bur-cli
BUR-10Discover databases from Docker labels
Description
discovery.py: find the opt-in databases and resolve their settings from bur.* labels on the running container, so there's no dependency on a repo checkout.
discover() -> [DbTarget]viadocker ps --filter label=bur.enable=trueanddocker inspect. Resolveapp(default: container name),database(default: app),user(default: postgres),retention.keep(fallback to the global), andschedule(default: daily).- Validate label values, since they are attacker-influencable input rather than trusted config.
app,database, andusermust match^[a-z0-9][a-z0-9_-]*$(no path traversal into filenames);bur.pathmust realpath inside a configured allowlist. Reject anything else with a typed error. audit() -> [unlabelled]: running containers whose image matchespostgres_image_matchbut lackbur.enable.
Acceptance
- labels parse into typed targets with defaults applied.
- hostile values are rejected:
bur.app=../../etcand abur.pathoutside the allowlist both fail loudly. -
auditfinds unlabelledpostgrescontainers; tested against mockeddocker inspectJSON, with no live Docker.
Sub-tickets
0No sub-tickets yet.
Links
No links.
Comments
0No comments yet.