This is a portfolio reference repo. It is not deployed anywhere user-facing. The threat model is "a recruiter or interviewer clones it and runs `make secure-mode` on their laptop." Still, security issues matter — the repo's whole point is to demonstrate security engineering.
Use GitHub's private vulnerability reporting:
Include:
- A short description.
- The component (api / worker / Vault chart / Kyverno policy / Terraform / ...).
- Reproducer steps — ideally a failing `make smoke` or a manifest that bypasses a policy.
- Suggested fix if you have one.
I aim to acknowledge within 72 hours and fix critical issues within 30 days.
These are documented, deliberate trade-offs for portfolio scope. Please don't file reports on them — file PRs that fix them instead.
| Caveat | Why it's like this | Tracked in |
|---|---|---|
| Vault runs in dev mode with `root` as the root token | One-pod, in-memory storage; instant bring-up for the demo | ADR 0004 |
| Postgres ships with plaintext dev creds in Phase 1 | Deliberately shown as the before state that Vault replaces | ADR 0003, ADR 0004 |
| EKS cluster uses public subnets with no NAT Gateway | Demo cost discipline — would not be production-appropriate | infra/terraform/cloud/README.md |
| `enable_cluster_creator_admin_permissions = true` on EKS | Saves 20 minutes of aws-auth troubleshooting on the first apply | inline comment in main.tf |
| Argo CD `selfHeal: true` | Hostile-PR could be auto-reverted; safer for demo, weaker for real environments | comment in application.yaml |
- Admission policies that can be trivially bypassed.
- Helm chart values that materially weaken pod security (e.g. drops `runAsNonRoot`).
- Workflow secrets exposed in CI logs.
- Path traversal or arbitrary file overwrite via the smoke script or Makefile targets.
- Default Helm values that ship critical or high CVEs in the published images (the api/worker images, not postgres-upstream).
- "Vault root token is `root`" — see caveat table.
- "Postgres password is in plaintext" — see caveat table.
- Container CVEs in upstream images we don't build (postgres, kyverno, argocd). Report those to the upstream project.
- Theoretical issues without a concrete reproducer.
If you fork this and run it somewhere real (please don't), the minimum changes:
- Switch Vault to `ha.enabled=true` with Raft storage + KMS auto-unseal.
- Delete the `app-postgres` Secret and use Vault dynamic credentials for Postgres instead.
- Replace EKS public subnets with private subnets + a single NAT (or VPC endpoints for ECR/STS/S3).
- Enable `enforce_admins=true` on branch protection.
- Wire secure-supply-chain's `verify-signatures` policy to replace the simple `trusted-registry` Kyverno policy.
- Add NetworkPolicy default-deny in every namespace.
The repo's ADR 0002 explains the local-first/cloud-fluent design — none of these gaps are accidents.
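
A check for the last item in the list above (NetworkPolicy default-deny in every namespace), as an added example that is not part of this repo: it reads the JSON shape of `kubectl get networkpolicy -A -o json` and reports which namespaces still lack a default-deny for ingress or egress. The namespace names, policy names and function names are constructed for illustration.

```python
import json

# Constructed sample: the shape of `kubectl get networkpolicy -A -o json`,
# trimmed to the fields the check reads. Namespace and policy names are made up.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "default-deny", "namespace": "app"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "deny-ingress-only", "namespace": "vault"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
  {"metadata": {"name": "api-only", "namespace": "argocd"},
   "spec": {"podSelector": {"matchLabels": {"app": "api"}},
            "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "allow-all", "namespace": "kyverno"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
            "ingress": [{}], "egress": [{}]}}
]}
""")


def denied_directions(policy):
    """Return the directions ('Ingress'/'Egress') this policy default-denies."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector", {})
    # A default-deny must select every pod, i.e. use an empty podSelector.
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return set()
    # With policyTypes omitted, Kubernetes applies Ingress always and Egress
    # only when the policy carries egress rules.
    types = spec.get("policyTypes")
    if not types:
        types = ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    # A listed direction is denied only when it has no allow rules at all.
    return {t for t in types if not spec.get(t.lower())}


def namespaces_missing_default_deny(namespaces, policy_list):
    """Map each namespace to the directions that have no default-deny."""
    covered = {ns: set() for ns in namespaces}
    for policy in policy_list.get("items", []):
        ns = policy["metadata"]["namespace"]
        if ns in covered:
            covered[ns] |= denied_directions(policy)
    full = {"Ingress", "Egress"}
    return {ns: sorted(full - got)
            for ns, got in covered.items() if got != full}
```

The check only confirms that a deny baseline exists; because NetworkPolicies are additive, a separate allow-all policy in the same namespace would still open traffic and needs its own review.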