025-12-08 19:35:10 +05:30
parent 15c75b9d36
commit 7c98c62d60
1 changed files with 7 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -196,6 +196,8 @@ services:

  # NGINX reverse proxy (optional)
  nginx:
+    security_opt:
+      - "no-new-privileges:true"
    image: nginx:alpine
    container_name: nginx-proxy
    ports:
@@ -204,9 +206,14 @@ services:
    volumes:
      - ./.docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./.docker/nginx/ssl:/etc/nginx/ssl:ro
+    tmpfs:
+      - /var/run
+      - /var/cache/nginx
+      - /var/log/nginx
    networks:
      - rustfs-network
    restart: unless-stopped
+    read_only: true
    profiles:
      - proxy
    depends_on: