Skip to content

Security: azimuttapp/inspector

Security

docs/security.md

Security

Azimutt Inspector is built with security in mind to avoid any significative database impact or data leak. The two main mechanisms for that are:

  • on-premise deployment with no external dependency (air-gapped)
  • read-only access to system tables only for managed databases

Main components and concerns

Deployment & Storage

  1. The application is deployed on-premise, allowing air-gapped environments (all workloads are running on your servers)
  2. It uses PostgreSQL or SQLite as only storage, defined with DATABASE_URL environment variable (all data is stored on your servers)
  3. Secrets (like monitored database connection or provider keys) are encrypted with AES-256-GCM using the provided key (APP_SECRET, supports rotation)
  4. Secrets can reference environment variables instead of their actual value, allowing to store no sensitive information at all
  5. Secrets can't be serialized automatically, preventing accidental log or api leak

Authentication / Authorization

  1. Authentication uses JWT tokens stored in user local storage with configurable expiration delay, signed using the provided key (AUTH_JWT_SECRET, supports rotation)
  2. Authentication is made with local users (stored in the Azimutt database) with passwords hashed with bcrypt with strength factor 12
  3. Authorization is made with configurable roles giving access to 25+ hierarchical permissions (config, monitoring, database, assistant... read/write)
  4. All API endpoints are protected by default and require a permission, unless explicitly stated (authentication, health check, assets...)
  5. There is an emergency user, defined using environment variables (AUTH_EMERGENCY_USER/AUTH_EMERGENCY_PASS) that bypasses authorizations (recommended to set it only when needed); any login with it is logged with warning level

Monitored database access

  1. Azimutt requires SQL connections to monitored databases with read-only access to system tables only (metadata/statistics, not your tables content)
  2. All monitored instances have a single connection pool with one connection for all queries (per Azimutt server, prevent too many connections)
  3. Supports SSL/TLS

AI

  1. Azimutt LLMs are configured with your credentials, either from a provider (OpenAI, Google...) or self-hosted (Ollama, LM Studio...)

Data retention

  1. All collectors, analyzers and notifiers have defined data retention

Tech stack

  1. Full TypeScript: NestJS (backend) and React (frontend)
  2. Security libraries: bcrypt (password hashing), jsonwebtoken (JWT) and native Node.js crypto module (AES-256-GCM encryption for secrets)
  3. The project uses a lockfile to control and verify dependency versions

There aren’t any published security advisories