Fix high-severity security findings from project audit#651
Conversation
Address three HIGH findings from the 2026-06-25 security audit: 1. VPC Flow Logs: Add aws_flow_log with KMS-encrypted CloudWatch log group to the VPC module, gated behind enable_vpc_flow_logs flag (FedRAMP AU-12 network audit trail). 2. Kubernetes NetworkPolicies: Add ingress/egress NetworkPolicy templates to maestro-server, platform-api, hyperfleet-api, and hyperfleet-sentinel charts. Gated behind networkPolicy.enabled (defaults to false for safe rollout). 3. CI Containerfile: Add USER 65534 so CI tasks no longer run as root. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 53 minutes and 52 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (13)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Addresses three HIGH severity findings from a full-project security audit (2026-06-25):
aws_flow_logwith KMS-encrypted CloudWatch log group to the VPC module, gated behindenable_vpc_flow_logsvariable (FedRAMP AU-12 network audit trail)NetworkPolicytemplates tomaestro-server,platform-api,hyperfleet-api, andhyperfleet-sentinelcharts, gated behindnetworkPolicy.enabled(defaults tofalsefor safe rollout)USER 65534toci/Containerfileso CI tasks no longer run as root, matching the pattern inplatform-image/DockerfileAll changes are gated behind feature flags that default to off, so this PR is safe to merge without affecting existing deployments. Production environments should enable the flags explicitly.
Test plan
make terraform-fmtpasses (verified locally)terraform validateonterraform/modules/vpc/withenable_vpc_flow_logs = truenetworkPolicy.enabled: trueand verify pod connectivityUSER 65534(OpenShift random-UID + chmod 777 cache dirs should handle this)enable_vpc_flow_logs = truein a test region and confirm flow logs appear in CloudWatch🤖 Generated with Claude Code