Skip to content

fix(calm-hub): security hardening for ec2 stack and read-only deployment#2798

Merged
rocketstack-matt merged 3 commits into
finos:mainfrom
jpgough-ms:fable-scan
Jul 10, 2026
Merged

fix(calm-hub): security hardening for ec2 stack and read-only deployment#2798
rocketstack-matt merged 3 commits into
finos:mainfrom
jpgough-ms:fable-scan

Conversation

@jpgough-ms

Copy link
Copy Markdown
Member

Description

Security scan of calm-hub/ec2/ and the calm-hub read-only deployment, with the low-risk hardening applied. Read-only enforcement itself was assessed as robust (global @PreMatching verb filter + NitriteDB opened readOnly(true) + chmod 0444 DB file — no per-endpoint gaps found).

Fixed:

  • Pin nickfedor/watchtower to 1.19.0 — the container holding the Docker socket no longer auto-tracks a mutable latest tag (Watchtower never updates itself, so the pin is stable; bump instructions in compose comment + README)
  • Add no-new-privileges + cap_drop: ALL to both ec2 services; read_only rootfs + tmpfs /tmp on calm-hub (native binary, baked-in read-only DB — nothing writes to disk)
  • Vendor the Docker Compose v2.32.4 per-arch SHA256 checksums into install.sh — previously fetched from the same host as the binary, which only proves transport integrity
  • Add X-Content-Type-Options: nosniff + Referrer-Policy: no-referrer response headers (all profiles) and include HEAD in the header filter's method list
  • Add /api/calm/*authenticated path policy to the secure profile — safety net so a future unannotated endpoint is rejected rather than silently unauthenticated (every current method is annotated; no behaviour change)
  • Fix ec2 README Watchtower GitHub link (nickfedornicholas-fedor; old link 404s)

Reviewed and accepted, no change (by design):

  • Watchtower Docker socket mount (documented in ec2 README security note)
  • Auto-deploy from mutable latest-read-only-native tag (this is the feature; sha-* pinning documented)
  • Open auth + Swagger UI on the public read-only image (genuinely public service)
  • Plain HTTP on :80 (TLS terminates upstream)

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Schema (calm/)
  • CALM AI (calm-ai/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • CALM Server (calm-server/)
  • CALM Widgets (calm-widgets/)
  • Documentation (docs/)
  • Shared (shared/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Commit Message Format ✅

  • fix(calm-hub): harden ec2 compose stack and pin watchtower
  • fix(calm-hub): add nosniff and referrer-policy security headers
  • fix(calm-hub): add authenticated path policy for /api/calm in secure profile

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Verification performed:

  • ../mvnw clean verify -Ddependency-check.skip=true — 2143 tests, 0 failures, JaCoCo coverage check green
  • Hardened compose stack booted locally with the published latest-read-only-native image; full smoke-test.sh readonly passed (all 405 assertions intact); Watchtower 1.19.0 healthy under cap_drop: ALL
  • Response headers asserted via curl on GET and HEAD against the packaged jar (standalone profile) and covered by TestSecurityResponseHeadersShould
  • Vendored checksums cross-checked against freshly downloaded v2.32.4 release binaries; bash -n install.sh clean

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

@github-actions github-actions Bot added the calm-hub Affects `calm-hub` label Jul 10, 2026
@jpgough-ms jpgough-ms marked this pull request as ready for review July 10, 2026 15:51

@rocketstack-matt rocketstack-matt left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified the checksums vendored in install.sh against the real docker/compose v2.32.4 .sha256 release assets (match), confirmed the corrected watchtower README link resolves, and confirmed every handler under /api/calm/* already carries @authenticated or @PermissionsAllowed so the new coarse policy is a true no-op safety net.

@rocketstack-matt rocketstack-matt merged commit d249a3d into finos:main Jul 10, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

calm-hub Affects `calm-hub`

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants