

@SashkoMarchuk SashkoMarchuk commented Sep 17, 2025

…to Docker Compose files

  • Add N8N_BLOCK_ENV_ACCESS_IN_NODE=true to docker-compose.yml for enhanced security
  • Add N8N_ENV_ACCESS_ALLOWED with ASSEMBLY_USER and ASSEMBLY_PASS to docker-compose.prod.yml
  • Add ASSEMBLY_USER and ASSEMBLY_PASS environment variables to both compose files

Summary by CodeRabbit

  • Chores
    • Enforced required credentials at startup for the automation service in production deployments.
    • Provided sensible default credentials for local setups while maintaining strict checks in production.
    • Restricted in-app access to environment variables to reduce exposure of sensitive data.
    • No impact to other services or runtime behavior beyond stricter credential validation.


coderabbitai bot commented Sep 17, 2025

Walkthrough

Updates the n8n service environment in docker-compose.yml and docker-compose.prod.yml. Adds SEMBLY_USER and SEMBLY_PASS variables (defaults in dev; required in prod) and configures environment access policies (block in dev; allowlist in prod). No other services or settings are changed.

Changes

Cohort / File(s) | Summary

Compose (dev): docker-compose.yml
Added environment vars for n8n: N8N_BLOCK_ENV_ACCESS_IN_NODE=true (comment explains intent), SEMBLY_USER=${SEMBLY_USER:-sembly_user}, SEMBLY_PASS=${SEMBLY_PASS:-sembly_pass}. Inserted after DB_POSTGRESDB_PASSWORD.

Compose (prod): docker-compose.prod.yml
Added env access allowlist: N8N_ENV_ACCESS_ALLOWED=SEMBLY_USER,SEMBLY_PASS. Enforced required vars with ${SEMBLY_USER:?error} and ${SEMBLY_PASS:?error} after N8N_BINARY_DATA_STORAGE_PATH.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • DenisChistyakov
  • killev
  • anatolyshipitz

Poem

A rabbit toggles envs with care,
Dev blocks secrets, prod declares.
SEMBLY keys hop into place,
Compose files keep a tidy space.
With whiskers twitching, configs set—
Containers launch without a fret. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "Add security configurations and authentication environment variables …" succinctly and accurately summarizes the primary change in this PR (adding n8n security settings and authentication environment variables to the compose files), is concise and relevant for a reviewer scanning history, and does not introduce unrelated topics.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.


github-actions bot commented Sep 17, 2025

🔍 Vulnerabilities of temporal-test:latest

📦 Image Reference temporal-test:latest
digest: sha256:1d8bb517b3f3c90572cecd0dfbceaee7c023d035b93a91fb4d5e308aa49675d7
vulnerabilities: critical: 2 high: 8 medium: 0 low: 0
platform: linux/amd64
size: 218 MB
packages: 358
📦 Base Image alpine:3
also known as
  • 3.21
  • 3.21.3
  • latest
digest: sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilities: critical: 0 high: 0 medium: 0 low: 2
critical: 1 high: 0 medium: 0 low: 0 stdlib 1.23.6 (golang)

pkg:golang/stdlib@1.23.6

critical: CVE-2025-22871

Affected range: <1.23.8
Fixed version: 1.23.8
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.23.2 (golang)

pkg:golang/stdlib@1.23.2

critical: CVE-2025-22871

Affected range: <1.23.8
Fixed version: 1.23.8
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt 3.2.2+incompatible (golang)

pkg:golang/github.com/golang-jwt/jwt@3.2.2%2Bincompatible

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: >=3.2.0, <=3.2.2
Fixed version: Not Fixed
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.043%
EPSS Percentile: 12th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@0.32.0

high: CVE-2025-22869

Affected range: <0.35.0
Fixed version: 0.35.0
EPSS Score: 0.188%
EPSS Percentile: 41st percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

critical: 0 high: 1 medium: 0 low: 0 c-ares 1.34.3-r0 (apk)

pkg:apk/alpine/c-ares@1.34.3-r0?os_name=alpine&os_version=3.21

high: CVE-2025-31498

Affected range: <1.34.5-r0
Fixed version: 1.34.5-r0
EPSS Score: 0.123%
EPSS Percentile: 32nd percentile
Description
critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.26.0 (golang)

pkg:golang/golang.org/x/oauth2@0.26.0

high 7.5: CVE-2025-22868 Improper Validation of Syntactic Correctness of Input

Affected range: <0.27.0
Fixed version: 0.27.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.076%
EPSS Percentile: 23rd percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.7.0 (golang)

pkg:golang/golang.org/x/oauth2@0.7.0

high 7.5: CVE-2025-22868 Improper Validation of Syntactic Correctness of Input

Affected range: <0.27.0
Fixed version: 0.27.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.076%
EPSS Percentile: 23rd percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.36.4 (golang)

pkg:golang/go.opentelemetry.io/contrib/instrumentation@0.36.4#google.golang.org/grpc/otelgrpc

high 7.5: CVE-2023-47108 Allocation of Resources Without Limits or Throttling

Affected range: <0.46.0
Fixed version: 0.46.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 2.744%
EPSS Percentile: 85th percentile
Description

Summary

The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {

out of the box adds labels

  • net.peer.sock.addr
  • net.peer.sock.port

that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

Details

An attacker can easily flood the peer address and port for requests.

PoC

Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.

Impact

In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.

Others

It is similar to already reported vulnerabilities.

Workaround for affected versions

As a workaround to stop being affected, a view removing the attributes can be used.

The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR #4322, to be released with v0.46.0, the attributes were removed.

References

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt/v4 4.5.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@4.5.1#v4

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: <4.5.2
Fixed version: 4.5.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.043%
EPSS Percentile: 12th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 curl 8.12.1-r0 (apk)

pkg:apk/alpine/curl@8.12.1-r0?os_name=alpine&os_version=3.21

high: CVE-2025-5399

Affected range: <=8.12.1-r0
Fixed version: Not Fixed
EPSS Score: 0.050%
EPSS Percentile: 15th percentile
Description


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
docker-compose.yml (1)

31-34: Optional: Consider mirroring the explicit block setting in prod for clarity.

Prod relies on the default for N8N_BLOCK_ENV_ACCESS_IN_NODE. Setting it explicitly in prod avoids ambiguity and future regressions.

Proposed addition in docker-compose.prod.yml n8n env:

+      - N8N_BLOCK_ENV_ACCESS_IN_NODE=true
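Review bot: this is a correctness issue rather than a clarity nit. docker-compose.prod.yml sets only N8N_ENV_ACCESS_ALLOWED, and n8n's documented default for N8N_BLOCK_ENV_ACCESS_IN_NODE is false, so unless the allowlist variable implies blocking on its own, production Code nodes and expressions can still read every variable in the n8n process environment, while the dev file, where the stakes are lowest, is the one that is locked down. Add the line above to the prod n8n environment and, after deploying, confirm from a Code node that a non-allowlisted variable such as N8N_BINARY_DATA_STORAGE_PATH is refused while $env.SEMBLY_USER still resolves.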
docker-compose.prod.yml (1)

25-28: Security: Consider Docker secrets for credentials.

Environment variables are fine, but for stronger posture in prod, prefer Docker secrets or external secret managers; then reference via files.

If you stay with env vars, ensure these aren’t logged or exported in diagnostics.

📜 Review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 990dc90 and a171a10.

📒 Files selected for processing (2)
  • docker-compose.prod.yml (1 hunks)
  • docker-compose.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
docker-compose.yml

📄 CodeRabbit inference engine (.cursor/rules/docker-configuration.mdc)

docker-compose.yml: All service configurations, including service dependencies, volume mounts, network configuration, environment variables, and port mappings, must be defined in docker-compose.yml
Services must communicate over an internal Docker network with only the specified ports exposed: n8n (5678), Temporal (7233), Temporal UI (8080), PostgreSQL (5432), and OpenSearch (9200)

The repository must include a docker-compose.yml file as the main service orchestration configuration.

Use docker compose up -d to start all services

Files:

  • docker-compose.yml
🧠 Learnings (1)
📚 Learning: 2025-07-28T16:44:24.081Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/docker-configuration.mdc:0-0
Timestamp: 2025-07-28T16:44:24.081Z
Learning: Applies to docker-compose.yml : Services must communicate over an internal Docker network with only the specified ports exposed: n8n (5678), Temporal (7233), Temporal UI (8080), PostgreSQL (5432), and OpenSearch (9200)

Applied to files:

  • docker-compose.prod.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
  • GitHub Check: Service Availability Check
🔇 Additional comments (1)
docker-compose.yml (1)

31-34: Incorrect — repo already uses SEMBLY_USER/SEMBLY_PASS; do not apply ASSEMBLY_ rename

Search found SEMBLY_USER/SEMBLY_PASS in docker-compose.yml (lines 33–34) and docker-compose.prod.yml (lines 26–28); N8N_ENV_ACCESS_ALLOWED also references SEMBLY_. Applying the proposed ASSEMBLY_ diff would introduce mismatches — either rename every occurrence (including the allowlist) or keep SEMBLY_*.

Likely an incorrect or invalid review comment.
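A policy check for these compose settings, as an added example that is not part of the PR or of any bot output on this page: it parses the list-form environment block of the n8n service and enforces what the two review threads ask for, an explicit N8N_BLOCK_ENV_ACCESS_IN_NODE=true, an N8N_ENV_ACCESS_ALLOWED whose entries are all defined (with a finding when one of them is a credential, on the assumption that the allowlist re-exposes those names to workflow authors), and ${VAR:?msg} syntax for every credential in the production file so that startup fails instead of silently running with a default. The compose fragments below are constructed from the walkthrough's description, not copied from the repository, and the parser deliberately handles only the `- KEY=value` list form the PR uses.

```python
import re

# Constructed compose fragments modelled on the PR's description of
# docker-compose.yml (dev) and docker-compose.prod.yml (prod).
# They are not the repository's files.
DEV_COMPOSE = """\
services:
  n8n:
    image: n8nio/n8n
    environment:
      - DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD:-n8n}
      # Block $env access in Code nodes/expressions; nothing is allowlisted in dev
      - N8N_BLOCK_ENV_ACCESS_IN_NODE=true
      - SEMBLY_USER=${SEMBLY_USER:-sembly_user}
      - SEMBLY_PASS=${SEMBLY_PASS:-sembly_pass}
"""

PROD_COMPOSE = """\
services:
  n8n:
    image: n8nio/n8n
    environment:
      - N8N_BINARY_DATA_STORAGE_PATH=/data
      - N8N_ENV_ACCESS_ALLOWED=SEMBLY_USER,SEMBLY_PASS
      - SEMBLY_USER=${SEMBLY_USER:?error}
      - SEMBLY_PASS=${SEMBLY_PASS:?error}
"""

SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")           # two-space-indented service key
ENV_ITEM_RE = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
REQUIRED_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*:?\?")      # ${VAR:?msg} / ${VAR?msg}: fail if unset
CREDENTIAL_SUFFIXES = ("_PASS", "_PASSWORD", "_SECRET", "_TOKEN", "_KEY")


def parse_environment(compose_text, service):
    """Return {NAME: raw value} for the list-form `environment:` block of one service.

    Only the `- KEY=value` list syntax used in the PR is handled; the map form
    (`KEY: value`) and `env_file:` are out of scope here.
    """
    env = {}
    current = None
    in_env = False
    for line in compose_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current, in_env = m.group(1), False
            continue
        if current != service:
            continue
        stripped = line.strip()
        if stripped.startswith("environment:"):
            in_env = True
            continue
        if in_env:
            m = ENV_ITEM_RE.match(line)
            if m:
                env[m.group(1)] = m.group(2).strip()
            elif stripped and not stripped.startswith("#"):
                in_env = False  # a different key ends the list
    return env


def audit_n8n_env(env, production):
    """Return a list of human-readable findings; an empty list means the block passes."""
    findings = []

    # 1. Require an explicit block; n8n's default is not to block.
    if env.get("N8N_BLOCK_ENV_ACCESS_IN_NODE", "").lower() != "true":
        findings.append(
            "N8N_BLOCK_ENV_ACCESS_IN_NODE is not explicitly true: Code nodes and "
            "expressions can read the whole process environment"
        )

    # 2. Every allowlisted name must exist; allowlisting a credential is assumed to
    #    hand it to anyone who can edit a workflow, so call it out.
    allowed = [n for n in env.get("N8N_ENV_ACCESS_ALLOWED", "").split(",") if n]
    for name in allowed:
        if name not in env:
            findings.append(f"N8N_ENV_ACCESS_ALLOWED lists {name}, which the service never defines")
        elif name.endswith(CREDENTIAL_SUFFIXES):
            findings.append(f"{name} is a credential exposed to workflow authors through the allowlist")

    # 3. Credentials are never literals; in production they must be required at startup.
    for name, value in env.items():
        if not name.endswith(CREDENTIAL_SUFFIXES):
            continue
        if not value.startswith("${"):
            findings.append(f"{name} is a literal secret in the compose file; move it to .env or a secret store")
        elif production and not REQUIRED_RE.match(value):
            findings.append(f"{name} must use ${{VAR:?msg}} in production so startup fails without a real secret")
    return findings


def audit_compose(compose_text, production, service="n8n"):
    return audit_n8n_env(parse_environment(compose_text, service), production)


if __name__ == "__main__":
    for label, text, prod in (("dev", DEV_COMPOSE, False), ("prod", PROD_COMPOSE, True)):
        print(f"{label}: {audit_compose(text, prod) or ['ok']}")
```

Run against the constructed fragments, the dev file passes and the prod file produces exactly the two points raised in the review: the block setting is missing, and SEMBLY_PASS is both a credential and an allowlisted name. Swapping the prod `${SEMBLY_PASS:?error}` for a `:-` default or a literal adds a third finding, which is the regression this check exists to catch in CI.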


coderabbitai bot commented Sep 17, 2025

Resolving my previous comment - SEMBLY_* naming is correct as clarified by the author.

@SashkoMarchuk SashkoMarchuk merged commit f86b525 into main Sep 17, 2025
21 of 24 checks passed
@SashkoMarchuk SashkoMarchuk deleted the feat/security-env-vars-config branch September 17, 2025 12:19