From 83c20c633ce6154af1710656784f077167b87db7 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 13 Jul 2026 03:25:54 +0000 Subject: [PATCH] Triage websec run self-scan findings Fixes the `docker-no-healthcheck` finding by adding `HEALTHCHECK NONE` to Dockerfile, as the CLI image does not require a running daemon health check. Suppresses the `weak-csp` finding from `transport_security` via `.websec-ignore` because this repo is a CLI tool, not a web application serving HTML. --- .websec-ignore | 4 ++++ Dockerfile | 1 + 2 files changed, 5 insertions(+) diff --git a/.websec-ignore b/.websec-ignore index 74a235a..414cde9 100644 --- a/.websec-ignore +++ b/.websec-ignore @@ -62,3 +62,7 @@ src/websec_validator/briefing.py # The AppSync GraphQL "surface" is detected purely from our own `@aws_*` example strings — no real # GraphQL server lives in this repo, so the synthetic graphql finding is a self-reference. category:graphql + +# The transport security baseline audit flags missing CSP/HSTS headers. +# This repo is a CLI tool, not a browser-facing web application. +category:transport diff --git a/Dockerfile b/Dockerfile index bc826c2..ff26c4f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,5 +51,6 @@ RUN pip install --no-cache-dir . RUN useradd --create-home --uid 1001 websec WORKDIR /scan USER websec +HEALTHCHECK NONE ENTRYPOINT ["websec"] CMD ["--help"]