Security
Full-codebase security audit, fully remediated. Riftmap’s second full-codebase audit (after April 2026) covered the backend, the scanner pipeline that handles untrusted repository content, the frontend, dependencies, and infrastructure. It found no critical issues, and every finding — three high, six medium, and a tail of low-severity hardening items — was fixed with an accompanying regression test before the record was published. The complete remediation record is public in the repository; the control-by-control summary is the verified-controls table in docs/security.md. Two changes are visible in the API and worth calling out for integrators:- Configuration mutations now require the Owner or Admin role (session auth).
POST /connected-orgs(registering an org),POST /connected-orgs/{id}/scans(triggering a scan), and creating or rotating workspace API keys (including the deprecated/api-key/regenerate) return 403 for plain members. Workspace API keys are owner-equivalent and unaffected — CI pipelines keep working unchanged. Cancelling an in-flight scan deliberately remains member-permitted. - Connected-org URLs are validated against SSRF. The PAT-mode
urlmust be a publichttps://host; addresses resolving to private, loopback, link-local, or cloud-metadata ranges return 422 at registration and are re-checked at scan time. Self-hosted GitLab / GitHub Enterprise on a public address is unaffected; self-hosted Riftmap deployments scanning an internal platform can opt out withSCAN_ALLOW_PRIVATE_HOSTS=true.
app.riftmap.dev (rolling out report-only, then enforcing).