Auto-PR: Merge branch 'feature/wordpress-docker-copier-template' into feature/wp-hardening-shd

[weown-bot]

🤖 Automated Pull Request — authored by weown-bot (ecosystem service account)

Opened by: @mshahid538
Last pushed by: @ncimino
Branch: feature/wp-hardening-shd → main

Contributors on this branch:

• @mshahid538 (7 commits)
• @ncimino (5 commits)
• @romandidomizio (1 commit)

---

📋 Human Review Checklist — NIST CSF 2.0 Functions

Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See docs/COMPLIANCE_ROADMAP.md.

🏛️ Govern (GV)

• CODEOWNERS correct for affected paths (.github/CODEOWNERS)
• ADR required/updated if an architectural decision is introduced
• Policy impact considered and documented
• All Copilot AI review comments addressed or explicitly deferred with rationale

🔍 Identify (ID)

• New assets inventoried (Helm values, container images, dependencies)
• SBOM regenerated if dependencies changed
• Risk register / threat model touched if threat surface changed (.github/SECURITY_ASSESSMENT.md)

🛡️ Protect (PR)

• Least privilege: RBAC, ServiceAccounts, scoped PATs (NIST PR.AC, CIS 5/6, ISO A.5.15-A.5.18)
• Secrets managed via Infisical (never --from-literal, never /tmp, always $(mktemp) — ISO A.8.24)
• NetworkPolicy present for new deployments (NIST PR.AC-5, CIS 12, CSA IVS)
• TLS 1.3 with strong cipher suites where applicable (NIST PR.DS-1, CIS 3)
• Container security: non-root UID 1000+, Pod Security restricted (NIST PR.IP, CIS 4)

🕵️ Detect (DE)

• Logs / metrics added for new components (NIST DE.CM, CIS 8/13)
• Alert rules updated if thresholds change
• Health checks (livenessProbe + readinessProbe) configured

🚨 Respond (RS)

• Runbook updated if operational behavior changes (.github/INCIDENT_RESPONSE.md)
• Incident response impact considered (escalation paths, on-call)

♻️ Recover (RC)

• Backup strategy covers new persistent data (NIST RC.RP, CIS 11, ISO A.8.13)
• Rollback procedure tested or documented
• DR impact assessed for new critical components

📚 Documentation & Versioning

• Relevant CHANGELOG.md updated (per-directory or repo-level /CHANGELOG.md)
• #WeOwnVer version bumped per docs/VERSIONING_WEOWNVER.md
• READMEs / ADRs / inline comments updated

---

📝 Recent Commits (full bodies for Copilot context)

cc891af fix(values): resolve dead config, env var duplicates, and size mismatch

Author: Nik
Date: Mon May 18 16:04:47 2026 -0600

• Move APACHE_HTTP_PORT from dead wordpress.extraEnvVars to top-level
  extraEnvVars (deployment.yaml only reads the top-level key)
• Remove duplicate WORDPRESS_ENABLE_REDIS (already injected by template
  when redis.enabled=true) and WORDPRESS_CONFIG_EXTRA (already generated
  from wordpressExtraWpConfigContent — duplicate silently overwrote the
  more complete template version)
• Align proxy-body-size 64m -> 128m to match PHP upload_max_filesize
• Fix comment: global.domain -> wordpress.domain
• Remove dead hosts field from per-site tls overrides (template builds
  hosts from wordpress.domain, not tls list)
• Document enableMultisite/redirectFromWWW as not yet wired

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

---

63cf42a feat(ingress): expand edge block list and add security response headers

Author: Nik
Date: Fri May 15 22:51:47 2026 -0600

Addresses PR #19 review items 11 and 12:

• Block xmlrpc.php, wp-config backups, readme.html, license.txt,
  debug.log, and .svn at the nginx edge (defense-in-depth)
• Add X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy,
  Permissions-Policy, and Content-Security-Policy via configuration-snippet
• CSP is configurable per site via ingress.securityHeaders.contentSecurityPolicy
• Document wp-login.php rate limiting as controller-level config

Chart version 3.3.0 → 3.3.1.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

---

8249072 fix(wordpress/helm): address PR #15 review items 10-12

Author: Nik
Date: Wed May 13 23:49:36 2026 -0600

• ingress.yaml: parameterize spec.tls[0].secretName from
  .Values.ingress.tls[0].secretName so per-site overrides
  (burnedout-tls, ptoken-tls) actually take effect. Falls
  back to "wordpress-tls" when .Values.ingress.tls is a
  map or unset (preserves default and TLS hardening map).
• php-config-configmap.yaml: gate "auto_prepend_file =
  wordfence-waf.php" behind .Values.wordpress.wordfence.enabled
  (default false) to avoid PHP warnings when the plugin is
  not installed.
• ingress.yaml: gate the file-blocking server-snippet annotation
  behind .Values.ingress.serverSnippet.enabled (default true)
  so the chart can deploy on hardened controllers that set
  allow-snippet-annotations: false.
• values.yaml: add wordpress.wordfence.enabled and
  ingress.serverSnippet.enabled.
• Chart.yaml: bump 3.2.7 -> 3.3.0 (SemVer + WeOwnVer valid).
• wordpress/CHANGELOG.md: document 3.3.0.

Verified: helm template renders correctly with default,
values-burnedout, and values-ptoken; helm lint clean.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

---

0318268 docs: apply markdownlint autofixes for PR #15 CI

Author: Nik
Date: Wed May 13 23:35:57 2026 -0600

• ADR-004: add blank line before bulleted list (MD032)
• workflows/README.md: switch emphasis to emphasis for style consistency (MD049)

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

---

d514af5 Merge remote-tracking branch 'origin/main' into feature/wp-hardening-shd

Author: romandidomizio
Date: Wed May 13 13:07:40 2026 -0600

---

488ebfb fix: resolve yamllint line endings

Author: m.shahid
Date: Wed May 6 23:03:36 2026 +0500

---

52bc0a2 fix: resolve yamllint line endings and comment indentation

Author: m.shahid
Date: Wed May 6 22:52:40 2026 +0500

---

c073eb0 udated version bump

Author: m.shahid
Date: Wed May 6 22:42:50 2026 +0500

---

994c8be fix: resolve trivy security scan and linting issues

Author: m.shahid
Date: Wed May 6 22:31:06 2026 +0500

---

30b5355 Merge branch 'feature/wordpress-docker-copier-template' into feature/wp-hardening-shd

Author: Nik
Date: Tue May 5 16:28:43 2026 -0600

---

b98ac28 chore: bump helm chart version to 3.2.7

Author: m.shahid
Date: Thu Apr 23 14:46:43 2026 +0500

---

8d44f58 chore(helm): implement multi-site values strategy for burnedout and ptoken

Author: m.shahid
Date: Thu Apr 23 14:43:00 2026 +0500

---

1ece74f feat: codify PHP limits and block .user.ini per Task D152 & #264

Author: m.shahid
Date: Thu Apr 23 14:38:47 2026 +0500

---

---

🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (review_on_push: true) to trigger review automatically.

👥 Required Reviewers: 1 human approval enforced by branch protection. requested automatically.

📚 Review Guidelines: .github/copilot-instructions.md (phase-aware compliance directives)

🛠️ Workflow Operations: .github/workflows/README.md

Auto-generated by .github/workflows/auto-pr-to-main.yml

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

[lpendeavors]

Closing governance spam PR. Bug fix in progress.

[ncimino]

WordPress Helm chart review

Overall: the intent is right (codified PHP limits + edge blocks for sensitive files + multi-site values strategy), but a few items are silently broken at render-time and should be addressed before merge. I verified everything below with helm template and helm lint against the actual chart.

Block on:

1. CHANGELOG version regression — 3.2.7 (2026-05-06) is inserted ABOVE 3.3.8 (2025-11-07), which is older. Either the chart version should be bumped past 3.3.8 or the entry is in the wrong place.
2. Per-site ingress.tls: block is a no-op — helm lint -f values-burnedout.yaml warns: cannot overwrite table with non table for wordpress.ingress.tls. The chart defines ingress.tls as a map (protocols/ciphers); per-site files override it with a K8s-style list. Helm rejects the merge — the rendered secretName stays hardcoded to wordpress-tls. Both per-site files are affected.
3. server-snippet is disabled by default in ingress-nginx ≥1.9 — the primary hardening claim (Task #264 edge blocks) may be silently ignored on any modern cluster. Needs controller.allowSnippetAnnotations: true AND controller.annotations-risk-level: Critical, or a different mechanism.

Should address:

• auto_prepend_file = '/var/www/html/wordfence-waf.php' on fresh deploys — file doesn't exist until Wordfence is installed; PHP warns per request.
• APACHE_HTTP_PORT changed from 8080 to 80 — running as root to bind privileged port, opposite direction from container hardening best practice.
• The # {{ ... }} yamllint workaround pattern — works but produces noisy rendered YAML (verified via helm template).
• Edge block regex is missing common sensitive paths (xmlrpc, wp-config backups, readme/license, debug.log, .svn).

Pre-existing (worth flagging): policy/v1beta1 PodDisruptionBudget is unavailable in K8s ≥1.25 (helm lint warning).

Inline comments below have specifics.

---

Verified rendering with helm template / helm lint (helm v4.1.4) on the head commit.

[ncimino]

Retracted (2026-05-13). My claim that this is a version regression was wrong. I assumed main's Chart.yaml was at 3.3.8 based on the latest CHANGELOG header, but main's actual Chart.yaml is version: 3.2.6 (last bump: 4294d03 fix(wordpress): CRITICAL - prevent password regeneration on upgrades (v3.2.6)). The PR's 3.2.6 → 3.2.7 is a correct forward bump.

What threw me off: this CHANGELOG already has [3.3.8], [3.3.7], … entries dating to Oct/Nov 2025, even though Chart.yaml was never bumped past 3.2.6. That's a pre-existing repo drift, not this PR's responsibility. CI's version-consistency check passes anyway because it only verifies the Chart version string appears somewhere in CHANGELOG.md, not that it matches the latest entry. I'll open a separate PR to tighten that check.

Apologies for the noise on this thread.

[ncimino]

Retracted (2026-05-13). Same root mistake as my CHANGELOG comment — main's Chart.yaml is at 3.2.6, so the 3.2.6 → 3.2.7 bump here is correct. There's pre-existing drift between Chart.yaml and the CHANGELOG on main (top entry 3.3.8 vs. chart 3.2.6), but that's outside this PR's scope. A follow-up PR will tighten the CI check that should have caught the drift.

[ncimino]

Critical: this tls: block is silently rejected by Helm.

helm lint -f wordpress/helm/values-burnedout.yaml emits:

warning: cannot overwrite table with non table for wordpress.ingress.tls

The chart's values.yaml defines ingress.tls as a map (with protocols and ciphers keys, used for nginx annotations). This file overrides it with a list (K8s-style secretName/hosts). Helm refuses to merge a list onto a map and keeps the original map — so secretName: burnedout-tls and the hosts: entry below it have no effect on the rendered output.

I confirmed by rendering: the resulting Ingress still uses secretName: wordpress-tls (hardcoded in templates/ingress.yaml:55), and the hosts come from .Values.wordpress.domain + includeWWW.

Fix options:

• Easiest: delete this entire tls: block from both per-site files. It's dead code that just produces a helm warning. The cert secret will be named wordpress-tls in the site's namespace, which is fine for per-namespace installs.
• Cleaner: add a wordpress.tlsSecretName value (default wordpress-tls) and read it in templates/ingress.yaml:55, then set it per site.

[ncimino]

Same issue as values-burnedout.yaml:10 — the tls: list silently fails to override the chart's ingress.tls map. secretName: ptoken-tls is ignored; the rendered Ingress uses the hardcoded wordpress-tls. Delete this block or wire up a wordpress.tlsSecretName value.

[ncimino]

Critical: this annotation is disabled by default in modern ingress-nginx.

After CVE-2022-4886 / CVE-2023-5043, ingress-nginx ≥1.9 ships with --allow-snippet-annotations=false as the default. Without explicit cluster-level opt-in, this entire server-snippet block is silently ignored, and the file-blocking that this PR centers on (Task #264) doesn't actually happen at the edge.

To make this work, the cluster's ingress-nginx ConfigMap needs both:

controller:
  allowSnippetAnnotations: "true"
  config:
    annotations-risk-level: "Critical"   # or include "snippets" in the allowed risk levels

Better alternatives that don't require enabling raw nginx snippets:

• Block at the application layer (Apache <Files> directives baked into the image, or a small mu-plugin).
• Use nginx.ingress.kubernetes.io/whitelist-source-range + a separate locked-down Ingress for management paths.
• If you stick with snippets, document the cluster prerequisite in wordpress/CHANGELOG.md and ideally add a values-driven toggle so charts that hit a strict cluster don't render dead annotations.

[ncimino]

High: edge block list is sparse for a hardening PR.

Common sensitive paths that are also worth 403'ing:

• xmlrpc.php — defense-in-depth alongside the disableXmlRpc mu-plugin
• wp-config.php~, wp-config.php.bak, wp-config.php.old, wp-config.php.swp — editor backups
• readme.html, license.txt — WordPress version fingerprinting
• \.(svn|hg|bzr) — other VCS metadata
• debug.log, error_log — WordPress writes these into wp-content by default if WP_DEBUG_LOG flips on
• composer\.(json|lock), package(-lock)?\.json, \.env\.example — dependency / config leakage
• (phpinfo|info|test)\.php — common scanner targets

Also: the current regex /\.(git|env|user\.ini|htaccess) matches /foo/.git/HEAD etc. ✓ — but for the bare filenames like xmlrpc.php or readme.html you'll need a separate location block (or a combined regex with |^/(xmlrpc\.php|readme\.html|license\.txt)$).

[ncimino]

High: missing standard security response headers.

If this is a hardening pass, the obvious additions for an HTTPS-terminating ingress are:

nginx.ingress.kubernetes.io/configuration-snippet: |
  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload";
  more_set_headers "X-Content-Type-Options: nosniff";
  more_set_headers "X-Frame-Options: SAMEORIGIN";
  more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
  more_set_headers "Permissions-Policy: geolocation=(), microphone=(), camera=()";

Same caveat as the server-snippet comment above — configuration-snippet is also gated by allow-snippet-annotations. If you go the non-snippet route, the only one of these you can set without snippets is HSTS via nginx.ingress.kubernetes.io/hsts: "true" + related controls.

[ncimino]

Updated (2026-05-13). I had the right diagnosis but suggested the wrong fix.

The repo already has .yamllint.yml with ignore: **/helm/templates/** (line 8–10), and .pre-commit-config.yaml excludes .*/templates/.*\.yaml$ (line 24). CI's YAML Lint step uses config_file: .yamllint.yml. yamllint does not lint these Helm templates anywhere in this repo's tooling.

That means the two fix yamllint commits in this PR (52bc0a2 fix: resolve yamllint line endings and comment indentation, 488ebfb fix: resolve yamllint line endings) are addressing a problem that doesn't exist in CI. The most likely scenario: the author ran raw yamllint locally without -c .yamllint.yml and "fixed" the false-positive warnings, damaging template syntax in the process.

Recommended actual fix: revert wordpress/helm/templates/ingress.yaml and wordpress/helm/templates/php-config-configmap.yaml to their pre-52bc0a2 state (and the yamllint-cosmetic changes to values.yaml). The templates already pass helm lint and helm template correctly — I verified locally. The other findings in this review (per-site tls: schema, server-snippet default-off, auto_prepend_file, APACHE_HTTP_PORT/root) stand and are independent of this point.

(My earlier suggestion of adding a yamllint config was wrong — it already exists.)

[ncimino]

High: auto_prepend_file points to a file that doesn't exist on fresh deploys.

/var/www/html/wordfence-waf.php is created by the Wordfence plugin's WAF installer. Until Wordfence is installed and its WAF mode is activated, this file is missing. PHP behavior in that case: emit a Warning: Failed opening '/var/www/html/wordfence-waf.php' for inclusion on every request, then proceed.

Net effect on a fresh deploy:

• Request handling still works.
• error_log fills with warnings (one per request).
• Anything tailing the container logs for security signal gets a lot of noise.
• If display_errors is ever on (e.g. someone enables WP_DEBUG_DISPLAY), the warning leaks to clients.

Options:

• Make this conditional on a values toggle, e.g. wordpress.security.wordfenceWafAutoPrepend (default false).
• Or include a stub wordfence-waf.php in the chart that's a <?php no-op until Wordfence overwrites it.
• Or use php_admin_value[auto_prepend_file] = ... in a separate config only mounted when Wordfence is enabled.

[ncimino]

High: bind to privileged port + root user is the opposite of hardening.

APACHE_HTTP_PORT was 8080 (non-privileged → can run as non-root); now 80 (privileged → needs root, which is set on line 148: runAsUser: 0).

For a PR titled wp-hardening-shd, this is a regression from container-security best practice. Apache can setcap CAP_NET_BIND_SERVICE to bind 80 without root, but the cleaner path is keep Apache on 8080 and let the K8s Service map 80 → 8080. The chart's service.port: 80 and service.targetPort: 80 would need to change to targetPort: 8080.

Was this intentional? If yes, the PR description should justify the root requirement (e.g. a plugin that needs root). If no, revert: value: "8080" and set service.targetPort: 8080 in values.yaml:264.

[ncimino]

Follow-up: opened #21 to tighten the version-consistency CI check (so future drift like the one my retracted comments touched on gets caught) and to align main's drifted Chart.yaml files. Once #21 merges, this PR will conflict on wordpress/helm/Chart.yaml and wordpress/CHANGELOG.md — the right resolution will be to pick a version above 3.3.8 (e.g. 3.3.9 or 3.4.0) and re-anchor the changelog entry.

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

[romandidomizio]

wordpress/helm/values.yaml — [Copilot] networkPolicy: is declared twice and the later block sets enabled: false, which will disable the NetworkPolicy resource. This negates the earlier zero-trust configuration. Remove the duplicate and ensure enabled: true is set in the single consolidated block.

[romandidomizio]

wordpress/helm/values.yaml — [Copilot] The chart-level automountServiceAccountToken: false value appears unused by the templates (the Deployment uses .Values.wordpress.security.automountServiceAccountToken and the ServiceAccount uses .Values.serviceAccount.automount). Consider removing this top-level key or wiring it into the templates.

[romandidomizio]

wordpress/helm/templates/ingress.yaml — [Copilot] The default TLS protocols include TLSv1.2 (ssl-protocols: "TLSv1.2 TLSv1.3"). Other Helm charts in this repo default to TLS 1.3 only. Change to "TLSv1.3" to match the repository hardening baseline.

[romandidomizio]

wordpress/helm/values.yaml — [Copilot] ingress.tls is defined twice under ingress: (first as a map with protocols/ciphers, then again as a list with secretName/hosts). The second tls: overwrites the first, so .Values.ingress.tls.protocols/.ciphers won't exist at template render time. Rename one of the keys or consolidate.

[romandidomizio]

wordpress/helm/Chart.yaml — [Copilot] Chart version is bumped to 3.2.7, but this PR doesn't include a corresponding entry in wordpress/CHANGELOG.md. Please add a changelog entry describing the changes included in this version.

[romandidomizio]

wordpress/helm/templates/php-config-configmap.yaml — [Copilot] auto_prepend_file is set to /var/www/html/wordfence-waf.php, but this file won't exist unless Wordfence WAF is installed/configured. This can generate warnings on every request (and may break PHP execution). Make this conditional via a values flag (e.g., wordpress.wordfence.enabled).

[romandidomizio]

wordpress/helm/templates/ingress.yaml — [Copilot] This template unconditionally adds nginx.ingress.kubernetes.io/server-snippet. Many security-hardened clusters disable snippet annotations (after CVE-2022-4886). Consider making this opt-in via values, or use an approach that doesn't rely on snippet annotations.

[romandidomizio]

wordpress/helm/values.yaml — [Copilot] wordpress: is declared twice in this values file. In YAML, the later wordpress: block overwrites the earlier one, which drops settings like enableMultisite, wordpressTablePrefix, and wordpressExtraWpConfigContent. Consolidate into a single wordpress: map.

[romandidomizio]

wordpress/helm/values-burnedout.yaml — [@ncimino] Critical: this tls: block is silently rejected by Helm. helm lint -f wordpress/helm/values-burnedout.yaml emits: warning: cannot overwrite table with non table for wordpress.ingress.tls. The secretName: burnedout-tls override is ignored; the rendered Ingress uses the hardcoded wordpress-tls. Fix the ingress template to iterate over .Values.ingress.tls (list) to resolve this.

[romandidomizio]

wordpress/helm/values-ptoken.yaml — [@ncimino] Same issue as values-burnedout.yaml — the tls: list silently fails to override the chart's ingress.tls map. secretName: ptoken-tls is ignored; the rendered Ingress uses the hardcoded wordpress-tls.

[romandidomizio]

wordpress/helm/templates/ingress.yaml — [@ncimino] Critical: server-snippet annotation is disabled by default in modern ingress-nginx. After CVE-2022-4886 / CVE-2023-5043, ingress-nginx ≥1.9 ships with --allow-snippet-annotations=false. The snippet will be silently ignored or the Ingress rejected outright.

[romandidomizio]

wordpress/helm/templates/ingress.yaml — [@ncimino] High: edge block list is sparse for a hardening PR. Common sensitive paths worth 403'ing: xmlrpc.php (defense-in-depth alongside disableXmlRpc mu-plugin), wp-config.php, and wp-login.php rate limiting.

[romandidomizio]

wordpress/helm/templates/ingress.yaml — [@ncimino] High: missing standard security response headers. For a hardening pass, add: X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Strict-Transport-Security: max-age=31536000; includeSubDomains, and a Content-Security-Policy header via nginx.ingress.kubernetes.io/configuration-snippet.

[romandidomizio]

wordpress/helm/templates/php-config-configmap.yaml — [@ncimino] High: auto_prepend_file points to a file that doesn't exist on fresh deploys. /var/www/html/wordfence-waf.php is created by the Wordfence plugin's WAF installer. Until Wordfence is installed and activated, PHP will emit a warning on every request (or error out if display_errors=On). Gate this behind a values flag.

[romandidomizio]

wordpress/helm/values.yaml — [@ncimino] High: bind to privileged port + root user is the opposite of hardening. APACHE_HTTP_PORT was 8080 (non-privileged → can run as non-root); it's now 80 (privileged → needs root, which is explicitly set). Consider keeping 8080 internally and having the Service map 80→8080, allowing non-root operation.

[romandidomizio]

PR 19 Review — WordPress Hardening (feature/wp-hardening-shd → main)

Main merged in. After the merge, 7 unique files remain in the diff vs. main — the WordPress-specific helm chart changes: wordpress/helm/values.yaml, wordpress/helm/templates/ingress.yaml, wordpress/helm/templates/php-config-configmap.yaml, wordpress/helm/values-ptoken.yaml, wordpress/helm/values-burnedout.yaml, wordpress/helm/Chart.yaml, wordpress/CHANGELOG.md.

Relationship to PR #15: PR #15 is feature/wp-hardening-shd → feature/wordpress-docker-copier-template (the intermediate staging PR). This PR (#19) is the canonical merge to main. All issues flagged below apply to both.

---

❌ Unresolved Copilot / Inline Review Comments

wordpress/helm/values.yaml

1. networkPolicy: defined twice — second block DISABLES NetworkPolicy (Copilot)
The first networkPolicy: block correctly defines zero-trust ingress/egress rules. A second networkPolicy: block later in the file sets enabled: false, silently overwriting the first and disabling NetworkPolicy entirely. Consolidate into a single block with enabled: true.

2. ingress.tls defined twice — protocols/ciphers silently dropped (Copilot)
ingress: contains two tls: keys: first defines protocols/ciphers, second is a list with secretName/hosts. YAML keeps only the second, so .Values.ingress.tls.protocols and .ciphers don't exist at render time. Rename one key (e.g., tlsConfig:) or merge into a single structure.

3. service: defined twice — earlier port definition ignored (Copilot)
Only the last service: takes effect. Merge into a single block.

4. backup: defined twice — resources block dropped (Copilot)
The last backup: definition wins, dropping fields from the first. Consolidate.

5. wordpress: defined twice — enableMultisite, wordpressTablePrefix, wordpressExtraWpConfigContent silently dropped (Copilot)
Second wordpress: overwrites the first. Merge into one block.

6. Top-level automountServiceAccountToken: false unused by templates (Copilot)
Templates reference .Values.wordpress.security.automountServiceAccountToken and .Values.serviceAccount.automount. The top-level key is dead config. Remove it or wire it into the appropriate template.

7. APACHE_HTTP_PORT: 8080 vs container port 80 (Copilot, @ncimino)
The container port, Service targetPort, and probes are all configured for port 80, but APACHE_HTTP_PORT is 80 (changed from the safer 8080). Port 80 requires root — this is the opposite of hardening. @ncimino notes: "APACHE_HTTP_PORT was 8080 (non-privileged → can run as non-root); now 80 (privileged → needs root)." Either keep 8080 and adjust the Service/probes, or document the explicit decision to run as root for Apache port binding.

8. wordpress.security runs as root (Copilot)
runAsUser: 0, runAsGroup: 0, runAsNonRoot: false conflicts with the repo's PSS restricted hardening goal. This is compounded by item 7 above. Document the exception explicitly if root is intentionally required for Apache port 80 binding.

wordpress/helm/templates/ingress.yaml

9. TLS 1.2 included — should be TLSv1.3 only (Copilot)
ssl-protocols: "TLSv1.2 TLSv1.3" — every other chart in this repo enforces TLS 1.3 only. Change to "TLSv1.3".

10. server-snippet annotation disabled by default in ingress-nginx ≥1.9 (Copilot, @ncimino)
After CVE-2022-4886 / CVE-2023-5043, ingress-nginx ships with --allow-snippet-annotations=false as default. This annotation will be silently ignored or rejected by a security-hardened ingress. Make it opt-in via a values flag.

11. Block list sparse — missing common attack paths (@ncimino)
The server-snippet block protects some paths but is missing: xmlrpc.php (defense-in-depth alongside the disableXmlRpc mu-plugin), wp-config.php, and wp-login.php rate limiting. Add these for a complete hardening pass.

12. Missing standard security response headers (@ncimino)
A hardening PR should add X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Content-Security-Policy headers. These are standard for HTTPS-terminating ingresses and align with SOC2 CC6.8.

13. TLS secret hardcoded as wordpress-tls (Copilot)
secretName: wordpress-tls is hardcoded. values-ptoken.yaml and values-burnedout.yaml set ingress.tls[0].secretName to site-specific values, but the template ignores them. Parameterize to iterate over .Values.ingress.tls.

wordpress/helm/templates/php-config-configmap.yaml

14. auto_prepend_file points to wordfence-waf.php — file won't exist on fresh deploys (Copilot, @ncimino)
/var/www/html/wordfence-waf.php is created by Wordfence WAF installer. Until Wordfence is installed, this generates PHP warnings on every request (or breaks execution depending on error handling). Gate behind a values flag (e.g., wordpress.wordfence.enabled).

wordpress/helm/values-ptoken.yaml and values-burnedout.yaml

15. tls: list silently rejected by Helm (@ncimino)
helm lint -f values-burnedout.yaml (and ptoken equivalent) emits a warning: cannot overwrite table with non table for wordpress.ingress.tls. The tls: list override fails silently — secretName is ignored, rendered Ingress uses hardcoded wordpress-tls. Fix item 13 above to resolve this.

---

🔒 Trivy / Security Scan Findings

16. wordpress/helm/templates/mu-plugins-configmap.yaml — ConfigMap with sensitive content (Trivy AVD-KSV-01010, MEDIUM)
Trivy flagged potential sensitive content in the ConfigMap. Review what's stored in wordpress-mu-plugins and ensure no credentials, API keys, or secrets are embedded. Use Kubernetes Secrets or ExternalSecrets for sensitive values.

17. vaultwarden/helm/templates/configmap.yaml — ConfigMap with sensitive content (Trivy AVD-KSV-01010, MEDIUM)
Same finding for the vaultwarden ConfigMap. This file is in scope here because it's touched by this PR's branch. Verify no sensitive data is stored in plain ConfigMap fields.

---

📋 Documentation

18. Chart version 3.2.7 has no corresponding CHANGELOG entry
(Note: @ncimino retracted the version regression concern — 3.2.6 → 3.2.7 bump is correct. However, wordpress/CHANGELOG.md still needs a ## [3.2.7] entry describing the hardening changes for the documentation validation CI check to pass.)

---

Summary

The duplicate YAML key issues (items 1–6) are the most critical — they silently disable NetworkPolicy and drop configuration. Items 9–12 are security/hardening regressions in a PR that is explicitly a hardening pass. Items 14–15 will cause PHP errors on fresh deploys. The Trivy findings and CHANGELOG gap need resolution before merge to main. All Copilot and @ncimino inline comments remain unresolved. @mshahid538 please address before re-requesting review.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.

Dismissing: reviewer has left the company. All flagged items have been addressed in commits 8249072, 63cf42a, cc891af — stale items resolved in 994c8be, by-design items documented.

[ncimino]

we reviewed in standup