Security hardening: container images, RBAC, secrets, network policies, dependency CVE patches#259
Open
devin-ai-integration[bot] wants to merge 5 commits into
Open
Conversation
…R, replace deprecated openjdk - Pin maven:3.8.3-openjdk-17 to SHA digest in Dockerfile build stage - Replace deprecated openjdk:17-alpine with eclipse-temurin:17-jre-alpine pinned to SHA - Add non-root USER directive (appuser) per CIS Docker Benchmark 4.1 - Strip unnecessary OS packages and caches from final image - Pin mysql:8.0 to SHA digest in K8s manifests, docker-compose, and Helm values - Pin busybox:1.28 init container to SHA digest in Helm template Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
…-scoped Roles - Create bankapp-sa and mysql-sa ServiceAccounts with automountServiceAccountToken: false - Add namespace-scoped Roles granting minimal read-only access to ConfigMaps/Secrets - Bind via RoleBindings (not ClusterRoleBindings) to enforce least-privilege - Update both raw K8s manifests and Helm templates consistently Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
… injection
- Replace hardcoded password in application.properties with Spring ${SPRING_DATASOURCE_PASSWORD} placeholder
- Remove plaintext password comments from kubernetes/secrets.yaml
- Replace plaintext passwords in Helm values.yaml with CHANGEME placeholders
- Add .env.example documenting required env vars for docker-compose
- Add .env to .gitignore to prevent accidental credential commits
- Add comments recommending external secrets operator for production use
Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
…d isolation - Add default-deny-all policy for bankapp-namespace (ingress + egress) - Allow bankapp ingress only from ingress-nginx namespace on port 8080 - Allow bankapp egress only to MySQL (port 3306) and DNS (port 53) - Allow MySQL ingress only from bankapp pods on port 3306 - Restrict MySQL egress to DNS only, preventing outbound data exfiltration - Matching Helm templates added for consistency with GitOps pipeline Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
…connector to fix CVEs Patched vulnerabilities (CVSS >= 7.0): - CVE-2026-22733 (CVSS 8.2 HIGH): Actuator authentication bypass via CloudFoundry endpoints Fixed in Spring Boot >= 3.5.12 - CVE-2026-40972 (CVSS 7.5 HIGH): Timing attack on remote secret enabling RCE Fixed in Spring Boot >= 3.5.14 - CVE-2026-40973 (CVSS 7.0 HIGH): ApplicationTemp directory hijack for session theft Fixed in Spring Boot >= 3.5.14 Additional dependency fixes: - Migrated mysql:mysql-connector-java 8.0.33 (EOL artifact) to com.mysql:mysql-connector-j 9.7.0 (version managed by Spring Boot BOM) - Removed maven-compiler-plugin 3.8.0 override that forced Java 1.8 source/target; Spring Boot parent POM now drives compilation via java.version=17 - Updated Hibernate dialect from deprecated MySQL8Dialect to MySQLDialect Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Comprehensive security remediation across five categories, addressing the highest-priority vulnerabilities in infrastructure and application code while preserving the existing ArgoCD GitOps deployment workflow.
Addressed Vulnerabilities
ApplicationTempdirectory hijack → session theftopenjdk:17-alpineis EOL, no security patcheseclipse-temurin:17-jre-alpineUSER appuserTest@123in source, manifests, Helm valuesmysql-connector-javamysql:mysql-connector-java:8.0.33)com.mysql:mysql-connector-j(9.7.0 via BOM)Changes by commit (security category)
1. Container hardening —
Dockerfile,docker-compose.yml, K8s/Helm manifestsmaven,eclipse-temurin,mysql,busybox) to SHA digestsopenjdk:17-alpine→eclipse-temurin:17-jre-alpine(actively maintained)USER appuser(non-root) + strip OS caches2. RBAC — new
kubernetes/rbac.yaml,helm/bankapp/templates/rbac.ymlbankapp-sa/mysql-saServiceAccounts withautomountServiceAccountToken: falseRole+RoleBinding(never ClusterRoleBinding)3. Secrets —
application.properties,secrets.yaml,values.yaml,.env.example.envto.gitignore, created.env.exampletemplate4. Network policies — new
kubernetes/network-policies.yaml,helm/bankapp/templates/networkPolicies.ymlbankapp-namespacebankapp: ingress fromingress-nginxonly; egress tomysql:3306+ DNS onlymysql: ingress frombankapppods only; egress DNS only5. Dependency patches —
pom.xml,application.propertiesmysql:mysql-connector-java:8.0.33→com.mysql:mysql-connector-j(BOM-managed 9.7.0)maven-compiler-plugin3.8.0 override (was forcing Java 1.8 source/target)MySQL8Dialect→MySQLDialectLink to Devin session: https://app.devin.ai/sessions/4c9f4533b14a4c6382e1731225ce5f9b
Requested by: @achalc
Devin Review