Version
Supported
0.x (current)
✅ Yes
Reporting a Vulnerability If you discover a security vulnerability in this project, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilitiesSend an email to: [security contact email]
Include the following information:
Description of the vulnerability
Steps to reproduce
Potential impact
Suggested fix (if any)
Acknowledgment : within 48 hoursInitial assessment : within 5 business daysFix timeline : depends on severity (critical: ASAP, high: 7 days, medium: 30 days)
All secrets are managed via environment variables (.env file)
The .env file is excluded from version control via .gitignore
Never commit real credentials to the repository
Use .env.example as a template with placeholder values
Required Environment Variables
Variable
Description
KEYCLOAK_DB_PASSWORDPostgreSQL password for Keycloak
APP_DB_PASSWORDPostgreSQL password for the application
KEYCLOAK_ADMIN_PASSWORDKeycloak admin console password
GRAFANA_ADMIN_PASSWORDGrafana admin password
KEYCLOAK_RESOURCE_CLIENT_IDOAuth2 client ID for token introspection
KEYCLOAK_RESOURCE_CLIENT_SECRETOAuth2 client secret for introspection
Authentication & Authorization
Authentication is handled by Keycloak (OAuth2 / OpenID Connect)
Token validation uses opaque token introspection (not JWT decoding)
Authorization is enforced via Spring Security @PreAuthorize annotations
Role-based access control (RBAC) with Keycloak realm roles
Rate limiting is enabled via Bucket4j with a custom servlet filter to prevent brute-force attacks
/api/auth/login: 5 requests per minute/api/clients: 20 requests per minute
Application container runs as a non-root user (app)
Multi-stage Docker build to minimize image size and attack surface
Base image: eclipse-temurin:25-jre-alpine
Dependencies are regularly updated
SonarCloud analysis is integrated into the CI pipeline