DAPR Security Scanner

Proactively scan DAPR configurations for security vulnerabilities and best practice violations.

When to Activate

This skill should be invoked:

• When component YAML files are created or modified
• When the user asks about security concerns
• Before deployment to production
• During code review of DAPR configurations

Security Checks

1. Plain-Text Secrets Detection

Scan for hardcoded credentials in component files:

# BAD - Plain text secret
- name: connectionString
  value: "Server=myserver;Password=secret123"

# GOOD - Using secret reference
- name: connectionString
  secretKeyRef:
    name: db-secrets
    key: connectionString

Check for:

• password, secret, key, token, credential in value fields
• Connection strings with embedded passwords
• API keys in plain text
• Base64-encoded secrets (still exposed)

2. Missing Secret Store References

Verify sensitive fields use secretKeyRef:

# Required for these field patterns:
- *password*
- *secret*
- *key* (except keyName for crypto)
- *token*
- *credential*
- connectionString
- accessKey
- apiKey

3. Component Scope Validation

Check that sensitive components have scopes defined:

# Components requiring scopes:
- secretstores.* - MUST have scopes
- state.* with sensitive data - SHOULD have scopes
- pubsub.* - SHOULD have scopes
- bindings.* with write access - SHOULD have scopes

4. Managed Identity Recommendations

Flag connection string usage when managed identity is available:

# Azure components should prefer:
- azureClientId (for managed identity)
# Over:
- connectionString
- accountKey

5. ACL Configuration

Verify access control is properly configured:

• Check for accessControl in Configuration resources
• Verify defaultAction: deny is set
• Ensure service-specific policies exist

6. mTLS Configuration

Check mutual TLS settings:

spec:
  mtls:
    enabled: true  # Should be true for production

7. Resiliency Policy Validation

Verify resiliency policies exist for production:

• Check for Resiliency resource
• Verify circuit breakers for external services
• Check retry policies have reasonable limits

Scanning Commands

Scan Single File

python scripts/security-scan.py path/to/component.yaml

Scan All Components

python scripts/security-scan.py components/

Generate Report

python scripts/security-scan.py --report security-report.json

Severity Levels

Severity	Description	Examples
CRITICAL	Immediate security risk	Plain-text passwords, exposed API keys
HIGH	Significant vulnerability	Missing scopes on secret stores, no mTLS
MEDIUM	Security improvement needed	No resiliency policies, missing ACLs
LOW	Best practice recommendation	Using connection strings vs managed identity

Report Format

{
  "scan_time": "2024-01-01T12:00:00Z",
  "files_scanned": 5,
  "issues": [
    {
      "severity": "CRITICAL",
      "file": "components/statestore.yaml",
      "line": 15,
      "message": "Plain-text password detected in 'redisPassword'",
      "recommendation": "Use secretKeyRef instead of value"
    }
  ],
  "summary": {
    "critical": 1,
    "high": 0,
    "medium": 2,
    "low": 3
  }
}

Auto-Fix Capabilities

For common issues, suggest automatic fixes:

Convert Plain-Text to SecretKeyRef

# Before
- name: password
  value: "mysecret"

# After (suggested)
- name: password
  secretKeyRef:
    name: app-secrets
    key: password

Add Missing Scopes

# Before
spec:
  type: secretstores.azure.keyvault
  ...

# After (suggested)
spec:
  type: secretstores.azure.keyvault
  ...
scopes:
  - app-id-1

Integration with CI/CD

The security scanner can be integrated into CI/CD pipelines:

# GitHub Actions example
- name: DAPR Security Scan
  run: python scripts/security-scan.py components/ --fail-on critical

Exit codes:

• 0: No issues or only LOW severity
• 1: MEDIUM or higher issues found
• 2: CRITICAL issues found