
Security recommendations and information

Directory structure#

In the paths below, USER is the account that was used to install the application. After installation, the directory structure is:

  • /home/USER/path/to/the/app/: root directory for the application
  • /home/USER/path/to/the/app/backup: backup directory
  • /home/USER/path/to/the/app/opslog: log directory for operations run from the management CLI
  • /home/USER/path/to/the/app/download: temporary directory used to download the application (and updates) before deployment
  • /home/USER/path/to/the/app/images: unencrypted image file of the application
  • /etc/gitguardian: configuration of the application

TLS certificate#

Because the application displays sensitive information (secrets, your source code, etc.), only HTTPS access is allowed.

We recommend that you use a valid certificate issued for the FQDN you chose (e.g. dashboard.gitguardian.mycorp.local) and signed by a CA that is trusted both by your users' browsers and by the systems that will call the application, such as GitLab or GitHub webhooks (see the drawback of self-signed certificates below).

A TLS certificate is required to start the installation.

By default, only TLS 1.2 and TLS 1.3 are enabled, with a restricted set of strong cipher suites. Modern browsers have no issue with this configuration; if you run into one, please contact our support.

Here are the default protocols and ciphers enabled:

  • Protocols: TLS 1.2 / TLS 1.3
  • Ciphers:
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384

The two ciphers listed are TLS 1.2 suites; TLS 1.3 negotiates from its own fixed set of AEAD suites, which a TLS 1.2 cipher list does not control. Both TLS 1.2 suites authenticate the server with RSA, so the certificate you provide must carry an RSA key for TLS 1.2 clients to be able to connect.
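As an added example (not part of the GitGuardian documentation or product), the following script checks a deployment from the outside with the openssl CLI: parse_session reads the session block that `openssl s_client` prints, check_session compares the negotiated protocol and cipher against the documented set (plus the fixed TLS 1.3 suites), and probe_host confirms that TLS 1.0/1.1 handshakes are refused while TLS 1.2/1.3 succeed with a chain the client trusts. The host name, port and optional CA file are placeholders, and the embedded transcript is constructed sample data for the parser, not output from a real deployment.

```shell
#!/usr/bin/env bash
# Added example, not GitGuardian's own tooling: check from the outside that a
# deployed dashboard only negotiates TLS 1.2/1.3 with the documented suites.
# Assumptions: openssl CLI 1.1.1 or newer (for -tls1_3) and GNU sed; the host
# name used in the comments is the documentation's example FQDN, a placeholder.
set -u

ALLOWED_PROTOCOLS="TLSv1.2 TLSv1.3"
# The two TLS 1.2 suites from the documentation plus the TLS 1.3 suites a
# server may negotiate: TLS 1.3 has its own fixed suite list that a TLS 1.2
# cipher string does not control.
ALLOWED_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384"
ALLOWED_CIPHERS="$ALLOWED_CIPHERS TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256"

# Constructed transcript in the shape `openssl s_client` prints; sample data for
# the parser, not output captured from a real deployment.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)'

# Read an `openssl s_client` transcript on stdin and print "<protocol> <cipher>"
# taken from its SSL-Session block ("none" when a field is missing, e.g. when
# the handshake failed).
parse_session() {
  local out proto cipher
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*$/\1/p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*$/\1/p' | head -n 1)
  printf '%s %s\n' "${proto:-none}" "${cipher:-none}"
}

# Return 0 when both the protocol and the cipher are in the allowed sets.
check_session() {
  local proto="$1" cipher="$2"
  case " $ALLOWED_PROTOCOLS " in
    *" $proto "*) ;;
    *) echo "protocol not allowed: $proto" >&2; return 1 ;;
  esac
  case " $ALLOWED_CIPHERS " in
    *" $cipher "*) ;;
    *) echo "cipher not allowed: $cipher" >&2; return 1 ;;
  esac
}

# Live check (needs network, so not exercised by the sample): TLS 1.0 and 1.1
# handshakes must be refused; TLS 1.2 and 1.3 must succeed with an allowed
# suite and a certificate chain the client trusts (-verify_return_error makes
# s_client fail on an untrusted chain, which is what a self-signed certificate
# produces unless its CA is passed with -CAfile).
# Usage: probe_host dashboard.gitguardian.mycorp.local 443 [-CAfile ca.pem]
probe_host() {
  local host="$1" port="$2" v
  shift 2   # remaining arguments are passed through to s_client
  for v in -tls1 -tls1_1; do
    if openssl s_client -connect "$host:$port" -servername "$host" "$v" \
        </dev/null >/dev/null 2>&1; then
      echo "FAIL: $host accepted $v" >&2; return 1
    fi
  done
  for v in -tls1_2 -tls1_3; do
    openssl s_client -connect "$host:$port" -servername "$host" "$v" \
        -verify_return_error "$@" </dev/null 2>/dev/null \
      | parse_session | { read -r p c; check_session "$p" "$c"; } || return 1
  done
  echo "OK: $host negotiates only TLS 1.2/1.3 with the expected suites"
}

# Offline demonstration on the constructed transcript.
demo() {
  local parsed
  parsed=$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | parse_session)
  # shellcheck disable=SC2086  (intentionally unquoted: splits into protocol and cipher)
  check_session $parsed && echo "sample session accepted: $parsed"
}

demo
```

Run probe_host against the FQDN you configured once the installation is up; a self-signed certificate makes the TLS 1.2/1.3 legs fail on chain verification until you pass the signing CA with -CAfile, which is the same trust problem the webhook section below describes.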

Drawback with self-signed certificates#

If you use a self-signed certificate with the application, you need to take care of SSL verification for GitLab or GitHub webhooks: it is enabled by default on their side, so webhook deliveries to the application fail until you disable it. Disabling verification removes the protection against interception of the webhook traffic, so anyone able to sit on the network path can read or tamper with the payloads. The safer option is a certificate from a CA the caller trusts: a publicly trusted CA for GitHub.com, or a private CA that your self-managed GitLab instance has been configured to trust.

Security recommendations#

Because the database will contain sensitive information (your source code, detected leaks, etc.), we highly recommend that you encrypt the file system it is stored on. The backup and images directories listed above hold data from the same installation (the image files are not encrypted), so give them the same treatment.

Also, restrict access to the host running the application to the people who really need it (e.g. those who manage the host and the application deployment).
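To complement the directory layout above and the two recommendations in this section, here is an added audit script (not GitGuardian's own tooling) that checks each documented directory for ownership and for any group/other permission bits, and reports whether the file system holding the install sits on a dm-crypt (LUKS) block device. It assumes a Linux host with GNU coreutils and util-linux; the owner, the install root and the root ownership of /etc/gitguardian are assumptions to adjust to your deployment.

```shell
#!/usr/bin/env bash
# Added example, not GitGuardian's own tooling: audit the installation tree and
# /etc/gitguardian for loose permissions, and report whether the file system
# holding the install sits on an encrypted block device. Assumes Linux with GNU
# coreutils (stat -c) and util-linux (findmnt, lsblk). The owner, the install
# root and root ownership of /etc/gitguardian are assumptions to adjust.
set -u

# Check one path: it must exist, belong to $owner (name or uid) and grant no
# group/other access at all.
audit_path() {
  local path="$1" owner="$2" mode actual_owner actual_uid
  [ -e "$path" ] || { echo "MISSING   $path"; return 1; }
  mode=$(stat -c '%a' "$path")
  actual_owner=$(stat -c '%U' "$path")
  actual_uid=$(stat -c '%u' "$path")
  if [ "$actual_owner" != "$owner" ] && [ "$actual_uid" != "$owner" ]; then
    echo "OWNER     $path owned by $actual_owner, expected $owner"; return 1
  fi
  # %a is the octal mode (700, 750, 2755, ...); the last two digits are the
  # group and other bits and must both be 0.
  case "$mode" in
    *00) echo "OK        $path ($mode, $actual_owner)"; return 0 ;;
    *)   echo "PERM      $path has mode $mode; group/other access must be 0"; return 1 ;;
  esac
}

# Audit every path listed after the owner; return 1 if any check fails, but
# keep going so the report is complete.
audit_paths() {
  local owner="$1" rc=0 p
  shift
  for p in "$@"; do
    audit_path "$p" "$owner" || rc=1
  done
  return "$rc"
}

# Report whether the file system holding $path is on a dm-crypt (LUKS) device,
# walking through LVM or RAID layers with `lsblk --inverse`. Informational
# only: it says nothing about file- or application-level encryption.
fs_encryption_hint() {
  local path="$1" dev
  dev=$(findmnt -no SOURCE --target "$path" 2>/dev/null) \
    || { echo "UNKNOWN   $path (findmnt failed)"; return 2; }
  if lsblk -no TYPE --inverse "$dev" 2>/dev/null | grep -qw crypt; then
    echo "ENCRYPTED $path on $dev"; return 0
  fi
  echo "PLAINTEXT $path on $dev (no dm-crypt layer found)"; return 1
}

# Audit the documented layout for one install.
# Usage: audit_install USER /home/USER/path/to/the/app
audit_install() {
  local owner="$1" root="$2" rc=0
  audit_paths "$owner" "$root" "$root/backup" "$root/opslog" \
    "$root/download" "$root/images" || rc=1
  audit_paths root /etc/gitguardian || rc=1   # assumed root-owned
  fs_encryption_hint "$root" || true          # informational, does not affect rc
  return "$rc"
}

# Run against a real install when the owner and root are given on the command line.
if [ "$#" -eq 2 ]; then
  audit_install "$1" "$2"
fi
```

A PLAINTEXT result from fs_encryption_hint does not prove the data is unprotected (the device may be encrypted by other means), and an ENCRYPTED result only covers data at rest on that block device; the permission checks are what keep other local accounts on the host away from the backups, images and configuration.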