You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Batch of three findings from the 2026-05-04 owner-self code audit.
#71 (HIGH) — Dockerfile ran as root with no HEALTHCHECK (trivy DS002 +
semgrep dockerfile.security.missing-user). Added a dedicated UID 10001
user (primary group root for arbitrary-UID platform compatibility),
chown the app dir, switch USER, and add a HEALTHCHECK against the real
endpoint (port 8080, /health). Healthcheck uses a stdlib urllib
one-liner instead of curl to avoid adding a package to the slim base
image (no new deps). Dockerfile.test left as root by design: it only
runs pytest (editable install + writes caches/artifacts under /app), so
a non-root switch adds risk with no production-surface benefit.
#72 (MEDIUM) — semgrep python-logger-credential-disclosure flagged 6
logger calls (credentials.py:66,88,104,129,145 + blockchain.py:96).
Reviewed each: all log only credential IDs and service-generated error
strings — never the credential body, signature, or key. No real leak.
Added inline nosemgrep with a per-line rationale stating what is logged.
#73 (LOW) — annotated the two intentional unverified jwt.decode calls in
auth/token_parser.py (token-shape detection + claim extraction for
identity bridging; real EdDSA signature verification happens in
services/delegation_service.py and auth/crypto.py) with nosemgrep +
explanatory comments. Renamed synthetic test fixtures that tripped
gitleaks generic-api-key (test_identity.py, test_advanced_personas.py,
simulate_users.py) to obvious sk-FAKE-fixture-* names; preserved the
masking assertions in test_identity.py.
Closes#71Closes#72Closes#73
Copy file name to clipboardExpand all lines: attestix/api/routers/credentials.py
+5Lines changed: 5 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -63,6 +63,7 @@ def issue_credential(
63
63
expiry_days=body.expiry_days,
64
64
)
65
65
ifisinstance(result, dict) and"error"inresult:
66
+
# nosemgrep: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure -- logs the service error string only; no credential body/signature/key
# nosemgrep: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure -- logs the service error string only; no credential body/signature/key
# nosemgrep: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure -- logs the service error string only; no credential body/signature/key
0 commit comments