Security Posture
Cross-stack security and operational audit. Since v0.11.0.
strut posture scans every stack for placeholder secrets, exposed ports, missing resource limits, env files tracked in git, and missing required_vars. It is designed as a CI gate: by default it exits non-zero on any fail finding, and --fail-on warn lowers the threshold so warnings block the pipeline too.
```sh
strut posture                                    # Full audit, all stacks
strut posture --stack my-stack                   # One stack
strut posture --category secrets --fail-on warn  # Narrow + strict gate
strut posture --json                             # Structured output
```

Checks are grouped into categories so you can scope an audit:
| Category | Check | Level | Fix hint |
|---|---|---|---|
| secrets | Placeholder values in env files (changeme, password, todo, …) | fail | Set a real value |
| secrets | required_vars missing or empty in .env | fail | Populate the var |
| filesystem | .env / *.env tracked by git | fail | Gitignore + git rm --cached |
| network | docker-compose.yml ports published to 0.0.0.0 | warn | Prefix 127.0.0.1: or move behind reverse proxy |
| runtime | Services with no memory limits | warn | Set mem_limit or deploy.resources.limits |
Passes are silent in text output so the report stays actionable; every finding is included in --json output.
The text summary totals each level:
```text
4 passed, 2 warnings, 1 failures
```
JSON output includes the same counters under summary:
```json
{
  "timestamp": "2026-04-21T12:00:00Z",
  "findings": [
    {
      "level": "fail",
      "category": "secrets",
      "stack": "my-stack",
      "message": ".env: DB_PASSWORD appears to be a placeholder ('changeme')",
      "remediation": "Set a real value for DB_PASSWORD in .env"
    }
  ],
  "summary": { "pass": 4, "warn": 2, "fail": 1 }
}
```

Exit codes:
| Flag | Behaviour |
|---|---|
| (default) | Exit 1 on any fail finding |
| --fail-on warn | Exit 1 on any warn or fail finding |
| --fail-on fail | Same as default |
```sh
# PR gate — block on any warning
strut posture --fail-on warn --json > posture.json
```

In text mode, the same stack with one failing and two warning findings reports:

```text
Posture check
✗ [secrets] my-stack: .env: DB_PASSWORD appears to be a placeholder ('changeme')
  → Set a real value for DB_PASSWORD in .env
⚠ [network] my-stack: 2 port mapping(s) publish to 0.0.0.0 (first: - "3000:3000")
  → Prefix with 127.0.0.1: to restrict to localhost or move behind the reverse proxy
⚠ [runtime] my-stack: 3 service(s) with no memory limits
  → Set mem_limit or deploy.resources.limits in docker-compose.yml
4 passed, 2 warnings, 1 failures
```
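To make the check table and the --fail-on rule concrete, here is an added example that is not strut's own code: a self-contained Python reference implementation of the five checks above, the pass/warn/fail summary counters, the silent-pass text report, and the exit-code threshold. It assumes the compose file has already been parsed into a dict (for instance with yaml.safe_load), that env files are name/value dicts, and that the git-tracked paths come from git ls-files. The placeholder patterns beyond changeme/password/todo, the exact message wording, and all sample inputs are constructed for illustration.

```python
"""Added example (not strut's own code): the posture checks listed above plus the
--fail-on exit-code rule. Assumes the compose file is already parsed into a dict
(e.g. with yaml.safe_load), env files are {NAME: value} dicts and tracked paths come
from `git ls-files`; message wording and all sample data are constructed here."""
import json
import re
from dataclasses import asdict, dataclass

# changeme/password/todo come from the page; the remaining patterns are assumed.
PLACEHOLDER_RE = re.compile(r"change[-_]?me|password|todo|xxx+|your[-_]\w+", re.I)
LEVEL_RANK = {"pass": 0, "warn": 1, "fail": 2}


@dataclass
class Finding:
    level: str       # "pass" | "warn" | "fail"
    category: str    # secrets | filesystem | network | runtime
    stack: str
    message: str
    remediation: str = ""


def check_placeholders(stack, env_name, env):
    """secrets: a value matching a known placeholder is a fail (one finding per var)."""
    hits = [Finding("fail", "secrets", stack, f"{env_name}: {k} appears to be a placeholder ({v!r})",
                    f"Set a real value for {k} in {env_name}")
            for k, v in env.items() if PLACEHOLDER_RE.fullmatch(str(v).strip().strip("'\""))]
    return hits or [Finding("pass", "secrets", stack, "placeholders: ok")]

def check_required(stack, env_name, env, required):
    """secrets: every required var must be present and non-empty."""
    hits = [Finding("fail", "secrets", stack, f"{env_name}: required var {k} is missing or empty",
                    f"Populate {k} in {env_name}") for k in required if not str(env.get(k, "")).strip()]
    return hits or [Finding("pass", "secrets", stack, "required_vars: ok")]

def check_env_tracked(stack, tracked_paths):
    """filesystem: .env or *.env committed to git is a fail."""
    hits = [Finding("fail", "filesystem", stack, f"{p} is tracked by git",
                    f"Add {p} to .gitignore, then: git rm --cached {p}")
            for p in tracked_paths if p.split("/")[-1].endswith(".env")]
    return hits or [Finding("pass", "filesystem", stack, "env files untracked: ok")]

def host_ip(mapping):
    """Host interface a compose port mapping binds to; '' means all interfaces."""
    if isinstance(mapping, dict):                 # long syntax: {target, published, host_ip}
        return str(mapping.get("host_ip", ""))
    parts = str(mapping).rsplit(":", 2)           # short syntax: "[host_ip:]host:container"
    return parts[0].strip("[]") if len(parts) == 3 else ""

def check_ports(stack, compose):
    """network: host ports bound to all interfaces are a warn, aggregated per stack."""
    exposed = [str(m) for svc in compose.get("services", {}).values()
               for m in svc.get("ports", []) if host_ip(m) in ("", "0.0.0.0", "::")]
    if exposed:
        return [Finding("warn", "network", stack, f"{len(exposed)} port mapping(s) publish to 0.0.0.0 (first: {exposed[0]!r})",
                        "Prefix with 127.0.0.1: to restrict to localhost or move behind the reverse proxy")]
    return [Finding("pass", "network", stack, "ports: ok")]

def check_memory(stack, compose):
    """runtime: a service with neither mem_limit nor deploy.resources.limits.memory is a warn."""
    def limited(svc):
        limits = ((svc.get("deploy") or {}).get("resources") or {}).get("limits") or {}
        return bool(svc.get("mem_limit") or limits.get("memory"))
    unlimited = [n for n, s in compose.get("services", {}).items() if not limited(s)]
    if unlimited:
        return [Finding("warn", "runtime", stack, f"{len(unlimited)} service(s) with no memory limits ({', '.join(unlimited)})",
                        "Set mem_limit or deploy.resources.limits in docker-compose.yml")]
    return [Finding("pass", "runtime", stack, "memory limits: ok")]

def run_posture(stack, env_name, env, required, tracked, compose):
    return (check_placeholders(stack, env_name, env) + check_required(stack, env_name, env, required)
            + check_env_tracked(stack, tracked) + check_ports(stack, compose) + check_memory(stack, compose))

def summary(findings):
    return {lvl: sum(f.level == lvl for f in findings) for lvl in ("pass", "warn", "fail")}

def exit_code(findings, fail_on="fail"):
    """Default: non-zero only on a fail; fail_on='warn': non-zero on any warn or fail."""
    worst = max((LEVEL_RANK[f.level] for f in findings), default=0)
    return 1 if worst >= LEVEL_RANK[fail_on] else 0

def text_report(findings):
    lines = [f"{'✗' if f.level == 'fail' else '⚠'} [{f.category}] {f.stack}: {f.message}\n  → {f.remediation}"
             for f in findings if f.level != "pass"]  # passes are silent in text output
    s = summary(findings)
    return "\n".join(lines + [f"{s['pass']} passed, {s['warn']} warnings, {s['fail']} failures"])

# Constructed sample input echoing the page's example; not real project data.
SAMPLE_ENV = {"DB_PASSWORD": "changeme", "APP_SECRET": "k3yXvQ9tL", "DB_HOST": "db"}
SAMPLE_REQUIRED = ["DB_PASSWORD", "APP_SECRET"]
SAMPLE_TRACKED = ["docker-compose.yml", ".env.example", "README.md"]
SAMPLE_COMPOSE = {"services": {"web": {"ports": ["3000:3000"]},
                               "api": {"ports": ["127.0.0.1:8080:8080", {"target": 9090, "published": 9090}]},
                               "db": {"mem_limit": "512m"}}}

if __name__ == "__main__":
    found = run_posture("my-stack", ".env", SAMPLE_ENV, SAMPLE_REQUIRED, SAMPLE_TRACKED, SAMPLE_COMPOSE)
    print(text_report(found))
    print(json.dumps({"findings": [asdict(f) for f in found], "summary": summary(found)}, indent=2))
    raise SystemExit(exit_code(found, fail_on="warn"))
```

Two design points worth noting. The network and runtime checks aggregate into one finding per stack, matching the "2 port mapping(s)" and "3 service(s)" lines in the sample output, while the secrets checks emit one finding per variable so each has its own remediation. The port parser treats both the short "host:container" form and the long-syntax mapping without host_ip as bound to all interfaces, which is what Docker does; only an explicit loopback host_ip clears the warning.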
There's a separate strut audit command for VPS discovery used by the migration wizard (see VPS Audit and Migration). Posture is a local-first check — it never touches the VPS — so it runs fast and fits into CI.
- Stack Validation — strut validate runs per-stack checks including secret pattern scanning
- Monitoring — runtime alerting complements static posture checks
- CLI Reference — full flag list
strut · v0.1.0 · Report an Issue