Trust starts with the scanner
mipo is built for environments where every component must be auditable. The scanner is a stdlib-only Go binary, there is no auto-update channel, and nothing phones home.
Security properties
- The scanner is a Go static binary using only the standard library — a tiny, auditable supply chain.
- Scanners are deployed manually; there is no silent update channel to compromise.
- mipo does not phone home; all data stays in your deployment.
- Scanners authenticate with revocable API keys and can be bound to expected source IPs.
- Authorization uses resource:action scopes with default roles; an external IdP is supported via generic OIDC, with optional local fallback.
- Day-0 setup creates a local owner that bypasses scope checks; every principal created after that is least-privilege.
- HTTPS at the edge with configurable ACME/Let’s Encrypt certificate issuance.
- Database backups are encrypted; restore is an explicit, audited operation.
- A global interceptor records every state change to an append-only, tamper-evident log.
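The scanner-credential property above (revocable API keys, optionally bound to a source IP) is illustrated here by an added, stdlib-only Go example. This is not mipo's own code: the `Registry`, `ScannerCred`, `Issue`, `Revoke` and `Authenticate` names, the in-memory store, and the sample prefix `10.1.0.0/24` are all assumptions made for the example. The server keeps only a SHA-256 of each key, compares in constant time, and evaluates an unknown ID against a dummy hash so that lookups take the same time either way.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
)

// ScannerCred is what the server stores for one deployed scanner (assumed
// layout): only the SHA-256 of the API key, an optional source prefix, and a
// revocation flag. The plaintext key is never stored.
type ScannerCred struct {
	ID        string
	KeyHash   [32]byte
	AllowedIP netip.Prefix // zero value means "not bound to a source"
	Revoked   bool
}

// Registry is a constructed in-memory credential store keyed by scanner ID.
type Registry struct {
	creds map[string]*ScannerCred
}

var (
	ErrUnknownScanner = errors.New("unknown scanner")
	ErrRevoked        = errors.New("api key revoked")
	ErrBadKey         = errors.New("api key mismatch")
	ErrSourceIP       = errors.New("source ip not permitted")
)

// dummyHash is compared against when the scanner ID does not exist, so the
// unknown-ID path costs the same as a real comparison.
var dummyHash = sha256.Sum256([]byte("example-dummy-key"))

// Issue mints a 256-bit random key, stores only its hash, and returns the
// plaintext once for the operator to place on the scanner by hand.
func (r *Registry) Issue(id string, allowed netip.Prefix) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	key := hex.EncodeToString(raw)
	if r.creds == nil {
		r.creds = map[string]*ScannerCred{}
	}
	r.creds[id] = &ScannerCred{ID: id, KeyHash: sha256.Sum256([]byte(key)), AllowedIP: allowed}
	return key, nil
}

// Revoke marks a key unusable; the record stays so audit history keeps its ID.
func (r *Registry) Revoke(id string) bool {
	c, ok := r.creds[id]
	if !ok {
		return false
	}
	c.Revoked = true
	return true
}

// Authenticate checks the key in constant time, then revocation, then the
// source binding. Distinct errors are for the server's own log; an HTTP layer
// should collapse them to one generic 401 toward the caller.
func (r *Registry) Authenticate(id, key string, src netip.Addr) error {
	c, ok := r.creds[id]
	stored := dummyHash
	if ok {
		stored = c.KeyHash
	}
	got := sha256.Sum256([]byte(key))
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	if !ok {
		return ErrUnknownScanner
	}
	if !match {
		return ErrBadKey
	}
	if c.Revoked {
		return ErrRevoked
	}
	if c.AllowedIP.IsValid() && !c.AllowedIP.Contains(src) {
		return ErrSourceIP
	}
	return nil
}

func main() {
	r := &Registry{}
	key, _ := r.Issue("scanner-01", netip.MustParsePrefix("10.1.0.0/24"))
	fmt.Println(r.Authenticate("scanner-01", key, netip.MustParseAddr("10.1.0.7")))  // <nil>
	fmt.Println(r.Authenticate("scanner-01", key, netip.MustParseAddr("192.0.2.9"))) // source ip not permitted
	r.Revoke("scanner-01")
	fmt.Println(r.Authenticate("scanner-01", key, netip.MustParseAddr("10.1.0.7"))) // api key revoked
}
```

Binding to a prefix rather than a single address keeps the check usable when a scanner sits behind a small NAT pool; leaving the prefix unset (the zero `netip.Prefix`) disables the binding for that one scanner only.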
What mipo does not do
- Not a goal: No compliance guarantee — mipo collects evidence; auditors determine control satisfaction.
- Not a goal: No auto-patching — mipo reports exposure, it does not remediate hosts.
- Not a goal: No silent scanner updates — scanner upgrades are a deliberate, manual operator action.
mipo reports exposure and preserves evidence — it does not remediate hosts, patch software, or certify compliance.
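Two of the security properties listed above, resource:action scopes with a day-0 owner that bypasses them and a global interceptor that records every state change to an append-only, tamper-evident log, are shown together in this added Go example. It is not mipo's code: the `Principal`, `Interceptor`, `Entry`, `Do` and `Verify` names, the sample roles `viewer` and `operator`, and the SHA-256 hash-chain layout are assumptions made for the example. Each entry hashes its own fields together with the previous entry's hash, so editing or deleting an earlier entry breaks every link after it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Principal is an authenticated caller. Owner marks the day-0 local owner that
// bypasses scope checks; everyone else carries an explicit scope set.
type Principal struct {
	Name   string
	Owner  bool
	Scopes map[string]bool // "resource:action" strings
}

// DefaultRoles maps a role name to its scopes (constructed sample roles).
var DefaultRoles = map[string][]string{
	"viewer":   {"scan:read", "host:read"},
	"operator": {"scan:read", "scan:create", "host:read", "scanner:revoke"},
}

// NewPrincipal builds a least-privilege principal from one of the default roles.
func NewPrincipal(name, role string) (Principal, error) {
	scopes, ok := DefaultRoles[role]
	if !ok {
		return Principal{}, fmt.Errorf("unknown role %q", role)
	}
	p := Principal{Name: name, Scopes: map[string]bool{}}
	for _, s := range scopes {
		p.Scopes[s] = true
	}
	return p, nil
}

// Entry is one recorded state change; PrevHash chains it to its predecessor.
type Entry struct {
	Seq      int
	Actor    string
	Scope    string
	Detail   string
	PrevHash string
	Hash     string
}

// genesisHash anchors the chain before the first entry.
var genesisHash = hex.EncodeToString(make([]byte, sha256.Size))

// entryHash hashes length-prefixed fields so one field cannot be shifted into
// another without changing the digest.
func entryHash(seq int, actor, scope, detail, prev string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|", seq)
	for _, f := range []string{actor, scope, detail, prev} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

var ErrForbidden = errors.New("forbidden: missing scope")

// Interceptor sits in front of every mutating call: it authorizes the call and
// appends the resulting state change to the hash chain.
type Interceptor struct {
	Log []Entry
}

// Do enforces resource:action scopes (owner bypasses) and records the change.
// A denied call changes no state and therefore appends nothing.
func (ic *Interceptor) Do(p Principal, resource, action, detail string) error {
	scope := resource + ":" + action
	if !p.Owner && !p.Scopes[scope] {
		return fmt.Errorf("%w %s for %s", ErrForbidden, scope, p.Name)
	}
	prev := genesisHash
	if n := len(ic.Log); n > 0 {
		prev = ic.Log[n-1].Hash
	}
	seq := len(ic.Log)
	e := Entry{Seq: seq, Actor: p.Name, Scope: scope, Detail: detail, PrevHash: prev}
	e.Hash = entryHash(seq, p.Name, scope, detail, prev)
	ic.Log = append(ic.Log, e)
	return nil
}

// Verify recomputes the chain and returns the index of the first inconsistent
// entry, or -1 when every link and digest checks out.
func Verify(log []Entry) int {
	prev := genesisHash
	for i, e := range log {
		if e.Seq != i || e.PrevHash != prev ||
			entryHash(e.Seq, e.Actor, e.Scope, e.Detail, e.PrevHash) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	ic := &Interceptor{}
	owner := Principal{Name: "setup-owner", Owner: true}
	op, _ := NewPrincipal("alice", "operator")
	viewer, _ := NewPrincipal("bob", "viewer")
	fmt.Println(ic.Do(owner, "user", "create", "created alice")) // <nil>
	fmt.Println(ic.Do(op, "scan", "create", "scan-42"))          // <nil>
	fmt.Println(ic.Do(viewer, "scan", "create", "scan-43"))      // forbidden
	fmt.Println("first bad entry:", Verify(ic.Log))              // -1
	ic.Log[1].Detail = "scan-99"                                 // tamper with a recorded change
	fmt.Println("first bad entry:", Verify(ic.Log))              // 1
}
```

A hash chain detects edits and deletions inside the log but not truncation of its tail, so the current head hash needs to be anchored somewhere the log writer cannot alter (a periodic export, a signed checkpoint) for the tamper evidence to be complete.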
Read the security model
A docs-style reference covers the supply chain, authentication, TLS, backups, and audit guarantees in detail.