Skip to content

Security hardening: container images, RBAC, secrets, network policies, dependency CVE patches#259

Open
devin-ai-integration[bot] wants to merge 5 commits into
DevOpsfrom
devin/1782319621-security-hardening
Open

Security hardening: container images, RBAC, secrets, network policies, dependency CVE patches#259
devin-ai-integration[bot] wants to merge 5 commits into
DevOpsfrom
devin/1782319621-security-hardening

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Comprehensive security remediation across five categories, addressing the highest-priority vulnerabilities in infrastructure and application code while preserving the existing ArgoCD GitOps deployment workflow.

Addressed Vulnerabilities

CVE / Finding Severity Category Fix
CVE-2026-22733 HIGH (8.2) Actuator auth bypass via CloudFoundry endpoints Spring Boot 3.3.3 → 3.5.15
CVE-2026-40972 HIGH (7.5) Timing attack on remote secret → potential RCE Spring Boot 3.3.3 → 3.5.15
CVE-2026-40973 HIGH (7.0) ApplicationTemp directory hijack → session theft Spring Boot 3.3.3 → 3.5.15
Deprecated base image HIGH openjdk:17-alpine is EOL, no security patches Replaced with eclipse-temurin:17-jre-alpine
Unpinned container images MEDIUM Tag-mutation supply-chain risk All images pinned to SHA digests
Container runs as root HIGH CIS Docker Benchmark 4.1 violation Added non-root USER appuser
Hardcoded credentials CRITICAL Test@123 in source, manifests, Helm values Env-var injection + external secrets pattern
No RBAC HIGH Pods use default SA with potential cluster-wide perms Dedicated SAs + namespace-scoped Roles
No network segmentation HIGH Any pod can reach MySQL or bankapp unrestricted Default-deny + allow-list NetworkPolicies
Legacy mysql-connector-java MEDIUM EOL artifact (mysql:mysql-connector-java:8.0.33) Migrated to com.mysql:mysql-connector-j (9.7.0 via BOM)

Changes by commit (security category)

1. Container hardeningDockerfile, docker-compose.yml, K8s/Helm manifests

  • Pin all base images (maven, eclipse-temurin, mysql, busybox) to SHA digests
  • Replace openjdk:17-alpineeclipse-temurin:17-jre-alpine (actively maintained)
  • Add USER appuser (non-root) + strip OS caches

2. RBAC — new kubernetes/rbac.yaml, helm/bankapp/templates/rbac.yml

  • bankapp-sa / mysql-sa ServiceAccounts with automountServiceAccountToken: false
  • Namespace-scoped Role + RoleBinding (never ClusterRoleBinding)
  • Minimal permissions: read-only ConfigMaps/Secrets

3. Secretsapplication.properties, secrets.yaml, values.yaml, .env.example

- spring.datasource.password=Test@123
+ spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
  • Removed plaintext password comments from K8s Secret and Helm values
  • Added .env to .gitignore, created .env.example template
  • Added comments recommending external secrets operator for production

4. Network policies — new kubernetes/network-policies.yaml, helm/bankapp/templates/networkPolicies.yml

  • Default-deny-all (ingress + egress) for bankapp-namespace
  • bankapp: ingress from ingress-nginx only; egress to mysql:3306 + DNS only
  • mysql: ingress from bankapp pods only; egress DNS only

5. Dependency patchespom.xml, application.properties

  • Spring Boot 3.3.3 → 3.5.15 (fixes all three CVEs above)
  • mysql:mysql-connector-java:8.0.33com.mysql:mysql-connector-j (BOM-managed 9.7.0)
  • Removed maven-compiler-plugin 3.8.0 override (was forcing Java 1.8 source/target)
  • Updated Hibernate dialect: MySQL8DialectMySQLDialect

Link to Devin session: https://app.devin.ai/sessions/4c9f4533b14a4c6382e1731225ce5f9b
Requested by: @achalc


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

devin-ai-integration Bot and others added 5 commits June 24, 2026 16:47
…R, replace deprecated openjdk

- Pin maven:3.8.3-openjdk-17 to SHA digest in Dockerfile build stage
- Replace deprecated openjdk:17-alpine with eclipse-temurin:17-jre-alpine pinned to SHA
- Add non-root USER directive (appuser) per CIS Docker Benchmark 4.1
- Strip unnecessary OS packages and caches from final image
- Pin mysql:8.0 to SHA digest in K8s manifests, docker-compose, and Helm values
- Pin busybox:1.28 init container to SHA digest in Helm template

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
…-scoped Roles

- Create bankapp-sa and mysql-sa ServiceAccounts with automountServiceAccountToken: false
- Add namespace-scoped Roles granting minimal read-only access to ConfigMaps/Secrets
- Bind via RoleBindings (not ClusterRoleBindings) to enforce least-privilege
- Update both raw K8s manifests and Helm templates consistently

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
… injection

- Replace hardcoded password in application.properties with Spring ${SPRING_DATASOURCE_PASSWORD} placeholder
- Remove plaintext password comments from kubernetes/secrets.yaml
- Replace plaintext passwords in Helm values.yaml with CHANGEME placeholders
- Add .env.example documenting required env vars for docker-compose
- Add .env to .gitignore to prevent accidental credential commits
- Add comments recommending external secrets operator for production use

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
…d isolation

- Add default-deny-all policy for bankapp-namespace (ingress + egress)
- Allow bankapp ingress only from ingress-nginx namespace on port 8080
- Allow bankapp egress only to MySQL (port 3306) and DNS (port 53)
- Allow MySQL ingress only from bankapp pods on port 3306
- Restrict MySQL egress to DNS only, preventing outbound data exfiltration
- Matching Helm templates added for consistency with GitOps pipeline

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
…connector to fix CVEs

Patched vulnerabilities (CVSS >= 7.0):
- CVE-2026-22733 (CVSS 8.2 HIGH): Actuator authentication bypass via CloudFoundry endpoints
  Fixed in Spring Boot >= 3.5.12
- CVE-2026-40972 (CVSS 7.5 HIGH): Timing attack on remote secret enabling RCE
  Fixed in Spring Boot >= 3.5.14
- CVE-2026-40973 (CVSS 7.0 HIGH): ApplicationTemp directory hijack for session theft
  Fixed in Spring Boot >= 3.5.14

Additional dependency fixes:
- Migrated mysql:mysql-connector-java 8.0.33 (EOL artifact) to com.mysql:mysql-connector-j 9.7.0
  (version managed by Spring Boot BOM)
- Removed maven-compiler-plugin 3.8.0 override that forced Java 1.8 source/target;
  Spring Boot parent POM now drives compilation via java.version=17
- Updated Hibernate dialect from deprecated MySQL8Dialect to MySQLDialect

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
@achalc achalc self-assigned this Jun 24, 2026
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant