## Security Audit Checklist

- [ ] Audit all secrets in and ensure no hardcoded secrets in repo
- [ ] Audit docker-compose.yml for security hardening:
  - [ ] Remove hardcoded secrets (e.g., )
  - [ ] Add to all containers
  - [ ] Add where applicable
  - [ ] Add and minimal where needed
  - [ ] Add non-root user for containers
  - [ ] Add with explicit networks
  - [ ] Add and resource limits
- [ ] Remove hardcoded from searxng/settings.yml
- [ ] Audit for placeholder secrets (should be clear placeholders, not real values)
- [ ] Audit file permissions (should be 600)
- [ ] Add to (verify)
- [ ] Audit docker-compose.yml for exposed ports (bind to 127.0.0.1 by default)
- [ ] Audit searxng/settings.yml for hardcoded secret_key
- [ ] Add secret scanning (gitleaks/trufflehog) to CI
- [ ] Add container vulnerability scanning (trivy/grype) to CI
- [ ] Add SAST scanning (semgrep/codeql) to CI

Reference: OWASP Docker Security Cheat Sheet, CIS Docker Benchmark
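The docker-compose.yml hardening items above, shown as one worked configuration. This is an added example, not this project's compose file: the service names (`web`, `db`), image names, the `/healthz` path and the UID `10001` are assumptions, and the "before" shape is kept only in comments for contrast. Every key used is a standard Compose-spec key that `docker compose` v2 honours without Swarm.

```yaml
services:
  # Before: the shape the checklist is flagging (comment only, for contrast).
  # web:
  #   image: ghcr.io/example/web:latest   # floating tag
  #   environment:
  #     - SECRET_KEY=changeme123          # hardcoded secret, committed to git
  #   ports:
  #     - "8080:8080"                     # binds 0.0.0.0: reachable from the LAN
  #   # runs as root, all capabilities, writable rootfs, no limits, default network

  # After: the same service with each checklist item applied.
  web:
    image: ghcr.io/example/web:1.4.2      # assumed name; pin a tag or digest, never :latest
    env_file:
      - .env                              # secrets come from an untracked .env (mode 600)
    user: "10001:10001"                   # non-root UID:GID that exists in the image
    read_only: true                       # immutable root filesystem
    tmpfs:
      - /tmp                              # only the paths that genuinely need writes
    security_opt:
      - no-new-privileges:true            # setuid/setgid binaries cannot raise privileges
    cap_drop:
      - ALL                               # start from zero capabilities ...
    cap_add:
      - NET_BIND_SERVICE                  # ... and add back only what the process needs
    pids_limit: 256                       # fork-bomb guard
    deploy:
      resources:
        limits:                           # honoured by docker compose v2 (no Swarm needed)
          cpus: "1.0"
          memory: 512M
    ports:
      - "127.0.0.1:8080:8080"             # loopback only; a reverse proxy fronts it
    networks:
      - frontend
      - backend
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/healthz"]  # path assumed
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    restart: unless-stopped

  db:
    image: postgres:16-alpine             # example dependency, same rules apply
    env_file:
      - .env
    read_only: true
    tmpfs:
      - /run/postgresql                   # unix socket directory must be writable
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      - backend                           # no ports: block, unreachable from the host
    restart: unless-stopped

networks:
  frontend: {}
  backend:
    internal: true                        # no route to the outside world at all

volumes:
  pgdata: {}
```

Two checks worth running after editing: `docker compose config` renders the merged file so you can confirm no `environment:` entry still carries a literal secret, and `docker compose ps` shows port bindings as `127.0.0.1:8080->8080/tcp`, not `0.0.0.0`. A read-only root filesystem will surface any writable path the image silently relied on as a startup failure, which is the point: each such path gets an explicit `tmpfs` or volume rather than a writable rootfs.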
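The three CI items (secret scanning, container vulnerability scanning, SAST) as one workflow. This is an added example rather than this repository's pipeline; it assumes GitHub Actions (the page does not name a CI system), picks gitleaks, trivy and semgrep from the pairs listed, runs each tool from its official container image, and assumes `searxng/searxng:latest` as the image to scan because settings.yml is mentioned above. Only documented CLI flags are used; each job fails the build on findings.

```yaml
name: security-scans
on:
  push:
  pull_request:

permissions:
  contents: read                       # least privilege for the GITHUB_TOKEN

jobs:
  secrets:
    runs-on: ubuntu-latest
    container: zricethezav/gitleaks:latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0               # full history: a secret deleted in HEAD is still in git
      - run: gitleaks detect --source . --redact --no-banner   # non-zero exit on any leak

  containers:
    runs-on: ubuntu-latest
    container: aquasec/trivy:latest
    steps:
      - uses: actions/checkout@v4
      # Repo scan: lockfiles, Dockerfile/IaC misconfigurations, and a second secret pass.
      - run: trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 .
      # Image scan: replace with the images docker-compose.yml pins (name assumed here).
      - run: trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 searxng/searxng:latest

  sast:
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config p/default --error   # --error: findings fail the job
```

`fetch-depth: 0` matters only for the gitleaks job: with the default shallow checkout it would see a single commit and miss the far more common case of a secret that was committed, then "removed" in a later commit but never rotated. `--ignore-unfixed` keeps the image job from failing on CVEs the base distribution has not shipped a fix for; drop it if the policy is to block on those too.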