sahib-sawhney-wh/dapr-security-scanner

DAPR Security Scanner

Proactively scan DAPR configurations for security vulnerabilities and best practice violations.

When to Activate

This skill should be invoked:

• When component YAML files are created or modified
• When the user asks about security concerns
• Before deployment to production
• During code review of DAPR configurations

Security Checks

1. Plain-Text Secrets Detection

Scan for hardcoded credentials in component files:

# BAD - Plain text secret
- name: connectionString
  value: "Server=myserver;Password=secret123"

# GOOD - Using secret reference
- name: connectionString
  secretKeyRef:
    name: db-secrets
    key: connectionString

Check for:

• password, secret, key, token, credential in value fields
• Connection strings with embedded passwords
• API keys in plain text
• Base64-encoded secrets (still exposed)

2. Missing Secret Store References

Verify sensitive fields use secretKeyRef:

# Required for these field patterns:
- *password*
- *secret*
- *key* (except keyName for crypto)
- *token*
- *credential*
- connectionString
- accessKey
- apiKey

3. Component Scope Validation

Check that sensitive components have scopes defined:

# Components requiring scopes:
- secretstores.* - MUST have scopes
- state.* with sensitive data - SHOULD have scopes
- pubsub.* - SHOULD have scopes
- bindings.* with write access - SHOULD have scopes

4. Managed Identity Recommendations

Flag connection string usage when managed identity is available:

# Azure components should prefer:
- azureClientId (for managed identity)
# Over:
- connectionString
- accountKey

5. ACL Configuration

Verify access control is properly configured:

• Check for accessControl in Configuration resources
• Verify defaultAction: deny is set
• Ensure service-specific policies exist

6. mTLS Configuration

Check mutual TLS settings:

spec:
  mtls:
    enabled: true  # Should be true for production

7. Resiliency Policy Validation

Verify resiliency policies exist for production:

• Check for Resiliency resource
• Verify circuit breakers for external services
• Check retry policies have reasonable limits

Scanning Commands

Scan Single File

python scripts/security-scan.py path/to/component.yaml

Scan All Components

python scripts/security-scan.py components/

Generate Report

python scripts/security-scan.py --report security-report.json

Severity Levels

| Severity | Description | Examples | |----------|-------------|----------| | CRITICAL | Immediate security risk | Plain-text passwords, exposed API keys | | HIGH | Significant vulnerability | Missing scopes on secret stores, no mTLS | | MEDIUM | Security improvement needed | No resiliency policies, missing ACLs | | LOW | Best practice recommendation | Using connection strings vs managed identity |

Report Format

{
  "scan_time": "2024-01-01T12:00:00Z",
  "files_scanned": 5,
  "issues": [
    {
      "severity": "CRITICAL",
      "file": "components/statestore.yaml",
      "line": 15,
      "message": "Plain-text password detected in 'redisPassword'",
      "recommendation": "Use secretKeyRef instead of value"
    }
  ],
  "summary": {
    "critical": 1,
    "high": 0,
    "medium": 2,
    "low": 3
  }
}

Auto-Fix Capabilities

For common issues, suggest automatic fixes:

Convert Plain-Text to SecretKeyRef

# Before
- name: password
  value: "mysecret"

# After (suggested)
- name: password
  secretKeyRef:
    name: app-secrets
    key: password

Add Missing Scopes

# Before
spec:
  type: secretstores.azure.keyvault
  ...

# After (suggested)
spec:
  type: secretstores.azure.keyvault
  ...
scopes:
  - app-id-1

Integration with CI/CD

The security scanner can be integrated into CI/CD pipelines:

# GitHub Actions example
- name: DAPR Security Scan
  run: python scripts/security-scan.py components/ --fail-on critical

Exit codes:

• 0: No issues or only LOW severity
• 1: MEDIUM or higher issues found
• 2: CRITICAL issues found