Security model
mipo is designed for environments where every component must be auditable. This reference covers the scanner supply chain, the two authentication boundaries, access control, transport security, backups, and the audit guarantees.
Scanner supply chain
The scanner is a single statically-linked Go binary built entirely from the standard library: zero third-party dependencies and no require entries in go.mod. The whole source fits in one directory and can be audited in a sitting. There is no auto-update channel and no telemetry, so every binary on your network was placed there deliberately, and upgrades are a manual operator action.
Releases are signed with Ed25519. The private key lives only in the builder's signing environment: CI for mipo-built releases, or the organization's own build process for releases built from source. It is never checked into the repository and never baked into a container. The public key (scanner.pub) is committed to the source repository, so hosts pin it from a channel the manager cannot touch. The install tooling verifies fail-closed when a signature and a pinned key are present, and falls back to SHA-256 verification when they are not. Pin the key wherever you can: a compromised manager can serve a tampered binary together with a matching hash, but it cannot forge the signature. Organizations that build from source sign with their own key and become their own signing authority.
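The verification rule above, worked through as an added example (this is illustrative code, not mipo's install tooling; the function names, the "half-configured" rejection when only one of key or signature is present, and the constructed "binary" bytes are assumptions). It signs a release with a throwaway Ed25519 key, then replays a compromised manager serving a tampered copy with a freshly computed SHA-256: the host that pinned scanner.pub rejects it, the host that never pinned a key accepts it on the digest alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Verdict names which check a candidate scanner binary passed.
type Verdict string

const (
	VerdictSignature Verdict = "ed25519-signature" // pinned key present, signature verified
	VerdictHashOnly  Verdict = "sha256-fallback"   // no pinned key and no signature: digest match only
	VerdictRejected  Verdict = "rejected"
)

var (
	ErrBadSignature = errors.New("signature does not verify against pinned key")
	ErrBadDigest    = errors.New("sha256 digest mismatch")
	ErrHalfConfig   = errors.New("pinned key and signature must both be present")
)

// VerifyRelease is a hypothetical stand-in for the install tooling's check.
// Rule: when a pinned public key and a signature are both present, only the
// signature decides (fail closed). When neither is present, fall back to a
// SHA-256 digest comparison. Anything in between (key without signature,
// malformed key, malformed signature) is an error, not a downgrade; that
// choice is an assumption of this example, not documented mipo behaviour.
func VerifyRelease(binary []byte, pinnedPub ed25519.PublicKey, sig []byte, expectedSHA256Hex string) (Verdict, error) {
	havePub := len(pinnedPub) == ed25519.PublicKeySize
	haveSig := len(sig) == ed25519.SignatureSize
	switch {
	case havePub && haveSig:
		if ed25519.Verify(pinnedPub, binary, sig) {
			return VerdictSignature, nil
		}
		return VerdictRejected, ErrBadSignature
	case len(pinnedPub) > 0 || len(sig) > 0:
		return VerdictRejected, ErrHalfConfig
	}
	if SHA256Hex(binary) != expectedSHA256Hex {
		return VerdictRejected, ErrBadDigest
	}
	return VerdictHashOnly, nil
}

// SHA256Hex is what a release manifest (or a compromised manager) would publish.
func SHA256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Outcome collects the verdicts for the three cases walked in Scenario.
type Outcome struct {
	Genuine          Verdict // signed binary, key pinned: accepted on the signature
	TamperedPinned   Verdict // tampered binary + attacker-chosen digest, key pinned: rejected
	TamperedFallback Verdict // same tampered binary, nothing pinned: accepted on the digest alone
}

// Scenario generates a throwaway key pair (standing in for the builder's signing
// environment), signs a constructed "binary", then replays a compromised manager
// serving a tampered copy with a matching digest.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("\x7fELF constructed scanner binary v1") // constructed sample, not a real binary
	sig := ed25519.Sign(priv, genuine)

	// The attacker controls the manager: swaps the binary and publishes the digest of the swap.
	tampered := []byte("\x7fELF constructed scanner binary v1 + implant")
	attackerDigest := SHA256Hex(tampered)

	var out Outcome
	if out.Genuine, err = VerifyRelease(genuine, pub, sig, SHA256Hex(genuine)); err != nil {
		return out, err
	}
	// Host pinned scanner.pub from the repo: the forged digest is irrelevant, the signature fails.
	out.TamperedPinned, _ = VerifyRelease(tampered, pub, sig, attackerDigest)
	// Host never pinned a key and received no signature: the digest is the only check, and it matches.
	out.TamperedFallback, _ = VerifyRelease(tampered, nil, nil, attackerDigest)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%s tampered(pinned)=%s tampered(fallback)=%s\n",
		out.Genuine, out.TamperedPinned, out.TamperedFallback)
}
```

The third case is the one to keep in mind when deciding whether to ship scanner.pub with the install tooling: without a pinned key, integrity rests entirely on wherever the expected digest came from.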
Two authentication boundaries
Users authenticate to the manager with session cookies; scanners authenticate to ingest with revocable API keys. Scanner keys can be bound to expected source IPs (address, CIDR, or ASN) and the ingest API rejects and logs connections from unauthorized IPs. Keys are shown once at provisioning — only a hash is stored.
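The scanner-key half of that boundary as an added example (not mipo's ingest code; the key format `id.secret`, the in-memory store and the log line format are assumptions, and ASN binding is omitted because it needs an IP-to-ASN dataset that cannot be embedded here). Provisioning returns the plaintext once and stores only a SHA-256 of the secret; authentication compares hashes in constant time, honours revocation, and rejects and logs any connection whose source address is outside the key's address or CIDR binding.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// ScannerKey is the stored form of a provisioned key. The plaintext secret is never persisted.
type ScannerKey struct {
	ID      string         // public identifier, safe to log
	Hash    [32]byte       // sha256(secret)
	Allowed []netip.Prefix // source-IP binding (single address or CIDR); empty means unbound
	Revoked bool
}

// Store is a hypothetical in-memory stand-in for the ingest database.
type Store struct {
	keys map[string]*ScannerKey
	Log  []string // rejected-connection log lines, kept in memory so they can be inspected
}

func NewStore() *Store { return &Store{keys: map[string]*ScannerKey{}} }

// parseBinding accepts "203.0.113.7" (exact host) or "203.0.113.0/24" (CIDR).
func parseBinding(s string) (netip.Prefix, error) {
	if addr, err := netip.ParseAddr(s); err == nil {
		addr = addr.Unmap()
		return netip.PrefixFrom(addr, addr.BitLen()), nil
	}
	return netip.ParsePrefix(s)
}

// Provision creates a key bound to the given sources and returns the plaintext
// exactly once. Only the hash is stored; the secret cannot be recovered later.
func (s *Store) Provision(id string, allowed []string) (string, error) {
	if _, exists := s.keys[id]; exists || strings.Contains(id, ".") {
		return "", errors.New("invalid or duplicate key id")
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return "", err
	}
	k := &ScannerKey{ID: id, Hash: sha256.Sum256(secret)}
	for _, a := range allowed {
		p, err := parseBinding(a)
		if err != nil {
			return "", err
		}
		k.Allowed = append(k.Allowed, p)
	}
	s.keys[id] = k
	return id + "." + base64.RawURLEncoding.EncodeToString(secret), nil
}

// Revoke disables a key without deleting its record (the hash stays for audit).
func (s *Store) Revoke(id string) {
	if k, ok := s.keys[id]; ok {
		k.Revoked = true
	}
}

// Authenticate checks an ingest request and returns the key ID on success. Every
// rejection is logged with the reason and source address, never with the secret.
func (s *Store) Authenticate(presented string, source netip.Addr) (string, error) {
	source = source.Unmap() // ::ffff:a.b.c.d must match an IPv4 binding
	id, b64, found := strings.Cut(presented, ".")
	reject := func(reason string) (string, error) {
		s.Log = append(s.Log, fmt.Sprintf("ingest auth rejected key_id=%q source=%s reason=%q", id, source, reason))
		return "", errors.New(reason)
	}
	if !found {
		return reject("malformed key")
	}
	k, ok := s.keys[id]
	if !ok {
		return reject("unknown key id")
	}
	secret, err := base64.RawURLEncoding.DecodeString(b64)
	if err != nil {
		return reject("malformed key")
	}
	h := sha256.Sum256(secret)
	if subtle.ConstantTimeCompare(h[:], k.Hash[:]) != 1 {
		return reject("bad secret")
	}
	if k.Revoked {
		return reject("key revoked")
	}
	if len(k.Allowed) > 0 {
		bound := false
		for _, p := range k.Allowed {
			if p.Contains(source) {
				bound = true
				break
			}
		}
		if !bound {
			return reject("source ip not in binding")
		}
	}
	return id, nil
}

func main() {
	s := NewStore()
	key, err := s.Provision("scanner-dc1", []string{"203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext shown once:", key)
	_, err = s.Authenticate(key, netip.MustParseAddr("198.51.100.9")) // outside the binding
	fmt.Println("from 198.51.100.9:", err)
	fmt.Println(strings.Join(s.Log, "\n"))
}
```

Embedding the key ID in the presented token lets the server look up one row and compare one hash rather than scanning every stored hash, which keeps the constant-time comparison meaningful.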
Access control
RBAC is enforced at the API middleware layer using resource:action scopes; the GUI only reflects what the API permits, so hiding a control in the interface is never the enforcement point. A Day-0 owner account bootstraps the system and bypasses scope checks; every user after that is least-privilege. External identity is supported via generic OIDC with an optional local fallback.
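Scope enforcement at the middleware layer as an added example (illustrative code, not mipo's API; the `Principal` shape, the `viewer`/`operator` role table, the `hosts`/`scans` resources and the `resource:*` wildcard are assumptions). The point it shows is that the check runs before the handler regardless of what the GUI rendered, and that the owner bypass is a property of the principal, not a special route.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Principal is what session authentication attaches to a request (hypothetical shape).
type Principal struct {
	Name   string
	Owner  bool            // Day-0 owner: bypasses scope checks
	Scopes map[string]bool // e.g. "hosts:read", "scans:write"
}

// DefaultRoles is a constructed role table; the names are assumptions, not mipo's.
var DefaultRoles = map[string][]string{
	"viewer":   {"hosts:read", "scans:read"},
	"operator": {"hosts:read", "scans:read", "scans:write"},
}

// NewPrincipal expands a role into explicit scopes at session creation.
func NewPrincipal(name, role string) *Principal {
	p := &Principal{Name: name, Scopes: map[string]bool{}}
	for _, s := range DefaultRoles[role] {
		p.Scopes[s] = true
	}
	return p
}

// HasScope: exact "resource:action" or a wildcard "resource:*"; the owner always passes.
func (p *Principal) HasScope(resource, action string) bool {
	if p.Owner {
		return true
	}
	return p.Scopes[resource+":"+action] || p.Scopes[resource+":*"]
}

type ctxKey struct{}

func WithPrincipal(ctx context.Context, p *Principal) context.Context {
	return context.WithValue(ctx, ctxKey{}, p)
}

func PrincipalFrom(ctx context.Context) (*Principal, bool) {
	p, ok := ctx.Value(ctxKey{}).(*Principal)
	return p, ok && p != nil
}

// RequireScope is the middleware. It answers 401 with no principal and 403 when
// the principal lacks the scope; the wrapped handler never runs in either case.
func RequireScope(resource, action string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := PrincipalFrom(r.Context())
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !p.HasScope(resource, action) {
			http.Error(w, "forbidden: requires "+resource+":"+action, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewAPI wires two hypothetical routes. The scope is chosen by resource and method.
func NewAPI() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	mux := http.NewServeMux()
	mux.Handle("/hosts", RequireScope("hosts", "read", ok))
	mux.Handle("/scans", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		action := "read"
		if r.Method != http.MethodGet {
			action = "write"
		}
		RequireScope("scans", action, ok).ServeHTTP(w, r)
	}))
	return mux
}

// Probe sends one request as the given principal (nil = unauthenticated) and returns the status code.
func Probe(api http.Handler, method, path string, p *Principal) int {
	req := httptest.NewRequest(method, path, nil)
	if p != nil {
		req = req.WithContext(WithPrincipal(req.Context(), p))
	}
	rec := httptest.NewRecorder()
	api.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := NewAPI()
	viewer := NewPrincipal("alice", "viewer")
	owner := &Principal{Name: "root", Owner: true}
	fmt.Println("viewer GET /hosts:", Probe(api, http.MethodGet, "/hosts", viewer))
	fmt.Println("viewer POST /scans:", Probe(api, http.MethodPost, "/scans", viewer))
	fmt.Println("owner POST /scans:", Probe(api, http.MethodPost, "/scans", owner))
	fmt.Println("anonymous GET /hosts:", Probe(api, http.MethodGet, "/hosts", nil))
}
```

Expanding roles into explicit scopes at session creation means the middleware only ever answers one question, "does this principal hold this scope", and role changes take effect on the next session rather than silently mid-request.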
Transport, backups, and audit
All external traffic is TLS-terminated at the edge. Self-signed certificates give encryption from day one, but clients will not trust them without being told to, so plan on the optional ACME / Let's Encrypt issuance for anything beyond an initial deployment. Database backups are encrypted at rest and restore is an explicit, audited operation. A global interceptor records every state change to an append-only, tamper-evident audit log with actor, timestamp, and field-level diffs.
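One way to get "append-only and tamper-evident" with field-level diffs, as an added example (not mipo's audit implementation; the page does not say how mipo achieves tamper evidence, and the SHA-256 hash chain, the `Entry` layout and the `Record` interceptor hook here are assumptions). Each entry's hash covers its own contents plus the previous entry's hash, so an after-the-fact edit to any record, including by someone with write access to the backing store, breaks the chain at that record.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"reflect"
	"time"
)

// FieldChange is one field-level diff entry: the value before and after.
type FieldChange struct {
	Old any `json:"old"`
	New any `json:"new"`
}

// Entry is one audit record. Hash covers every other field plus PrevHash.
type Entry struct {
	Seq       uint64                 `json:"seq"`
	Actor     string                 `json:"actor"`
	Timestamp time.Time              `json:"ts"`
	Resource  string                 `json:"resource"`
	Diff      map[string]FieldChange `json:"diff"`
	PrevHash  string                 `json:"prev"`
	Hash      string                 `json:"hash"`
}

// AuditLog is an in-memory chain; a real store would persist entries in order.
type AuditLog struct {
	entries []Entry
	now     func() time.Time // injected clock so runs are reproducible
}

func NewAuditLog(now func() time.Time) *AuditLog { return &AuditLog{now: now} }

// diff keeps only the fields whose value changed, appeared, or disappeared.
func diff(before, after map[string]any) map[string]FieldChange {
	out := map[string]FieldChange{}
	seen := map[string]bool{}
	for _, m := range []map[string]any{before, after} {
		for k := range m {
			if seen[k] {
				continue
			}
			seen[k] = true
			if !reflect.DeepEqual(before[k], after[k]) {
				out[k] = FieldChange{Old: before[k], New: after[k]}
			}
		}
	}
	return out
}

// entryHash is sha256 of the canonical JSON of the entry with Hash blanked.
// encoding/json sorts map keys, so the encoding is deterministic.
func entryHash(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // basic types only; marshaling cannot fail here
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Record is the interceptor hook: given the state before and after a mutation,
// it appends one chained entry and returns it.
func (l *AuditLog) Record(actor, resource string, before, after map[string]any) Entry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.entries) + 1), Actor: actor, Timestamp: l.now(),
		Resource: resource, Diff: diff(before, after), PrevHash: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes every hash in order. It returns -1 when the chain is intact,
// otherwise the index of the first entry that no longer matches.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != uint64(i+1) || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Tamper simulates an out-of-band edit to the backing store: rewriting who acted.
func (l *AuditLog) Tamper(i int, actor string) { l.entries[i].Actor = actor }

func main() {
	l := NewAuditLog(time.Now)
	e := l.Record("alice", "host/42",
		map[string]any{"owner": "ops", "tags": "prod"},     // constructed before-state
		map[string]any{"owner": "secops", "tags": "prod"})  // constructed after-state
	fmt.Printf("seq=%d actor=%s diff=%v\n", e.Seq, e.Actor, e.Diff)
	fmt.Println("intact:", l.Verify())
	l.Tamper(0, "mallory")
	fmt.Println("first bad entry after tamper:", l.Verify())
}
```

Chaining only proves that the log has not been rewritten since the last hash you trust; anchoring the latest hash somewhere the database writer cannot reach (a periodic export, a signed checkpoint) is what turns "tamper-evident" into something an auditor can check independently.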
Security properties
| Property | Detail |
|---|---|
| Stdlib-only scanner | The scanner is a Go static binary using only the standard library — a tiny, auditable supply chain. |
| No auto-update | Scanners are deployed manually; there is no silent update channel to compromise. |
| No telemetry | mipo does not phone home; all data stays in your deployment. |
| API keys + IP binding | Scanners authenticate with revocable API keys and can be bound to expected source IPs. |
| RBAC + OIDC/SSO | resource:action scopes with default roles; external IdP via generic OIDC with optional local fallback. |
| Owner bootstrap | Day-0 setup creates a local owner that bypasses scope checks; everything after is least-privilege. |
| TLS everywhere | HTTPS at the edge with configurable ACME/Let’s Encrypt certificate issuance. |
| Encrypted backups | Database backups are encrypted; restore is an explicit, audited operation. |
| Audit logs | A global interceptor records every state change to an append-only, tamper-evident log. |
What mipo does not do
- No compliance guarantee — mipo collects evidence; auditors determine control satisfaction.
- No auto-patching — mipo reports exposure, it does not remediate hosts.
- No silent scanner updates — scanner upgrades are a deliberate, manual operator action.