Security hardening: credential scoping, S3 encryption, scanner logging #788

Merged: Schmarvinius merged 9 commits into main from security-hardening on Apr 14, 2026

@Schmarvinius (Collaborator) commented Apr 10, 2026

Security Hardening: Credential Scoping, S3 Encryption, and Scanner Logging

Bug Fix / Security

🔒 This PR applies several security and observability improvements: cloud storage credentials are now scoped to only the jobs that require them, S3 uploads are enforced with server-side encryption, and malware scanner error logs now include entity context for better diagnostics.

Changes

  • .github/workflows/pipeline.yml: Moved cloud storage credentials (AWS, Azure, GCP) from the global env block to the integration-tests job-level env block, ensuring secrets are only exposed to jobs that actually need them.

  • AWSClient.java: Added ServerSideEncryption.AES256 to all S3 PutObjectRequest calls, enforcing server-side encryption at rest for uploaded attachments.

  • AWSClientTest.java: Added a dedicated test testUploadContentSetsServerSideEncryption to verify that every upload request includes the AES256 server-side encryption setting.

  • DefaultAttachmentMalwareScanner.java: Updated scanDocument to accept the CdsEntity parameter, enabling error log messages to include the entity's qualified name alongside the content ID when a scan failure occurs — improving traceability of scan errors.

PR Bot Information

Version: 1.20.11

  • Output Template: Default Template
  • Summary Prompt: Default Prompt
  • Event Trigger: issue_comment.created
  • LLM: anthropic--claude-4.6-sonnet
  • File Content Strategy: Full file content
  • Correlation ID: 942ed330-34f3-11f1-90c9-773dc2f9de58
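
A check for the credential-scoping change described above, added here as an example; it is not code from this PR or the project. It flags `${{ secrets.* }}` references in a workflow's top-level `env` block. The sample workflows, secret names and job layout are constructed placeholders, and the parser assumes block-style YAML with top-level keys at column 0.

```python
import re

# Constructed sample workflows; secret and job names are placeholders, not the project's.
BEFORE = """\
name: pipeline
env:
  JAVA_VERSION: "17"
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }}
jobs:
  build:
    runs-on: ubuntu-latest
  integration-tests:
    runs-on: ubuntu-latest
"""

AFTER = """\
name: pipeline
env:
  JAVA_VERSION: "17"
jobs:
  build:
    runs-on: ubuntu-latest
  integration-tests:
    runs-on: ubuntu-latest
    env:
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AZURE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

def globally_scoped_secrets(workflow_text):
    """Return (env_var, secret_name) pairs set in the workflow-level env block."""
    findings, in_global_env = [], False
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a top-level key starts at column 0
            in_global_env = line.split("#")[0].rstrip() == "env:"
            continue
        if in_global_env:                    # job-level env blocks are indented deeper
            var = line.strip().split(":", 1)[0]
            findings += [(var, s) for s in SECRET_REF.findall(line)]
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, globally_scoped_secrets(text))
```

Run against each file under `.github/workflows/` in CI, a non-empty result can fail the build so that secrets do not drift back into the global `env` block.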

@hyperspace-insights (Contributor)

Summary

The following content is AI-generated and provides a summary of the pull request:


Security Hardening: Credential Scoping, S3 Encryption, and Scanner Logging

Bug Fix / Security

🔒 This PR applies several security hardening improvements: scoping cloud storage credentials to only the jobs that need them, enabling server-side encryption for S3 uploads, and enriching malware scanner error logs with entity context.

Changes

  • .github/workflows/pipeline.yml: Moved AWS, Azure, and GCP cloud storage credentials from the global env block (available to all workflow jobs) to the integration-tests job-level env block, limiting secret exposure to only the job that requires them.

  • AWSClient.java: Added ServerSideEncryption.AES256 to the PutObjectRequest builder to enable SSE-S3 server-side encryption for all S3 object uploads as a defense-in-depth measure.

  • DefaultAttachmentMalwareScanner.java: Updated the scanDocument method to accept a CdsEntity parameter, enabling error log messages to include the qualified entity name (e.g., "Error while scanning attachment {} in entity {}.") for improved observability and debugging.

  • AWSClientTest.java: Added a new test testUploadContentSetsServerSideEncryption (via argThat matcher) to verify that PutObjectRequest always carries ServerSideEncryption.AES256. Also imported assertEquals and ServerSideEncryption for test assertions.


PR Bot Information

Version: 1.20.11

  • File Content Strategy: Full file content
  • LLM: anthropic--claude-4.6-sonnet
  • Correlation ID: 7f1c62a0-34f3-11f1-9a92-7d9361aac18d
  • Output Template: Default Template
  • Summary Prompt: Default Prompt
  • Event Trigger: pull_request.opened


@hyperspace-insights hyperspace-insights bot (Contributor) left a comment

The PR is well-structured with meaningful security improvements. The only issues found are a minor unused import and test code duplication in AWSClientTest.java — the core logic changes across all three files are correct.


@hyperspace-insights hyperspace-insights bot deleted a comment from Schmarvinius Apr 10, 2026
@Schmarvinius Schmarvinius requested a review from a team April 10, 2026 15:48
@Schmarvinius Schmarvinius requested a review from lisajulia April 13, 2026 10:01
@Schmarvinius Schmarvinius requested review from lisajulia and removed request for lisajulia April 13, 2026 19:46
@Schmarvinius Schmarvinius merged commit e4444e1 into main Apr 14, 2026
3 checks passed
@Schmarvinius Schmarvinius deleted the security-hardening branch April 14, 2026 08:52