Security
Jigsaw delegates authentication to Keycloak, encrypts panel sessions, and isolates site workloads in Docker. The panel needs access to the Docker socket — treat the host accordingly.
Report a vulnerability
Do not file public issues for unfixed security bugs. Use GitHub private vulnerability reporting or email maintainers as described in SECURITY.md.
Authentication and sessions
- OIDC with PKCE via `openid-client`; the panel does not store user passwords
- The default Keycloak realm allows self-service registration; disable it in Keycloak if you only want admin-created accounts (Realm settings → Login → User registration)
- Session cookie: HTTP-only, `SameSite=lax`, `secure` in production
- Session lifetime: 7 days (configurable in application code)
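As an added example (not Jigsaw's own code), the following TypeScript builds a session `Set-Cookie` value with the attributes listed above and audits an arbitrary `Set-Cookie` header for the ones a hardened session cookie should carry. The cookie name, the helper names and the `production` flag are assumptions for illustration; the 7-day lifetime and the HttpOnly / SameSite=Lax / Secure-in-production attributes come from this page.

```typescript
// Added example, not part of the Jigsaw project.
// Assumed names: buildSessionCookie, auditSetCookie, CookieOptions.

const SESSION_MAX_AGE_SECONDS = 7 * 24 * 60 * 60; // 7 days, as documented

interface CookieOptions {
  production: boolean;      // Secure is only set when true (local HTTP dev otherwise)
  maxAgeSeconds?: number;   // defaults to the 7-day session lifetime
}

// Build the Set-Cookie header value for the panel session cookie.
function buildSessionCookie(name: string, value: string, opts: CookieOptions): string {
  const maxAge = opts.maxAgeSeconds ?? SESSION_MAX_AGE_SECONDS;
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "HttpOnly",        // not readable from document.cookie
    "SameSite=Lax",    // not sent on cross-site POSTs
  ];
  if (opts.production) parts.push("Secure"); // only over HTTPS
  return parts.join("; ");
}

// Audit a Set-Cookie header value and return the hardening attributes it lacks.
// Useful as a startup self-check or an integration test against a live response.
function auditSetCookie(header: string, production: boolean): string[] {
  const attrs = header
    .split(";")
    .slice(1) // drop the name=value pair
    .map((a) => a.trim().toLowerCase());
  const missing: string[] = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite || !["samesite=lax", "samesite=strict"].includes(sameSite)) {
    missing.push("SameSite=Lax or Strict");
  }
  if (production && !attrs.includes("secure")) missing.push("Secure");
  return missing;
}
```

`auditSetCookie` deliberately flags `SameSite=None`: a cookie that is sent on every cross-site request gives up the CSRF protection that `Lax` provides for a panel that is only ever used first-party.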
Network isolation
- Per-site Docker networks (`jigsaw_<slug>_net`)
- Site databases not attached to the public edge network
- Traefik dashboard protected by OAuth2 Proxy + Keycloak forward-auth
Secrets
- `install.sh` generates strong random values with OpenSSL
- `.env` is written with mode `600`
- Server-only code uses `*.server.ts` and is stripped from client bundles
Docker socket
The panel container mounts the Docker socket to orchestrate customer workloads. That is effectively privileged. Mitigations in code include labelling resources and scoping prune operations; for high-security deployments consider a socket proxy. See SECURITY.md for details.
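The two in-code mitigations named above, labelling resources and scoping prune operations, work as a pair: every resource the panel creates carries a label, and every prune request sent to the daemon filters on that label so it can never touch containers, images, networks or volumes the panel does not own. The following TypeScript is an added example (not Jigsaw's code) that shows that pairing using the Docker Engine API's `Labels` field on create and its JSON `filters` query parameter on prune; the label keys `jigsaw.managed` and `jigsaw.site` and the helper names are assumptions.

```typescript
// Added example, not part of the Jigsaw project.
// Assumed label keys: jigsaw.managed, jigsaw.site. Assumed helper names.

const MANAGED_KEY = "jigsaw.managed";
const SITE_KEY = "jigsaw.site";
const MANAGED_FILTER = `${MANAGED_KEY}=true`;

type PruneTarget = "containers" | "images" | "networks" | "volumes";

// Attach the ownership labels to a Docker Engine API create body
// (e.g. the JSON sent to POST /containers/create). Existing labels are kept.
function labelledCreateSpec<T extends { Labels?: Record<string, string> }>(
  spec: T,
  siteSlug: string,
): T & { Labels: Record<string, string> } {
  return {
    ...spec,
    Labels: { ...(spec.Labels ?? {}), [MANAGED_KEY]: "true", [SITE_KEY]: siteSlug },
  };
}

// Build the request path for a prune call that is scoped by label.
// Docker expects filters as URL-encoded JSON: {"label":["key=value", ...]}.
// An unscoped prune would reclaim every dangling resource on the host, so it
// is refused outright rather than defaulted.
function scopedPrunePath(target: PruneTarget, siteSlug?: string): string {
  const labels = [MANAGED_FILTER];
  if (siteSlug) labels.push(`${SITE_KEY}=${siteSlug}`);
  const filters = JSON.stringify({ label: labels });
  return `/${target}/prune?filters=${encodeURIComponent(filters)}`;
}

// Guard for code review or a pre-send hook: does this prune request carry the
// managed-resource label filter? Returns false for any unscoped variant.
function isScopedPrune(path: string): boolean {
  const m = /^\/(containers|images|networks|volumes)\/prune\?filters=(.+)$/.exec(path);
  if (!m) return false;
  try {
    const parsed = JSON.parse(decodeURIComponent(m[2])) as { label?: unknown };
    return Array.isArray(parsed.label) && parsed.label.includes(MANAGED_FILTER);
  } catch {
    return false;
  }
}
```

Even with every prune scoped, the socket itself still grants full control of the daemon to anything that can reach it inside the panel container; the label discipline limits what the panel's own code does, not what an attacker with code execution in that container could do, which is why the page points at a socket proxy for high-security deployments.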