Skip to main content

Security

Full-codebase security audit, fully remediated. Riftmap’s second full-codebase audit (after April 2026) covered the backend, the scanner pipeline that handles untrusted repository content, the frontend, dependencies, and infrastructure. It found no critical issues, and every finding — three high, six medium, and a tail of low-severity hardening items — was fixed with an accompanying regression test before the record was published. The complete remediation record is public in the repository; the control-by-control summary is the verified-controls table in docs/security.md. Two changes are visible in the API and worth calling out for integrators:
  • Configuration mutations now require the Owner or Admin role (session auth). POST /connected-orgs (registering an org), POST /connected-orgs/{id}/scans (triggering a scan), and creating or rotating workspace API keys (including the deprecated /api-key/regenerate) return 403 for plain members. Workspace API keys are owner-equivalent and unaffected — CI pipelines keep working unchanged. Cancelling an in-flight scan deliberately remains member-permitted.
  • Connected-org URLs are validated against SSRF. The PAT-mode url must be a public https:// host; addresses resolving to private, loopback, link-local, or cloud-metadata ranges return 422 at registration and are re-checked at scan time. Self-hosted GitLab / GitHub Enterprise on a public address is unaffected; self-hosted Riftmap deployments scanning an internal platform can opt out with SCAN_ALLOW_PRIVATE_HOSTS=true.
Under the hood, the same wave hardened the scanner against hostile repository content (symlinks are neutralised at clone time, file walks never read outside the clone tree, and working trees above a size cap are rejected), made password-reset links single-use, equalised login timing so response latency can’t reveal whether an email is registered, and added a Content-Security-Policy to the app document at app.riftmap.dev (rolling out report-only, then enforcing).