Security Best Practices

This section outlines security best practices implemented in the Balena Prometheus exporter.

1. API Token Security:

The BALENA_TOKEN environment variable is used to authenticate with the Balena API. This token should be stored securely and never exposed in the code or directly within the Dockerfile. Instead, it should be passed as an environment variable at runtime:

$ docker run -d \
    --name balena-exporter \
    -p 8000:8000 \
    -e BALENA_TOKEN=YOUR_BALENA_TOKEN \
    balena-exporter
          

2. Preventing Code Injection Vulnerabilities:

The exporter does not directly process user input from the Balena API, reducing the risk of code injection vulnerabilities. However, it’s crucial to keep dependencies updated and ensure all libraries used are secure.

3. Sensitive Data Handling:

The exporter retrieves device online status from the Balena API and doesn’t store any sensitive information. It’s crucial to ensure the Balena API credentials are kept secure, as they grant access to device data.
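
An added example, not the exporter's own code, for the token handling in items 1 and 3: it reads BALENA_TOKEN from the runtime environment, refuses to start without it, and masks the value if it ever reaches a log line. The function, class and logger names and the sample token are assumptions constructed for illustration.

```python
import io
import logging
import os


class TokenRedactingFilter(logging.Filter):
    """Mask the API token if it ever reaches a log record (hypothetical helper)."""

    def __init__(self, token: str):
        super().__init__()
        self._token = token

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()  # text with its %-arguments already merged
        if self._token in message:
            record.msg = message.replace(self._token, "[REDACTED]")
            record.args = None
        return True  # keep the record; only its text changes


def load_balena_token(environ=os.environ) -> str:
    """Return the token injected at runtime (docker run -e), or fail closed."""
    token = environ.get("BALENA_TOKEN", "").strip()
    if not token or token == "YOUR_BALENA_TOKEN":
        # A missing value or the documentation placeholder must stop startup.
        raise RuntimeError("BALENA_TOKEN is not set; pass it with -e at runtime")
    return token


def build_logger(token: str, handler: logging.Handler) -> logging.Logger:
    handler.addFilter(TokenRedactingFilter(token))
    logger = logging.getLogger("balena-exporter-example")
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.propagate = False  # do not hand records to unfiltered root handlers
    return logger


def demo() -> str:
    """Log a line containing a constructed token; return what was written."""
    stream = io.StringIO()
    token = load_balena_token({"BALENA_TOKEN": "constructed-sample-token-123"})
    logger = build_logger(token, logging.StreamHandler(stream))
    logger.info("API call failed, header was: Bearer %s", token)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter is attached to the handler, so any additional handler that writes logs elsewhere needs the same filter.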

4. Secure Exporter Deployment:

The Dockerfile includes steps to ensure a secure image build and deployment process. The USER directive sets the container user to nobody, limiting the potential impact of vulnerabilities.

5. Unit Testing:

The codebase includes unit tests that help to validate the core functionality and ensure the absence of security-related issues.

Note: This outline provides a general overview of security best practices applied. It is recommended to stay informed about security vulnerabilities and adopt best practices to ensure secure development.


## Top-Level Directory Explanations

`tests/` - This directory contains all the unit and integration tests for the project. It includes the `__init__.py` file which makes it a package, and specific test files like `test_exporter.py`.