Security Model

This page describes the controls that exist today in SecureObs private beta.

Authentication

Dashboard

Dashboard authentication uses Microsoft Entra ID:

  • the SPA uses MSAL with PKCE;
  • the backend validates JWT bearer tokens with Microsoft.Identity.Web;
  • both personal Microsoft accounts and work or school accounts are supported through the common authority endpoint;
  • the SPA does not use a client secret.

CI Pipelines

CI pipelines authenticate with an API key.

API keys are:

  • generated in the dashboard;
  • shown once to the creator;
  • stored only as SHA-256 hashes;
  • revocable;
  • optionally expiring;
  • tenant-scoped or project-scoped.

A project-scoped key cannot ingest findings for a different project.
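As an added illustration of the key lifecycle just described (example code, not SecureObs's own implementation; the `sobs_` prefix, the key ids and the in-memory store are assumptions), the following Python keeps only SHA-256 hashes of minted keys and enforces revocation, expiry and project scope when a CI pipeline presents a key for ingestion:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ApiKeyRecord:
    key_hash: str                     # hex SHA-256 of the raw key; raw key is never stored
    tenant_id: str
    project_id: Optional[str] = None  # None means tenant-scoped
    expires_at: Optional[datetime] = None
    revoked: bool = False

class ApiKeyStore:
    """In-memory stand-in for the key table (constructed for this example)."""
    def __init__(self) -> None:
        self._records: dict[str, ApiKeyRecord] = {}  # key_id -> record

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create(self, tenant_id: str, project_id: Optional[str] = None,
               ttl_seconds: Optional[int] = None) -> tuple[str, str]:
        """Mint a key: the raw value is returned exactly once, only its hash is kept."""
        raw_key = "sobs_" + secrets.token_urlsafe(32)  # prefix is an assumed convention
        key_id = secrets.token_hex(8)
        expires_at = None
        if ttl_seconds is not None:
            expires_at = datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)
        self._records[key_id] = ApiKeyRecord(self._digest(raw_key), tenant_id, project_id, expires_at)
        return key_id, raw_key

    def revoke(self, key_id: str) -> None:
        self._records[key_id].revoked = True

    def authorize_ingest(self, raw_key: str, tenant_id: str, project_id: str) -> bool:
        """True only if the presented key is live and scoped to this tenant and project."""
        presented = self._digest(raw_key)
        now = datetime.now(timezone.utc)
        for rec in self._records.values():
            if not hmac.compare_digest(rec.key_hash, presented):
                continue
            if rec.revoked or (rec.expires_at is not None and rec.expires_at <= now):
                return False
            if rec.tenant_id != tenant_id:
                return False
            # A project-scoped key may only ingest findings for its own project.
            return rec.project_id is None or rec.project_id == project_id
        return False  # unknown key
```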

Authorization

Every protected API endpoint checks tenant membership before doing work. Core tenant-scoped tables are additionally protected with PostgreSQL row-level security (with FORCE ROW LEVEL SECURITY enabled), enforced against the restricted runtime database role that the application connects as.

Tenant membership roles:

Role     Capabilities
Owner    Manage tenant, members, settings, scanners, build gate
Admin    Manage members, scanners, build gate
Member   View and triage findings

The role model is intentionally coarse during private beta.

Tenant Isolation

Every tenant-scoped row carries a TenantId. The application layer filters by tenant and checks membership. PostgreSQL row-level security backs the core tables so cross-tenant rows remain invisible to the runtime database role even if an application query were to miss a filter.

RLS currently covers the core finding/project/audit tables, not every table. See known limitations.

Secret Handling

SecureObs does not store:

  • raw API keys;
  • user passwords;
  • Stripe payment instruments;
  • full repository contents from normal CI scans;
  • raw Terraform plan JSON from plan mode;
  • cloud credentials for Terraform execution.

API key headers are excluded from application telemetry.

Transport And Headers

Production traffic uses HTTPS. The API sets HSTS in production, validates the configured CORS origins at startup, and refuses the unsafe combination of a wildcard origin with credentialed CORS outside development.

Audit Trails

SecureObs records:

  • suppression and status-change audit entries;
  • finding access audit entries;
  • Stripe webhook event IDs for idempotency.

Audit writes are designed not to break the read path if logging fails.

Responsible Disclosure

Report sensitive security issues to security@secureobs.com.