Skip to content

Fix: Semgrep grpc-server-insecure-connection #5890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rahulkhinchi-wq wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix: Semgrep grpc-server-insecure-connection #5890

rahulkhinchi-wq wants to merge 2 commits into from

Conversation

@rahulkhinchi-wq
Copy link

@rahulkhinchi-wq rahulkhinchi-wq commented Nov 25, 2025

Summary

This pull request addresses the Semgrep rule violation grpc-server-insecure-connection, which identifies insecure gRPC server initialization without TLS credentials. Running a gRPC server without encryption exposes communication to interception, tampering, and man-in-the-middle attacks.

Change Details

Modified File

cmd/kat-server/services/grpc-auth-v2.go

Updates

  • Added import for: 
    "google.golang.org/grpc/credentials"

Replaced insecure gRPC server initialization: grpc.NewServer() with a secure TLS-enabled server:

creds, err := credentials.NewServerTLSFromFile(g.Cert, g.Key)
grpc.NewServer(grpc.Creds(creds))

Added error handling for TLS credential loading to ensure failures are surfaced properly.

Rationale

Semgrep flagged that the server was previously initialized without specifying TLS credentials, resulting in unencrypted network communication. Using grpc.Creds(credentials) ensures that all gRPC traffic is encrypted and authenticated using certificate-based TLS, significantly reducing the risk of message tampering or compromise.

Verification

Confirmed that TLS credentials (cert.pem, cert.key defined by g.Cert and g.Key) are now loaded correctly.
Semgrep rule warning is resolved.
The gRPC server now enforces encrypted connections.
The server continues to register the authorization service as expected.

root and others added 2 commits November 18, 2025 05:14
fix: grpc-server-insecure-connection-45
36560ef
@rahulkhinchi-wq
Merge pull request #1 from rahulkhinchi-wq/fix/semgrep-grpc-server-in…
70cb0d0 
…secure-connection-45-HJpme2LvKr

fix: semgrep-grpc-server-insecure-connection
@cocogitto-bot
Copy link

cocogitto-bot bot commented Nov 25, 2025

❌ Found 1 compliant commit and 1 non-compliant commits in 36560ef...70cb0d0.

Commit 70cb0d0 by @rahulkhinchi-wq is not conform to the conventional commit specification :

fix: semgrep-grpc-server-insecure-connection`

  • cause: 
    Missing commit type separator `:`

Caused by:
     --> 1:6
      |
    1 | Merge pull request #1 from rahulkhinchi-wq/fix/semgrep-grpc-server-insecure-connection-45-HJpme2LvKr
      |      ^---
      |
      = expected scope or type_separator

@dosubot dosubot bot added size:XS This PR changes 0-9 lines, ignoring generated files. go Pull requests that update Go code t:bug Something isn't working labels Nov 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

go Pull requests that update Go code size:XS This PR changes 0-9 lines, ignoring generated files. t:bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rahulkhinchi-wq