security: harden TLS minimum version and k8s seccomp profiles (Fortify SCA triage)#7669
Merged
Address Fortify SCA findings (scan 2026-06-01):
- Insecure Transport: Weak SSL Protocol (Critical x2): enforce minVersion TLSv1.2 on the API and frontend HTTPS listeners so Node no longer negotiates down to SSLv3/TLSv1.0/TLSv1.1.
- Kubernetes Improper Deployment/StatefulSet Access Control (High x4): add pod-level seccompProfile RuntimeDefault to the api, frontend, ingestion Deployments and the mongo StatefulSet.
Adds SECURITY_REVIEW_Fortify_2026-06-02.md triaging all 58 findings (7 fixed, 36 already-mitigated/false-positive, 15 accepted/operational).
https://claude.ai/code/session_012mFAbw8FoSFhsMaRRNHzx3
Per review feedback: some deployments still require older TLS versions and many terminate TLS at nginx/their webserver, so the API and frontend HTTPS servers must not hardcode minVersion TLSv1.2. Replace the forced minVersion with optional ssl.minVersion / ssl.maxVersion config keys (documented in both config.sample.js files). When unset -- the default -- Node keeps its built-in protocol range, so behavior is unchanged for existing deployments; operators who want to enforce a floor can opt in. k8s seccompProfile hardening retained. https://claude.ai/code/session_012mFAbw8FoSFhsMaRRNHzx3
ihaardik approved these changes (Jun 9, 2026)
Summary
Triage and partial remediation of the Fortify SCA report (scan 2026‑06‑01, 58 findings: 23 Critical / 12 High / 7 Medium / 16 Low). Each finding was audited against the current tree (the scan was from an older snapshot; many line numbers no longer match).
Full per-finding write-up: SECURITY_REVIEW_Fortify_2026-06-02.md.

Changes in this PR
- Insecure Transport: Weak SSL Protocol (Critical ×2): api/api.js, frontend/express/app.js: enforce minVersion: "TLSv1.2" on both HTTPS listeners so Node no longer negotiates down to SSLv3/TLSv1.0/TLSv1.1.
- Kubernetes Improper Deployment/StatefulSet Access Control (High ×4): added pod-level securityContext.seccompProfile.type: RuntimeDefault to the api, frontend, ingestion Deployments and the mongo StatefulSet.

Explicitly not changed (see report for rationale)
- crashes-jira: RSA‑SHA1 is mandated by the Jira OAuth1 API.
- resolvePathInBase, Express {root} traversal rejection, delete password/api_key before output.
- USER root, apt pinning, Tiller RBAC, CORS header, HTTP fallback, postMessage*, CI test password: by-design, config-driven, test-only, or belong upstream / in a Helm-3 migration.
- 5 owner follow-ups listed in the report.

Verification
🤖 Generated with Claude Code
https://claude.ai/code/session_012mFAbw8FoSFhsMaRRNHzx3
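A check for the seccomp change described in the PR body, as an added example that is not the project's manifests or tooling: lint parsed Deployment/StatefulSet manifests for a pod-level seccompProfile that actually confines the pod, flag containers that override it, and patch the pod template with RuntimeDefault where it is missing. Manifests are assumed to be already parsed into plain objects (for instance by a YAML library); the two sample manifests, the workload names and the function names are constructed for this example.

```javascript
// Added example (not the project's k8s/Helm manifests): lint and patch the
// pod-level seccompProfile on workload manifests. Inputs are parsed manifest
// objects; the samples at the bottom are constructed for this example.
const WORKLOAD_KINDS = new Set(["Deployment", "StatefulSet", "DaemonSet"]);
// Profile types that confine the pod. "Unconfined", or no profile at all,
// leaves every syscall allowed.
const CONFINING_TYPES = new Set(["RuntimeDefault", "Localhost"]);

// Pod template spec of a workload manifest, or null when there is none.
function podSpecOf(manifest) {
  if (!manifest || !WORKLOAD_KINDS.has(manifest.kind)) return null;
  const tpl = manifest.spec && manifest.spec.template;
  return (tpl && tpl.spec) || null;
}

// Human-readable findings for one manifest; an empty array means it passes.
function seccompFindings(manifest) {
  const findings = [];
  const pod = podSpecOf(manifest);
  if (!pod) return findings;
  const name = `${manifest.kind}/${manifest.metadata && manifest.metadata.name}`;
  const podProfile = pod.securityContext && pod.securityContext.seccompProfile;
  if (!podProfile || !CONFINING_TYPES.has(podProfile.type)) {
    findings.push(`${name}: pod securityContext.seccompProfile is ${podProfile ? podProfile.type : "unset"}`);
  }
  // A container-level profile overrides the pod-level one, so an explicit
  // Unconfined on any container defeats RuntimeDefault on the pod.
  for (const c of [...(pod.initContainers || []), ...(pod.containers || [])]) {
    const cp = c.securityContext && c.securityContext.seccompProfile;
    if (cp && !CONFINING_TYPES.has(cp.type)) {
      findings.push(`${name}: container ${c.name} overrides pod profile with ${cp.type}`);
    }
  }
  return findings;
}

// Returns a copy with securityContext.seccompProfile.type: RuntimeDefault on
// the pod template; an existing confining profile (e.g. Localhost) is kept.
function ensureRuntimeDefault(manifest) {
  const copy = JSON.parse(JSON.stringify(manifest));
  const pod = podSpecOf(copy);
  if (!pod) return copy;
  pod.securityContext = pod.securityContext || {};
  const current = pod.securityContext.seccompProfile;
  if (!current || !CONFINING_TYPES.has(current.type)) {
    pod.securityContext.seccompProfile = { type: "RuntimeDefault" };
  }
  return copy;
}

// Constructed sample manifests for this example (not the project's).
const mongoStatefulSet = {
  apiVersion: "apps/v1", kind: "StatefulSet", metadata: { name: "mongo" },
  spec: { template: { spec: { containers: [{ name: "mongo", image: "mongo:6" }] } } },
};
const apiDeployment = {
  apiVersion: "apps/v1", kind: "Deployment", metadata: { name: "api" },
  spec: { template: { spec: {
    securityContext: { seccompProfile: { type: "RuntimeDefault" } },
    containers: [{ name: "api", image: "api:latest" }],
  } } },
};

console.log(seccompFindings(mongoStatefulSet));                       // one finding
console.log(seccompFindings(ensureRuntimeDefault(mongoStatefulSet))); // []
console.log(seccompFindings(apiDeployment));                          // []
```

Running the lint over every rendered manifest in CI is the cheap way to keep the four hardened workloads from regressing when a chart is edited later.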