fix: remediate all 24 security vulnerabilities #2
Open
gadaugherty wants to merge 10 commits into main-insecure from
- README.md: Architecture, 11 ADRs, pipeline enforcement policy
- VULNERABILITIES.md: 24 planted vulnerabilities with CWE refs
- .gitleaks.toml: Secret detection config with doc allowlist
- .trivyignore: Dependency vulnerability exception template
- .github/pull_request_template.md: Security checklist
- Pipeline: replaced broken actions with CLI installs (gitleaks, semgrep, gosec all use direct CLI now)
Application Layer:
- VULN-001: Parameterized SQL queries (auth-api + payments)
- VULN-002: JWT secret from environment variable
- VULN-003: DB credentials from environment variables
- VULN-004: PBKDF2-HMAC-SHA256 password hashing with per-user salt
- VULN-005: JWT authentication middleware on sensitive endpoints
- VULN-006: Authorization checks prevent IDOR
- VULN-007: Removed dangerouslySetInnerHTML, use text content
- VULN-008: Generic error messages, detailed logging server-side
- VULN-009: debug=False, gunicorn in production
- VULN-010: JWT exp claim (1 hour expiry)
- VULN-011: Redacted sensitive data from logs
Infrastructure Layer:
- VULN-012: S3 public access block, KMS encryption, versioning
- VULN-013: RDS private subnet, encryption at rest, deletion protection
- VULN-014: Restrictive security groups, VPC flow logs
- VULN-015: Least-privilege IAM policies
- VULN-016: EKS private endpoint, KMS secrets encryption, audit logging
Container Layer:
- VULN-017: Non-root users (appuser/65534/nginx-unprivileged)
- VULN-018: Removed chmod 777, restrictive permissions
- VULN-019: Pinned base images, multi-stage builds, distroless
Kubernetes Layer:
- VULN-020: Kubernetes Secrets with secretKeyRef
- VULN-021: Security context (privileged:false, drop ALL capabilities)
- VULN-022: CPU/memory requests and limits
- VULN-023: Default-deny NetworkPolicy with explicit allow rules
- VULN-024: ClusterIP services (removed LoadBalancer)
Dependencies:
- Python: pinned all deps, python:3.13-slim + apt-get upgrade
- Frontend: npm overrides for transitive CVEs, package-lock.json
- .trivyignore: PyJWT CVE-2026-32597 (no fix available)
.gitleaks.toml: allowlist docker-compose.yml and kubernetes/base/secrets.yml (local dev credentials and K8s secret placeholders)
.trivyignore: add CVE exceptions with justifications
- CVE-2026-32597: PyJWT (no fix available, 2.12.0 unreleased)
- GHSA-5c6j-r48x-rmvq: serialize-javascript (build-time only)
- CVE-2026-27601: underscore (build-time only)
The aquasecurity/trivy-action does not pass .trivyignore to the scanner. Replaced with direct Trivy CLI installation and execution for both SCA (filesystem) and container scans.
SCA: trivy fs --ignorefile .trivyignore --exit-code 1 (blocks on CRITICAL/HIGH)
Container: trivy image --ignore-unfixed --exit-code 0 (warnings only)
v0.58.1 has an older vulnerability DB that doesn't match the CVE IDs in .trivyignore. Using latest ensures DB compatibility with our ignore entries.
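An added example (not part of this PR or its repository): an audit of a `.trivyignore` file like the one these commits describe, flagging exceptions that lack a justification comment or an expiry, so a "no fix available" entry is revisited once a fix ships. The sample file content, the `exp:` date and the policy that every entry needs both are assumptions; the three IDs are the ones named in the commit message.

```python
import re
from datetime import date

# Constructed sample: the three IDs come from the commit message above;
# the comments and the exp: date are made up for illustration.
SAMPLE_TRIVYIGNORE = """\
# PyJWT: no fix available, 2.12.0 unreleased
CVE-2026-32597 exp:2026-06-30
# serialize-javascript: build-time only
GHSA-5c6j-r48x-rmvq

CVE-2026-27601
"""

ID_RE = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA(-[0-9a-z]{4}){3})$")


def audit_trivyignore(text, today):
    """Return (line_no, vuln_id, problem) for every exception that fails policy."""
    findings = []
    justification = None  # most recent comment directly above an entry
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            justification = None  # a blank line detaches the comment
            continue
        if line.startswith("#"):
            justification = line.lstrip("#").strip() or None
            continue
        vuln_id, *extras = line.split()
        if not ID_RE.match(vuln_id):
            findings.append((line_no, vuln_id, "bad-id"))
        if justification is None:
            findings.append((line_no, vuln_id, "no-justification"))
        expiry = next((e[4:] for e in extras if e.startswith("exp:")), None)
        if expiry is None:
            findings.append((line_no, vuln_id, "no-expiry"))
        else:
            try:
                if date.fromisoformat(expiry) < today:
                    findings.append((line_no, vuln_id, "expired"))
            except ValueError:
                findings.append((line_no, vuln_id, "bad-expiry"))
        justification = None  # one comment justifies one entry
    return findings


if __name__ == "__main__":
    for finding in audit_trivyignore(SAMPLE_TRIVYIGNORE, date.today()):
        print(*finding)
```

Run as a pipeline step before `trivy fs --ignorefile .trivyignore`, a non-empty result can fail the job so that exceptions cannot accumulate unreviewed.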
- payments/go.sum: regenerated with go mod tidy (fixes checksum mismatch)
- frontend/package-lock.json: regenerated with npm ci (fixes build failure)
serialize-javascript>=7.0.3 requires the crypto global which is only available in Node 20+. Node 18 throws ReferenceError: crypto is not defined.
- DB schema: account_number column, transactions use account numbers
- Auth API: returns account_number, generates on registration
- Payments: uses from_account/to_account with parameterized queries
- Frontend: same UI as insecure branch (account numbers, chatbot, settings)
- .gitignore: exclude .venv, node_modules, build artifacts
| # VULNERABILITY: Debug mode enabled in production (CWE-489) | ||
| app.run(host="0.0.0.0", port=5000, debug=True) | ||
| # FIX: Debug mode disabled | ||
| app.run(host="0.0.0.0", port=5000, debug=False) |
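Review bot: `app.run(host="0.0.0.0", port=5000, debug=False)` still starts the framework's built-in development server on all interfaces, so switching the flag off does not make this entry point suitable for production. Since the description says gunicorn is used in production, keep this call behind `if __name__ == "__main__":` for local runs only (if it is not already), and consider reading the debug flag from an environment variable that defaults to off so it cannot be flipped back by a one-line edit.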
Comment on lines +36 to +40
| resource "aws_kms_key" "eks" { | ||
| description = "EKS cluster secrets encryption" | ||
| deletion_window_in_days = 7 | ||
| enable_key_rotation = true | ||
| } |
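Review bot: `deletion_window_in_days = 7` is the shortest window KMS allows, and this key protects the cluster's Kubernetes secrets, so an accidental or malicious key deletion request leaves one week to notice before the secrets become unrecoverable. Consider 30 days, and add an `aws_kms_alias` and tags so the key is identifiable in audit logs; no `policy` is set in these lines, so the default key policy applies.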
Comment on lines +80 to +99
| resource "aws_security_group" "eks_cluster" { | ||
| name = "vulnbank-eks-cluster" | ||
| description = "EKS cluster security group" | ||
| vpc_id = aws_vpc.main.id | ||
|
|
||
| # Only allow node group to communicate with control plane | ||
| ingress { | ||
| from_port = 443 | ||
| to_port = 443 | ||
| protocol = "tcp" | ||
| security_groups = [aws_security_group.eks_nodes.id] | ||
| } | ||
|
|
||
| egress { | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = [aws_vpc.main.cidr_block] | ||
| } | ||
| } |
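Review bot: the ingress block sets `security_groups = [aws_security_group.eks_nodes.id]` while `eks_nodes` references `aws_security_group.eks_cluster.id` in its own egress block, which gives Terraform a dependency cycle between the two groups. Move the cross-references into standalone rule resources (`aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule`, or `aws_security_group_rule`) so both groups can be created first. Separately, the egress block allows all protocols to `aws_vpc.main.cidr_block`, which is wider than the "Only allow node group" comment suggests.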
Comment on lines +101 to +121
| resource "aws_security_group" "eks_nodes" { | ||
| name = "vulnbank-eks-nodes" | ||
| description = "EKS node group security group" | ||
| vpc_id = aws_vpc.main.id | ||
|
|
||
| # Nodes communicate with each other | ||
| ingress { | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| self = true | ||
| } | ||
|
|
||
| # Nodes communicate with control plane | ||
| egress { | ||
| from_port = 443 | ||
| to_port = 443 | ||
| protocol = "tcp" | ||
| security_groups = [aws_security_group.eks_cluster.id] | ||
| } | ||
| } |
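Review bot: the only egress rule is TCP 443 to the cluster security group, so the `self = true` ingress rule has no matching egress and a node cannot open a connection to another node, resolve DNS or pull images unless another attached group allows it. Add a `self = true` egress rule for node-to-node traffic and explicit egress for what the nodes must reach, for example VPC endpoints. There is also no ingress from `aws_security_group.eks_cluster.id`, which the control plane needs in order to reach the kubelet.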
Comment on lines +22 to +25
| resource "aws_cloudwatch_log_group" "flow_logs" { | ||
| name = "/vpc/vulnbank-flow-logs" | ||
| retention_in_days = 90 | ||
| } |
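Review bot: the flow-log group sets `retention_in_days = 90` but no `kms_key_id`, so it relies on the CloudWatch Logs default encryption rather than a customer-managed key, unlike the KMS-encrypted resources elsewhere in this PR. Add `kms_key_id` pointing at a key whose policy allows the CloudWatch Logs service principal, and confirm that 90 days covers the retention the incident-response process needs.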
Comment on lines +48 to +50
| resource "aws_s3_bucket" "logs" { | ||
| bucket = "vulnbank-access-logs" | ||
| } |
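Review bot: `aws_s3_bucket.logs` is declared with only a `bucket` name in lines +48 to +50, so confirm that it gets its own `aws_s3_bucket_public_access_block`, server-side encryption configuration and versioning, as the description claims for VULN-012; a log bucket left out of those controls would repeat the original finding. The hard-coded name `vulnbank-access-logs` also has to be globally unique, so a prefix or random suffix avoids apply failures.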
Resolves conflicts keeping secure backend code while adopting the updated frontend UI (account numbers, chatbot, settings).
Security Remediation
Fixes all 24 vulnerabilities identified in the security audit.
Pipeline Results
Changes
Application (auth-api, payments):
Infrastructure (terraform):
Containers (Dockerfiles):
Kubernetes:
See VULNERABILITIES.md for the complete catalog of 24 vulnerabilities.