Skip to content

[Security Audit] Security hardening for plugin-cloudquery #169

Description

@fdelbrayelle

Summary

Security audit of plugin-cloudquery against OWASP Top 10 (2025), CWE Top 25, OWASP ASVS Level 1, Kestra Plugin-Specific Threats (KPS), and Supply Chain Dependency Hygiene.

Audit date: 2026-06-30
Auditor: AI-assisted scan (kestra-plugin-security-auditing skill)

Findings Overview

CRITICAL (tracked as sub-issues)

None

HIGH (tracked as sub-issues)

  • Credential env map included in Lombok @tostring output — src/main/java/io/kestra/plugin/cloudquery/AbstractCloudQueryCommand.java:31

MEDIUM (no sub-issue — remediate during next sprint)

None

LOW (no sub-issue — address opportunistically)

None

Acceptance Criteria

  • All CRITICAL sub-issues resolved and merged
  • All HIGH sub-issues resolved and merged
  • MEDIUM/LOW findings triaged: accepted, deferred with rationale, or fixed
  • Follow-up scan scheduled within 90 days

Standards


View full audit report as Artifact

Metadata

Metadata

Assignees

Labels

area/pluginPlugin-related issue or feature requestkind/securitySecurity-related issue

Type

Fields

No fields configured for Epic.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions