@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (31 fixed, 11 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (32 fixed, 10 open).
---
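Review bot: the sev-1 roll-up moves from 31 fixed / 11 open to 32 fixed / 10 open, which corresponds to exactly one finding (F64) being closed in the second hunk, but the totals are hand-edited literals with nothing in this hunk tying them to the per-finding status lines. If the tally stays in the summary blockquote, consider noting in the commit which finding IDs moved, or derive the roll-up from the finding list so that a later status edit cannot drift from it.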
@@ -2062,6 +2062,16 @@
runs `cleanup-audit` (audit retention silently broken) or
`cleanup-expired-manual-blocks`. Failure-open monitoring gap.
- **Severity: 1**
+- **Status:** Fixed by the F22 fix (the scheduler-image rebuild that
+ replaced the runtime `apk add` with a pinned-digest Dockerfile).
+ The bind-mount of `./docker/scheduler.crontab` is gone;
+ `scheduler/scheduler.crontab` is `COPY`ed into the image at build
+ time so the schedule is part of the immutable artifact (`COPY
+ scheduler.crontab /etc/crontabs/root` in `scheduler/Dockerfile`).
+ Operators wanting a different cadence can still bind-mount their
+ own crontab over `/etc/crontabs/root` in compose, but the default
+ no longer depends on a host file at all. Closing F64 for
+ bookkeeping; no new code change required.
### F65 — `SecretScrubbingProcessor` does not match raw JWT shape
- **Files:** `api/src/Infrastructure/Logging/SecretScrubbingProcessor.php:42-57`,
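Review bot: the new F64 status closes the finding outright, but the finding text visible in the leading context ("Failure-open monitoring gap", with `cleanup-audit` and `cleanup-expired-manual-blocks` silently not running) describes two problems, the host-file dependency and the lack of any signal when the cleanup jobs do not run, and the status only addresses the first. Baking `scheduler.crontab` into the image via `COPY scheduler.crontab /etc/crontabs/root` removes the bind-mount, yet the same paragraph says operators may still bind-mount their own crontab over `/etc/crontabs/root`, which recreates the original failure mode for anyone who does (a replacement crontab missing either cleanup entry still fails open with nothing to detect it). Suggest either leaving F64 open for the monitoring half, or stating explicitly that this residual risk is accepted and what, if anything, alerts on a missed cleanup run. It would also help to add a back-reference from the F22 entry to F64, since the closure rationale lives entirely in the F22 fix.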