This is a configuration template, not a versioned application.
Security fixes are applied to the main branch only.
Please do not open a public GitHub issue for security vulnerabilities.
Report privately via:
- GitHub: use the Private Vulnerability Reporting feature on this repo
- Email: security@twn.systems
We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 14 days for confirmed issues.
| Secret | Where it lives | Where it never appears |
|---|---|---|
| SSH private key | CI masked secret `ANSIBLE_SSH_KEY` | repo, logs, artifacts |
| GitLab token | CI masked secret `VYOS_GITLAB_TOKEN` | repo, logs |
| Token in commit-archive URL | Injected at play-time via `lookup('env', ...)` | any file on disk |
The `commit_archive_url` in `group_vars/vyos.yml` uses Ansible's environment lookup: the token is resolved in memory at play-time and is never written to disk or version control.
The `dry_run` stage saves a `--check --diff` log as an artifact (14-day TTL). If verbosity is raised (`-v`, `-vv`) in a forked pipeline, expanded config lines containing the commit-archive URL (with token) could appear in the log.

Mitigations:
- The `Enforce commit-archive` task uses `no_log: true`
- Artifacts are scoped to the project; they are not public even on a public repo
- Rotate `VYOS_GITLAB_TOKEN` if a pipeline artifact is accidentally exposed
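The following is an added illustration of the pattern described above (environment lookup at play-time plus `no_log: true` on the task that expands the URL); it is not the repository's own `group_vars/vyos.yml` or playbook. The module name `vyos.vyos.vyos_config`, the variable `vyos_gitlab_token`, the assert task and the GitLab host/path in the URL are assumptions; only `commit_archive_url`, `VYOS_GITLAB_TOKEN` and the task name `Enforce commit-archive` come from this page.

```yaml
# group_vars/vyos.yml (illustrative; the repo's real file is not shown on this page)
# lookup('env') reads the runner's process environment at play-time. The value
# lives only in memory for the duration of the play; nothing here is a literal
# secret that could be committed. Note that lookup('env') returns an empty
# string when the variable is unset, which the playbook below checks for.
vyos_gitlab_token: "{{ lookup('env', 'VYOS_GITLAB_TOKEN') }}"
# host and repository path are placeholders (assumption)
commit_archive_url: "https://oauth2:{{ vyos_gitlab_token }}@gitlab.example.invalid/net/vyos-archive.git"

# playbooks/commit_archive.yml (illustrative)
- name: Configure commit-archive on VyOS nodes
  hosts: vyos
  gather_facts: false
  tasks:
    # Fail early if the masked CI variable never reached the runner, rather than
    # pushing a URL with an empty credential. The assert prints only the failed
    # expression, not the variable's value, so no_log is not needed here.
    - name: Fail fast if the token did not reach the runner environment
      ansible.builtin.assert:
        that:
          - vyos_gitlab_token | length > 0
        fail_msg: "VYOS_GITLAB_TOKEN is not set in the runner environment"

    # no_log: true censors this task's whole result (console output at any -v
    # level and the --diff text), so the expanded 'set ... location' line with
    # the embedded token cannot land in the dry_run artifact.
    - name: Enforce commit-archive
      vyos.vyos.vyos_config:   # module name is an assumption
        lines:
          - "set system config-management commit-archive location '{{ commit_archive_url }}'"
      no_log: true
```

The trade-off to keep in mind: `no_log: true` also hides the task's error message when it fails, so debugging a broken commit-archive push means temporarily removing it in a local run with a throwaway token, never in a pipeline whose log is archived.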
`ANSIBLE_HOST_KEY_CHECKING` is set to `false` in the CI pipeline. This is intentional for ephemeral runners where `known_hosts` is not pre-populated. In production deployments where the runner is persistent, you should:
- Pre-populate `~/.ssh/known_hosts` with VyOS node fingerprints
- Remove the `ANSIBLE_HOST_KEY_CHECKING: "false"` variable override
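As an added example of the pre-population step (not part of this repository), the play below pins each node's public host key from a per-host variable into the runner's `known_hosts` using the stock `ansible.builtin.known_hosts` module. The host name `vyos-edge-1`, the address, the variable `vyos_host_key` and the key material are placeholders; the key is meant to be recorded once after verifying the fingerprint out of band on the node's console, not scraped from the network at play-time, which would only repeat the trust-on-first-use problem the override creates.

```yaml
# inventory/host_vars/vyos-edge-1.yml (illustrative; address and key are placeholders)
ansible_host: 192.0.2.10
# Public host key line as it appears on the node, verified out of band
# (for example on the console) before being committed here. Public keys are
# safe to store in the repo; only the private half is a secret.
vyos_host_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-placeholder-public-key"

# playbooks/pin_host_keys.yml (illustrative): run once on a persistent runner,
# before the deployment play and with ANSIBLE_HOST_KEY_CHECKING left at its
# default of true.
- name: Pin VyOS host keys on a persistent runner
  hosts: vyos
  gather_facts: false
  connection: local     # edits the runner's own known_hosts; no SSH session yet
  tasks:
    # A node without a pinned key must not silently fall back to accepting
    # whatever key answers on first connection.
    - name: Refuse to proceed for any node without a pinned key
      ansible.builtin.assert:
        that:
          - vyos_host_key is defined
          - vyos_host_key | length > 0
        fail_msg: "No pinned host key for {{ inventory_hostname }}; add vyos_host_key after out-of-band verification"

    # known_hosts module is idempotent: it adds the entry if missing and
    # replaces a stale entry for the same host, writing to ~/.ssh/known_hosts
    # by default.
    - name: Write the pinned key into the runner's known_hosts
      ansible.builtin.known_hosts:
        name: "{{ ansible_host | default(inventory_hostname) }}"
        key: "{{ ansible_host | default(inventory_hostname) }} {{ vyos_host_key }}"
        state: present
```

With the keys pinned, the `ANSIBLE_HOST_KEY_CHECKING: "false"` override can be dropped from the runner's variables (equivalently, `host_key_checking = True` under `[defaults]` in `ansible.cfg`). From then on a node presenting a different key fails the connection instead of being accepted, which is the signal you want if a management address is ever redirected.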
This playbook communicates with VyOS nodes over SSH only. No plaintext protocols are used. Ensure your runner has network access to managed nodes via a management VLAN or VPN — not the public internet.