
security: address audit findings #4 #5 #6 #7 (#8)

Merged

JoshLuedeman merged 1 commit into main from security/audit-fixes on May 11, 2026

Conversation

@JoshLuedeman

Contributor

Summary

Addresses all 4 security findings from the prior audit pass.

Changes

- #4 Pin base image to digest (was mutable :latest tag)
- #5 Document TERRAFORM_PRE_RUN escape hatch risk in SECURITY.md + inline comment
- #6 Filter sensitive env vars from printenv debug output
- #7 Replace StrictHostKeyChecking no with hardcoded github.com known_hosts

Validation

  • All grep checks for old patterns return empty (StrictHostKeyChecking gone, mutable :latest replaced)
  • New patterns (digest pin, ssh-keyscan, SECURITY: TERRAFORM_PRE_RUN warning, filtered printenv) all present
  • Docker build not run locally (Docker daemon unavailable in this environment); CI will validate

Closes #4, #5, #6, #7

Closes #4
Closes #5
Closes #6
Closes #7

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
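The two runtime-facing fixes in this PR (#6, the filtered printenv, and #7, the known_hosts pin in place of StrictHostKeyChecking no) are the ones worth seeing in working form. The script below is an added example, not code from this PR or its repository: the function names, the redaction regex, the pinned-key comparison and the sample data are assumptions made for illustration. It shows a printenv-style dump that redacts secret-looking variables, and a check that fails the build unless the key ssh-keyscan wrote for a host matches one recorded ahead of time, which is what makes the pin stronger than merely disabling host key checking.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or its repository. Function names, the
# redaction regex and all sample data below are assumptions for illustration.

# (#6) Redact the value of any variable whose NAME matches a secret-looking
# pattern. Reads NAME=VALUE lines from stdin, so CI can run `printenv | filter_env`
# in its debug step and this demo can feed it constructed data.
filter_env() {
  local secret_re='(PASS|PASSWD|SECRET|TOKEN|KEY|CREDENTIAL|AUTH|PRIVATE)'
  local line name
  while IFS= read -r line; do
    name=${line%%=*}                     # text before the first '='
    if printf '%s' "$name" | grep -Eqi "$secret_re"; then
      printf '%s=<redacted>\n' "$name"   # keep the name, drop the value
    else
      printf '%s\n' "$line"
    fi
  done
}

# (#7) Return 0 only if FILE has an entry for HOST with key type KEYTYPE whose
# base64 key equals EXPECTED. Handles "host1,host2 type key" entries as written
# by ssh-keyscan. Any other key, or no entry, fails: a build that simply trusted
# whatever ssh-keyscan returned would accept an attacker's key just as readily.
verify_pinned_key() {
  local file=$1 host=$2 keytype=$3 expected=$4 found
  found=$(awk -v h="$host" -v t="$keytype" '
    $2 == t { n = split($1, hs, ","); for (i = 1; i <= n; i++) if (hs[i] == h) { print $3; exit } }
  ' "$file")
  [ -n "$found" ] && [ "$found" = "$expected" ]
}

# (#7) Build-time helper: populate known_hosts from ssh-keyscan, then refuse to
# continue unless the scanned key matches the one pinned from the provider's
# published fingerprints. Needs network, so the offline demo does not call it.
pin_host_key() {
  local host=$1 keytype=$2 expected=$3 file=${4:-$HOME/.ssh/known_hosts}
  mkdir -p "$(dirname "$file")"
  ssh-keyscan -t "$keytype" "$host" >> "$file" 2>/dev/null
  verify_pinned_key "$file" "$host" "$keytype" "$expected"
}

# Constructed sample environment (not a real dump).
sample_env() {
  printf '%s\n' 'HOME=/root' 'AWS_SECRET_ACCESS_KEY=example-secret' \
    'GITHUB_TOKEN=ghp_example' 'TF_VAR_region=us-east-1' 'PATH=/usr/bin:/bin'
}

# Demo: what the CI debug log would show after the fix.
sample_env | filter_env
```

Two caveats a reviewer would raise: the filter matches on variable names only, so a secret exported under an innocuous name still leaks, and values containing newlines will spill onto their own lines (GNU printenv's -0 option with a NUL-aware loop avoids that). For the pin, take the expected key from GitHub's published SSH key fingerprints rather than from a first ssh-keyscan run, otherwise the pin only records whatever the network returned the first time.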
JoshLuedeman merged commit f2a1192 into main on May 11, 2026
5 checks passed
JoshLuedeman deleted the security/audit-fixes branch on May 11, 2026 at 23:02


Development

Successfully merging this pull request may close these issues:

- chore: pin base image to versioned tag/digest instead of :latest