Piwi Dashboard is a self-hosted application that can store sensitive material on your behalf — AI provider API keys, SCM access tokens, webhook secrets, user credentials, and the contents of your test artifacts. We take reports about anything that could expose that data seriously.
Please do not open a public issue for security problems.
Report vulnerabilities privately via GitHub Security Advisories ("Report a vulnerability" on the repository's Security tab). You'll get an acknowledgment as soon as the report is seen — normally within a few days — and we'll keep you informed as the fix progresses.
Please include, where possible:
- The version you tested (
0.x.y, or the/api/versionoutput) and how it was deployed (Docker, source). - Reproduction steps or a proof of concept.
- The impact you believe it has (what an attacker gains).
If you can't use GitHub's private reporting, open a regular issue that says only "security report — please reach out" without details, and a maintainer will contact you.
Reports we especially care about:
- Authentication or authorization bypass (roles, project-level permissions, API keys, stream tokens).
- Exposure of stored secrets (AI keys, SCM tokens, webhook secrets) or of other projects' data.
- Injection of any kind (SQL, XSS through stored test results/error messages/attachments, SSRF via configured URLs).
- Path traversal in file storage or the
/api/files/*routes.
Out of scope: reports that require an already-compromised host, denial of service by an authenticated reporter flooding its own instance, and issues in third-party dependencies without a demonstrated impact here (though heads-ups are welcome).
Piwi Dashboard is pre-1.0: fixes land on main and ship in the next release. Only the latest release is supported — please reproduce on the current version before reporting.
The deployment guide covers the essentials; the short version:
- Set
PIWI_SECRET_KEYso stored credentials are encrypted with your key, not the built-in development default. - Enable authentication (
PIWI_AUTH_ENABLED=true+PIWI_AUTH_SECRET) before exposing the dashboard beyond localhost. - Put the dashboard behind HTTPS (reverse proxy) and keep the container up to date.