Skip to content

Security: Workday/synthetic-data-generator

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it using GitHub's private vulnerability reporting. Go to the Security tab of this repository and click Report a vulnerability.

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Note: This is a community project, not a commercially supported product. Security reports are handled by project maintainers on a best-effort basis.

Security Model

SDG is designed so that a standard deployment holds no long-lived secrets:

  • The app runs as its own Databricks service principal; Databricks Apps injects its OAuth credentials into the container at runtime — they are never stored in code or config.
  • Lakebase (Postgres) passwords are short-lived OAuth tokens minted on demand and never persisted or logged.
  • Users reach the app only through the workspace's authenticated proxy; the forwarded user identity is used solely as an audit label, never as a credential.
  • What the app can read and write in Unity Catalog is bounded entirely by the grants you give its service principal.

Best Practices for Deployments

  • Never commit .env files, tokens, or workspace-specific identifiers to version control
  • Grant the app's service principal the minimum Unity Catalog privileges it needs — its catalog dropdowns expose exactly what it can see
  • Remember that retained columns contain real data: synthetic columns are safe by construction, but review retain/mask/synthesize choices against your data-handling policies before sharing exports
  • Keep Flask debug mode off in any shared deployment (it is off by default; FLASK_DEBUG=1 is for local development only)
  • Restrict who can access the app via the app's permission settings in your workspace
  • Keep dependencies current — pip list --outdated / npm audit periodically

There aren't any published security advisories