marcel

0 Followers · 0 Following

• Joined on 2026-03-17

Repositories

3

Projects Packages Public Activity Starred Repositories

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:49 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

📋 Elicit — Requirements Engineer

Verdict: ⚠️ Approved with concerns

Issue #459 (non-root OCR container) is fully addressed. The implementation covers the stated requirements. One…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:39 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🛠️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ⚠️ Approved with concerns

The hardening work is solid and the config is production-grade. One ops documentation gap needs fixing…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:28 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ⚠️ Approved with concerns

TDD evidence is present — two tests for the HTRMOPO_DIR change landed before (or alongside) the…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:18 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🏗️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

No layer violations, no new services, no domain boundary issues — this is a self-contained hardening…

marcel created pull request marcel/familienarchiv#611 2026-05-17 16:58:02 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

marcel created branch feat/issue-459-ocr-non-root in marcel/familienarchiv 2026-05-17 16:57:48 +02:00

marcel pushed to feat/issue-459-ocr-non-root at marcel/familienarchiv 2026-05-17 16:57:48 +02:00

581ba01d8d security(ocr): log warning on startup when running as root

9db42d6cc1 fix(ocr): resolve HTRMOPO_DIR from env var, not ~ expansion

ab24786d2a security(ocr): harden compose — fix cache volume path, add read_only + cap_drop

1aca4c4a41 security(ocr): add non-root user and set HOME/HF_HOME in Dockerfile

Compare 4 commits »

marcel commented on issue marcel/familienarchiv#459 2026-05-17 16:52:01 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

✅ Implementation complete — branch feat/issue-459-ocr-non-root

What was done

4 commits, all tests green:

marcel deleted branch feat/issue-528-xxe-hardening from marcel/familienarchiv 2026-05-17 16:42:13 +02:00

marcel pushed to main at marcel/familienarchiv 2026-05-17 16:42:12 +02:00

669eaa7c65 fix(ci): pin semgrep version, add pip cache, harden rule severity

f15ea031d1 ci(security): add Semgrep XXE rule and CI scan job

25a39fca9c security(import): harden DocumentBuilderFactory against XXE in MassImportService

Compare 3 commits »

marcel closed issue marcel/familienarchiv#528 2026-05-17 16:42:11 +02:00

security(import): harden DocumentBuilderFactory against XXE in MassImportService

marcel merged pull request marcel/familienarchiv#610 2026-05-17 16:42:11 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:48 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

🎨 Leonie Voss (@leonievoss) — UI/UX Design Lead

Verdict: ✅ Approved

This PR is entirely backend and CI — no frontend components, no routes, no UI changes, no Svelte files, no Tailwind…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:42 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

📋 Elicit — Requirements Engineer & Business Analyst

Verdict: ✅ Approved

This PR directly closes issue #528. The implemented scope matches the stated requirements precisely, with no…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:27 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

🧪 Sara Holt (@saraholt) — QA Engineer & Test Strategist

Verdict: ✅ Approved

Both tests are well-structured, correctly placed in the test pyramid, and the regression test is permanently…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:07 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

🚀 Tobias Wendt (@tobiwendt) — DevOps & Platform Engineer

Verdict: ✅ Approved

The CI job is clean, minimal, and fits the existing pipeline structure. A few observations, nothing…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:19:55 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

🏛️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

The fix is architecturally sound. My concern is documentation: a new class has been added to the…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:19:38 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

Clean, focused, and test-first. The change does one thing and does it well. My usual checklist found very little to…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:19:22 +02:00

security(import): harden DocumentBuilderFactory against XXE (#528)

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

This is a textbook XXE remediation. The implementation follows the OWASP XML External Entity Prevention Cheat…

marcel pushed to feat/issue-528-xxe-hardening at marcel/familienarchiv 2026-05-17 16:18:27 +02:00

669eaa7c65 fix(ci): pin semgrep version, add pip cache, harden rule severity