Security: MrAkashKumar/codePulse

docs/SECURITY.md

Security Model

This library analyzes source code and produces reports that may contain architecture details, method names, file paths, and source snippets. Treat every generated report as internal engineering data.

Safe Defaults

  • redactSecrets: true
  • exposeSourceSnippets: false
  • exposeAbsolutePaths: false
  • allowSourceIncludesOutsideProject: false
  • apiAllowOrigin: ""
  • apiRequireToken: false

These defaults mean reports keep useful findings while reducing accidental exposure. Teams can enable snippets for trusted local debugging:

exposeSourceSnippets: true

Local API Exposure

The API server binds only to 127.0.0.1. It does not send Access-Control-Allow-Origin: *. If another local UI must call it, configure a single exact origin:

apiAllowOrigin: "http://127.0.0.1:3000"

Protect full report APIs in enterprise use:

apiRequireToken: true
apiAuthToken: "replace-with-a-secret-from-your-secret-manager"

Then call:

curl -H "Authorization: Bearer replace-with-a-secret-from-your-secret-manager" \
  http://127.0.0.1:8765/api/report

Token-protected endpoints:

  • /api/report
  • /api/findings

The remaining endpoints (dashboard, summary, analytics, MCP status, and health) are not token-protected; they are designed for local developer viewing and lightweight integrations.

Report Redaction

The sanitizer redacts common secret shapes:

  • private key blocks
  • AWS access keys
  • GitHub and Slack tokens
  • JWTs
  • bearer/basic auth headers
  • URLs containing credentials
  • assignments such as password=, apiKey=, secret=, and accessToken=

The sanitizer is intentionally conservative and should be backed by your normal secret-scanning tooling in CI.
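
As an added illustration of the redaction approach described above (example code written for this page, not codePulse's own sanitizer), the block below applies one regex rule per secret shape in the list, in a fixed order, to a constructed report fragment and returns the redacted text plus a hit count per rule. The patterns, the rule names, and the sample credentials are all assumptions made for the example; the sanitizer is conservative in the same spirit as the text, so it keeps the non-secret prefix (header name, URL scheme, assignment key) and replaces only the secret itself.

```python
import re

# Rules for the secret shapes listed above, in application order. These are
# constructed for this example and are not codePulse's own sanitizer rules.
# Each entry: (name, pattern, replacement); \1/\2 keep the non-secret prefix.
RULES = [
    ("PRIVATE_KEY", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
        "[REDACTED_PRIVATE_KEY]"),
    ("AUTH_HEADER", re.compile(r"(?i)(Authorization:\s*(?:Bearer|Basic)\s+)[^\s'\"]+"),
        r"\1[REDACTED_AUTH_HEADER]"),
    ("URL_CREDENTIALS", re.compile(r"(?i)(\b[a-z][a-z0-9+.-]*://)[^/\s:@]+:[^/\s@]+@"),
        r"\1[REDACTED_URL_CREDENTIALS]@"),
    ("ASSIGNMENT", re.compile(
        r"(?i)\b(password|apiKey|secret|accessToken)(\s*[=:]\s*['\"]?)[^'\"\s,;]+"),
        r"\1\2[REDACTED_ASSIGNMENT]"),
    ("AWS_ACCESS_KEY", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED_AWS_ACCESS_KEY]"),
    ("GITHUB_TOKEN", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"), "[REDACTED_GITHUB_TOKEN]"),
    ("SLACK_TOKEN", re.compile(r"\bxox[abpors]-[A-Za-z0-9-]{10,}\b"), "[REDACTED_SLACK_TOKEN]"),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"), "[REDACTED_JWT]"),
]


def sanitize(text: str) -> tuple[str, dict[str, int]]:
    """Apply every rule in order; return the redacted text and hits per rule."""
    counts: dict[str, int] = {}
    for name, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        if n:
            counts[name] = n
    return text, counts


# Constructed report fragment with fake credentials (the AWS key id is the
# documented example value, the rest are made up for this demonstration).
SAMPLE_REPORT = """\
String awsKey = "AKIAIOSFODNN7EXAMPLE";
String ghToken = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
String jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl";
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl
db.url=postgres://svc_user:hunter2@db.internal:5432/app
password = "correct-horse-battery-staple"
slackHook: xoxb-123456789012-abcdefghijkl
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKconstructedNotARealKey
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    redacted, hits = sanitize(SAMPLE_REPORT)
    print(redacted)
    print(hits)
```

Running the sanitizer twice yields the same output, so it can be applied safely to a report that was already partially redacted upstream.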

Dependency Security

Current direct dependencies were updated during the hardening pass:

  • com.github.javaparser:javaparser-core to 3.28.0
  • com.fasterxml.jackson:* to 2.21.3
  • info.picocli:picocli to 4.7.7

The Jackson update matters because GitHub Advisory Database entry GHSA-72hv-8253-57qq lists older jackson-core ranges as affected by a non-blocking parser DoS issue, with patched 2.x versions at 2.18.6 and 2.21.1. This project now uses 2.21.3.

Run dependency scanning before release:

mvn test
mvn org.owasp:dependency-check-maven:check

Also enable Dependabot/Renovate or your enterprise SCA scanner for the Maven project.

File-System Boundaries

By default, sourceIncludes entries outside the selected project root are skipped. This prevents a project-local config from accidentally scanning another local repository or sensitive directory.

Generated and tool-managed folders are ignored during Java scanning:

  • target
  • build
  • .git
  • .gradle
  • node_modules

Remaining Responsibilities

Analyze Flow is not a full security scanner. It does not replace SAST, DAST, dependency scanning, SBOM generation, secret scanning, or code review. It is a performance and architecture analyzer with safe report handling.