industrial-edge-insights-multimodal: DBS vuln fix #1149

Merged: sathyendranv merged 1 commit into release-2025.2.0 from bugfix/pooja/dbs_fix, Nov 21, 2025

pooja-intel (Contributor) commented Nov 20, 2025

Description

Changes:
1. docker-compose.yml - Set read only to true and added security opt.
2. industrial-edge-insights-time-series/docker-compose.yml - Added read only vol mount

Fixes # (issue)

Any Newly Introduced Dependencies

No

How Has This Been Tested?

Yes

Checklist:

  • I agree to use the APACHE-2.0 license for my code changes.
  • I have not introduced any 3rd party components incompatible with APACHE-2.0.
  • I have not included any company confidential information, trade secret, password or security token.
  • I have performed a self-review of my code.

Changes:
 1.docker-compose.yml-Set read only to true and added security opt.
 2.industrial-edge-insights-time-series/docker-compose.yml - Added read
   only vol mount

Signed-off-by: Pooja Kumbharkar <pooja.kumbharkar@intel.com>
pooja-intel added the 2025.2 Time Series Sample Apps All the time series sample apps and multimodal sample app related activities for 2025.2 release label Nov 20, 2025
vkb1 requested a review from Copilot November 20, 2025 17:22

Copilot AI left a comment

Pull Request Overview

This PR enhances container security by implementing read-only filesystem configurations and privilege restrictions across multiple Docker services to address DBS (Docker Bench Security) vulnerabilities.

  • Added read_only: true and security_opt: no-new-privileges to multiple services
  • Configured volume mounts as read-only where appropriate
  • Applied security hardening to nginx_proxy, ia-fusion-analytics, dlstreamer-pipeline-server, mediamtx, and coturn services

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| manufacturing-ai-suite/industrial-edge-insights-time-series/docker-compose.yml | Made volume mounts read-only for analytics service configuration files and device access |
| manufacturing-ai-suite/industrial-edge-insights-multimodal/docker-compose.yml | Added read-only filesystem and security options to five container services (nginx_proxy, ia-fusion-analytics, dlstreamer-pipeline-server, mediamtx, coturn) |
Comments suppressed due to low confidence (1)

manufacturing-ai-suite/industrial-edge-insights-multimodal/docker-compose.yml:1

  • Mounting /dev/dri as read-only may prevent GPU operations that require write access to device files. Hardware device mounts typically need write permissions for proper driver communication and resource management.
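
Added example, not part of this PR, the review, or the project's code: a small audit of the three settings the PR touches (`read_only`, `no-new-privileges`, read-only bind mounts). It assumes the input is the normalized JSON printed by `docker compose config --format json`; the service names are taken from the PR, while the paths and values in the sample are constructed.

```python
import json

# Constructed sample shaped like `docker compose config --format json` output.
# Service names come from the PR; paths and settings are invented.
SAMPLE = json.loads("""
{"services": {
  "nginx_proxy": {
    "read_only": true,
    "security_opt": ["no-new-privileges:true"],
    "volumes": [{"type": "bind", "source": "/opt/certs",
                 "target": "/certs", "read_only": true}]
  },
  "mediamtx": {
    "security_opt": ["no-new-privileges:true"],
    "volumes": [{"type": "bind", "source": "/opt/mediamtx.yml",
                 "target": "/mediamtx.yml"}]
  },
  "coturn": {
    "read_only": true,
    "security_opt": ["no-new-privileges:false"]
  }
}}
""")

def no_new_privs(opts):
    """True if security_opt enables no-new-privileges (bare, ':true' or '=true')."""
    for opt in opts or []:
        key, _, val = opt.replace("=", ":", 1).partition(":")
        if key.strip() == "no-new-privileges" and val.strip().lower() in ("", "true"):
            return True
    return False

def audit(compose):
    """Return {service: [findings]}; services with no findings are omitted."""
    report = {}
    for name, svc in compose.get("services", {}).items():
        findings = []
        if svc.get("read_only") is not True:
            findings.append("root filesystem is writable (read_only not set)")
        if not no_new_privs(svc.get("security_opt")):
            findings.append("no-new-privileges not enabled")
        for vol in svc.get("volumes", []):
            if isinstance(vol, dict) and vol.get("type") == "bind" and not vol.get("read_only"):
                findings.append(f"bind mount {vol.get('source')} -> {vol.get('target')} is writable")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for service, findings in audit(SAMPLE).items():
        print(service, findings)
```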

sathyendranv merged commit 4f19e57 into release-2025.2.0 Nov 21, 2025
38 checks passed
sathyendranv deleted the bugfix/pooja/dbs_fix branch November 21, 2025 03:32
sathyendranv pushed a commit that referenced this pull request Nov 24, 2025
This PR enhances container security by implementing read-only filesystem configurations and privilege restrictions across multiple Docker services to address DBS (Docker Bench Security) vulnerabilities.

- Added read_only: true and security_opt: no-new-privileges to multiple services
- Configured volume mounts as read-only where appropriate
- Applied security hardening to nginx_proxy, ia-fusion-analytics, dlstreamer-pipeline-server, mediamtx, and coturn services

Signed-off-by: Pooja Kumbharkar <pooja.kumbharkar@intel.com>