# Security Audit Report

**Date**: 2026-05-07
**Scope**: GPS-denied onboard runtime and replay infrastructure
**Verdict**: PASS_WITH_WARNINGS

## Summary

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 1 |

No Critical or High issues were found. The audit can proceed through the autodev gate, with hardening work recommended before production deployment.

## OWASP Top 10 Assessment

| Category | Status | Findings |
|----------|--------|----------|
| A01: Broken Access Control | PASS | — |
| A02: Cryptographic Failures | PASS_WITH_WARNINGS | Deployment key handling remains a release concern |
| A03: Injection | PASS | — |
| A04: Insecure Design | PASS_WITH_WARNINGS | S1 |
| A05: Security Misconfiguration | PASS_WITH_WARNINGS | S2 / I1 |
| A06: Vulnerable and Outdated Components | PASS | — |
| A07: Identification and Authentication Failures | NOT_APPLICABLE | No auth/session surface in current package |
| A08: Software and Data Integrity Failures | PASS_WITH_WARNINGS | I2 |
| A09: Security Logging and Monitoring Failures | PASS | — |
| A10: Server-Side Request Forgery | NOT_APPLICABLE | No URL-fetching runtime surface |

## Findings

| # | Severity | Category | Location | Title |
|---|----------|----------|----------|-------|
| 1 | Medium | Resource / Input Validation | `src/satellite_service/types.py:67` | VPR index JSON is read fully without size limits |
| 2 | Medium | Security Misconfiguration | `docker-compose.yml:7`, `docker-compose.yml:9`, `.env.example:5` | Default DB credentials and exposed port need dev/prod separation |
| 3 | Low | CI/CD Hardening | `.github/workflows/ci.yml` | CI lacks dependency audit / secret scan / SAST gates |

## Finding Details

### F1: VPR index JSON is read fully without size limits

**Severity**: Medium
**Category**: Resource / Input Validation
**Location**: `src/satellite_service/types.py:67`

`LocalVprIndexPackage.from_json_file()` reads an entire local descriptor package into memory before validation. Descriptor packages are part of the local cache trust boundary and can become large.

**Impact**: A malformed or unexpectedly large package could exhaust memory or stall startup/readiness on Jetson.

**Remediation**: Add a maximum file-size check before reading, cap descriptor record count and descriptor length, and require callers to load only manifest-validated package paths.

### F2: Default DB credentials and exposed port need dev/prod separation

**Severity**: Medium
**Category**: Security Misconfiguration
**Location**: `docker-compose.yml:7`, `docker-compose.yml:9`, `.env.example:5`

The default compose file uses `POSTGRES_PASSWORD=gpsd`, publishes Postgres on `5432:5432`, and the example database URL embeds `gpsd:gpsd`.

**Impact**: Safe enough as a local fixture convention, but risky if reused in staging, Jetson, or field deployment.

**Remediation**: Move credentials to ignored local `.env` files, document the default compose as development-only, bind Postgres to loopback for local runs, and require secret-manager sourced credentials for production/Jetson deploys.

### F3: CI lacks dependency audit / secret scan / SAST gates

**Severity**: Low
**Category**: CI/CD Hardening
**Location**: `.github/workflows/ci.yml`

CI runs format, lint, unit tests, and compose config validation, but not dependency audit, secret scanning, or SAST.

**Impact**: Vulnerable dependencies or accidentally committed secrets may be caught only during manual audits.

**Remediation**: Add `pip-audit`, a secret scanner such as Gitleaks/TruffleHog, and a lightweight SAST pass such as Semgrep or Ruff security rules.

## Dependency Vulnerabilities

| Package | CVE / Advisory | Severity | Fix Version |
|---------|----------------|----------|-------------|
| None | — | — | — |

## Positive Controls

- `pip-audit` reported no known vulnerabilities for the declared Python dependency set.
- No SQL construction, shell execution, dynamic code execution, Pickle/marshal use, weak crypto, hardcoded production secrets, or HTTP URL-fetching runtime surface was found in source.
- Runtime and replay Dockerfiles run as non-root `gpsd`.
- Cache manifest/hash validation, no in-flight satellite-provider access, MAVLink spoofing/source rejection, and FDR-visible security events are represented in code, docs, and tests.

## Recommendations

### Immediate

- None required for Critical/High severity because no Critical/High findings were found.

### Short-Term

- Add size/count limits to VPR descriptor package loading.
- Split local-development database credentials from production/Jetson deploy configuration and restrict local Postgres host binding.

### Long-Term

- Add dependency audit, secret scanning, and SAST to CI.
- Re-run security audit after the deploy step creates final production deployment artifacts.