| Version | Supported |
|---|---|
| Latest | Yes |
If you discover a security vulnerability in Arq Signals, please report it responsibly:
- Do not open a public GitHub issue
- Email security@elevarq.com with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
- We will acknowledge receipt within 48 hours
- We will provide a fix timeline within 5 business days
Arq Signals enforces read-only access through three independent layers:
- Static linting: All SQL queries are validated at startup. DDL, DML, and dangerous functions cause the process to abort immediately.
- Session-level: Connections use `default_transaction_read_only=on`.
- Per-query: Each query runs inside `BEGIN ... READ ONLY`.
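The three layers above, sketched as an added Python example that is not Arq Signals' own code: a startup lint over constructed sample queries, the libpq session option, and the per-query transaction wrapper. The keyword and function sets are assumptions, since the page does not enumerate what the real lint rejects.

```python
import re
# Assumed rule sets: the page says DDL, DML and dangerous functions abort startup
# but does not enumerate them, so these lists are constructed for the example.
ALLOWED_LEADING = {"SELECT", "WITH", "SHOW"}
FORBIDDEN_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE", "COPY",   # DML
                      "CREATE", "ALTER", "DROP", "GRANT", "REVOKE", "REINDEX",    # DDL
                      "VACUUM", "ANALYZE", "CLUSTER", "LOCK", "DO", "CALL", "REFRESH"}
DANGEROUS_FUNCTIONS = {"pg_terminate_backend", "pg_cancel_backend", "pg_read_file",
                       "pg_read_binary_file", "pg_ls_dir", "lo_import", "lo_export",
                       "dblink", "pg_sleep"}
# Layer 2: libpq startup option, so every transaction on the connection is read-only by default.
SESSION_PARAMS = {"options": "-c default_transaction_read_only=on"}

def _normalize(sql: str) -> str:
    """Drop comments and string literals so only real SQL tokens are inspected."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"'(?:[^']|'')*'", "''", sql)

def lint_query(sql: str) -> list[str]:
    """Layer 1, static lint: list every violation in one configured query."""
    violations = []
    for stmt in filter(None, (s.strip() for s in _normalize(sql).split(";"))):
        tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", stmt)
        if not tokens or tokens[0].upper() not in ALLOWED_LEADING:
            violations.append(f"statement must start with SELECT/WITH/SHOW: {stmt[:40]!r}")
        # Every token is scanned, so a data-modifying CTE (WITH x AS (DELETE ...)) is caught too.
        violations += [f"forbidden keyword {t.upper()}" for t in tokens if t.upper() in FORBIDDEN_KEYWORDS]
        violations += [f"dangerous function {t.lower()}" for t in tokens if t.lower() in DANGEROUS_FUNCTIONS]
    return violations

def lint_all(queries: dict[str, str]) -> dict[str, list[str]]:
    """Startup check over the whole query set; maps each failing query name to its violations."""
    return {name: v for name, q in queries.items() if (v := lint_query(q))}

def read_only_transaction(sql: str) -> list[str]:
    """Layer 3: the statement sequence sent per query, independent of the session default."""
    return ["BEGIN READ ONLY", sql, "COMMIT"]

QUERIES = {  # constructed sample queries, in the spirit of statistics-view collection
    "dead_tuples": "SELECT relname, n_dead_tup FROM pg_stat_user_tables -- per table",
    "quoted": "SELECT 'DROP TABLE x' AS note FROM pg_stat_activity",
    "sleeper": "SELECT pg_sleep(30)",
    "cte_delete": "WITH gone AS (DELETE FROM t RETURNING 1) SELECT count(*) FROM gone",
}

if __name__ == "__main__":
    problems = lint_all(QUERIES)
    raise SystemExit(f"rejected: {problems}" if problems else 0)  # abort on any violation
```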
- Passwords are read from file or environment variable at connection time
- Passwords are never cached in memory beyond a single connection attempt
- Passwords are never written to SQLite
- Passwords are never included in snapshot exports
- Password rotation is supported (re-read on each connection)
- The HTTP API binds to a configurable address (default `127.0.0.1:8081`)
- Arq Signals makes no outbound network connections except to PostgreSQL targets
- No data is sent to external services, AI providers, or analytics platforms
- Snapshots contain only PostgreSQL statistics view data
- No credentials, DSNs, or secrets appear in exports
- SQLite database is stored locally with no remote replication
- Non-root runtime (UID 10001)
- Minimal Alpine base image
- No shell or compilers in production image