Grafana security related questions


My name is Lucian and I am an SRE Observability Engineer at Mambu GmbH.

We are working on a custom solution based on Grafana (datasources Prometheus & VictoriaMetrics), and have some questions from a security perspective, as follows:

  1. How is the Grafana design performed? Are you considering security requirements in the architecture and design phase of the product and new features?

  2. Are you performing code reviews? If yes, are security checks part of them?

  3. How are dependencies managed?

     3.1 Are you scanning for vulnerable dependencies?

     3.2 How are dependencies reviewed before being added to the product, and how are vulnerable or non-maintained dependencies handled?

  4. How is the source code checked for vulnerabilities (e.g. static code analysis, penetration tests …)?

  5. How is the build process secured?

Thank you.


Lucian Iordache
SRE Observability Engineer