
fix(security): remediate OWASP/CWE audit findings (2026-06-30)#142

Merged
fdelbrayelle merged 2 commits into
mainfrom
fix/security-audit-20260630
Jul 1, 2026

Conversation

@fdelbrayelle

Member

Summary

Remediates all findings from the 2026-06-30 automated security audit against OWASP Top 10 (2025), CWE Top 25, and OWASP ASVS Level 1.

Findings Fixed

  • [HIGH] Docker config field (containing registry credentials) missing @PluginProperty(secret=true) and @ToString.Exclude (src/main/java/io/kestra/plugin/docker/AbstractDocker.java:73)

    • Fix: Added secret = true to @PluginProperty(dynamic = true, group = "advanced") on the config field and added @ToString.Exclude above it to prevent credential leakage in logs/toString output
  • [MEDIUM] Registry credentials field missing @PluginProperty(secret=true) (src/main/java/io/kestra/plugin/docker/AbstractDocker.java:79)

    • Fix: Added secret = true to @PluginProperty(dynamic = true, group = "connection") on the credentials field so Kestra's UI masks the value
  • [LOW] Unpinned 'docker:latest' used as default container image in Compose task (src/main/java/io/kestra/plugin/docker/Compose.java:87)

    • Fix: Pinned the default image from docker:latest to docker:27.5.1-cli to ensure reproducible, tamper-resistant builds

Testing

  • ./gradlew build passes
  • No regressions in existing tests
  • Manually verified the patched code paths

References


Automated security fix — please review each change carefully before merging.
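As an added illustration of the HIGH and MEDIUM findings above (example code, not the plugin's own source): a stripped-down task class carrying the same two credential-bearing fields as the audited AbstractDocker class, together with a check that neither value can reach a log line through the Lombok-generated toString(). Class and field names are assumptions, as is the io.kestra import path; the sample token is constructed.

```java
// Added example, not code from kestra plugin-docker. Assumes Lombok and the
// Kestra core annotations are on the classpath (import path assumed).
import io.kestra.core.models.annotations.PluginProperty;
import lombok.Builder;
import lombok.Getter;
import lombok.ToString;

@Getter
@Builder
@ToString
public class DockerTaskExample {

    // Container image: harmless in logs, so it stays in toString().
    @PluginProperty(dynamic = true)
    private final String image;

    // Registry config (may embed auth tokens): secret = true makes the Kestra UI
    // mask it, @ToString.Exclude keeps it out of the generated toString().
    @PluginProperty(dynamic = true, group = "advanced", secret = true)
    @ToString.Exclude
    private final String config;

    // Explicit registry credentials: same treatment as the config field.
    @PluginProperty(dynamic = true, group = "connection", secret = true)
    @ToString.Exclude
    private final String credentials;

    /** Returns true if any of the given secret values appears in toString(). */
    public static boolean leaksSecrets(DockerTaskExample task, String... secrets) {
        String rendered = task.toString();
        for (String s : secrets) {
            if (s != null && !s.isEmpty() && rendered.contains(s)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        String token = "EXAMPLE_REGISTRY_TOKEN";
        DockerTaskExample task = DockerTaskExample.builder()
            .image("docker:27.5.1-cli")
            .config("{\"auths\":{\"registry.example\":{\"auth\":\"" + token + "\"}}}")
            .credentials("user:" + token)
            .build();

        // With the two @ToString.Exclude annotations in place this reports
        // leaks=false; remove them and the token appears in every log line
        // that prints the task object.
        System.out.println(task);
        System.out.println("leaks=" + leaksSecrets(task, token));
    }
}
```

The leaksSecrets check is the kind of regression test that turns the "manually verified" step above into an automated one.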

…audit

Fixes identified in automated security audit (kestra-plugin-security-auditing skill):
- HIGH: Docker config field (containing registry credentials) missing @PluginProperty(secret=true) and @ToString.Exclude
- MEDIUM: Registry credentials field missing @PluginProperty(secret=true)
- LOW: Unpinned 'docker:latest' used as default container image in Compose task

Part of security audit EPIC. See kestra-io/kestra-ee#9092 for full scope.
@fdelbrayelle fdelbrayelle added the kind/security Security-related issue label Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Contributor

🧪 Java Unit Tests

Report            | Tests  | Passed ✅ | Skipped | Failed | Time ⏱
Java Tests Report | 37 ran | 37 ✅     | 0 ⚠️    | 0 ❌   | 2m 42s 660ms

📦 Artifacts

Name | Size     | Updated                    | Expiration
jar  | 80.94 KB | Jun 30, 26, 9:55:25 PM UTC | Jul 7, 26, 9:55:24 PM UTC

🔁 Unreleased Commits

1 commits since v1.5.1

SHA     | Title                                                    | Author         | Date
df90561 | chore(deps): group io.kestra.gradle.* dependabot updates | Malay Dewangan | Jun 30, 26, 10:12:51 AM UTC

@github-actions

github-actions Bot commented Jun 30, 2026

Contributor

Tests report quick summary:

success ✅ > tests: 37, success: 37, skipped: 0, failed: 0

Project       | Status     | Success | Skipped | Failed
plugin-docker | success ✅ | 37      | 0       | 0

@fdelbrayelle fdelbrayelle enabled auto-merge (squash) June 30, 2026 20:54
@fdelbrayelle fdelbrayelle disabled auto-merge June 30, 2026 21:09
…lable

The pinned kestraVersion predates the secret attribute on @PluginProperty,
causing a compile error on the credential-annotation fixes in this PR.
@fdelbrayelle fdelbrayelle enabled auto-merge (squash) June 30, 2026 21:57
@fdelbrayelle fdelbrayelle disabled auto-merge July 1, 2026 08:39
@fdelbrayelle fdelbrayelle merged commit cebb09d into main Jul 1, 2026
7 checks passed
@fdelbrayelle fdelbrayelle deleted the fix/security-audit-20260630 branch July 1, 2026 08:39