| Version | Supported | Security Fixes |
|---|---|---|
| v1.3.x | ✅ Yes | Active support |
| v1.2.x | Critical only | |
| < v1.2 | ❌ No | Please upgrade |

AegisGate Platform implements comprehensive security scanning:

| Tool | Purpose | Frequency |
|---|---|---|
| govulncheck | Go vulnerability database | Every push |
| gosec | Static security analysis | Every push |
| Trivy | Container & filesystem scan | Every push + weekly |
| TruffleHog | Secret detection | Every push |
| go vet | Standard Go analysis | Every push |
| staticcheck | Advanced static analysis | Every push |

| Status | Item |
|---|---|
| ✅ | 0 Known CVEs in production dependencies |
| ✅ | Fuzz Testing integrated for critical paths |
| ✅ | SBOM Generation (CycloneDX + SPDX) |
| ✅ | Dependency Vulnerability Scanning |
| ✅ | Secret Scanning (AWS keys, GitHub tokens, etc.) |
| ✅ | Authentication-by-Default (v1.3.6) |
| ✅ | Hard-Enforced Memory Limits (v1.3.6) |
| ✅ | MCP Registration Logging (v1.3.6) |
| ✅ | Tool Call Limits (v1.3.6) |
| ✅ | Risk-Based Authorization (v1.3.6) |
| ✅ | 90.8% Test Coverage (v1.3.6) |

Comprehensive threat analysis for all four security pillars:

| Pillar | Threats | Top Risk |
|---|---|---|
| HTTP API | 10 STRIDE threats | License tier bypass (CVSS 9.8) |
| MCP Protocol | 10 STRIDE threats | Session spoofing (CVSS 9.5) |
| A2A Agent | 10 STRIDE threats | Agent impersonation (CVSS 9.1) |
| AI Response | 11 STRIDE threats | PII disclosure (CVSS 9.1) |

| Severity | Count | Range |
|---|---|---|
| 🔴 Critical | 7 | 9.0–9.8 |
| 🟠 High | 11 | 7.0–8.9 |
| 🟡 Medium | 7 | 4.0–6.9 |

| Category | Techniques | Status |
|---|---|---|
| ATLAS-MCP | 4 | ✅ All mitigated |
| ATLAS-A2A | 10 | ✅ All mitigated |
| ATLAS-LLM | 8 | ✅ All mitigated |
| ATLAS-RAG | 3 | 🔜 v4.0 planning |

We take security seriously. If you discover a vulnerability:

- DO NOT open a public issue
- Email security@aegisgatesecurity.io with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Your contact information (optional)

We will respond within 48 hours and work to resolve the issue within 90 days.

v1.3.6 — released April 2026

All critical OpenAI/X security concerns addressed:

| Feature | Status | Description |
|---|---|---|
| Authentication-by-Default | ✅ | All endpoints require auth unless REQUIRE_AUTH=false |
| MCP Registration Logging | ✅ | Client IP, server ID, timestamp logged for audit |
| Hard-Enforced Memory Limits | ✅ | Sessions terminated when exceeding quota |
| Tool Call Limits | ✅ | 20 tools/session enforced with proper error feedback |
| Risk-Based Authorization | ✅ | All tool calls checked against authorization matrix |
| Test Coverage | ✅ | 90.8% overall (93.9% RBAC, 96.2% ToolAuth, 88.3% MCP) |

- ✅ Non-root container execution
- ✅ Minimal attack surface (19.1MB image)
- ✅ Read-only filesystem support
- ✅ No external network dependencies
- ✅ TLS 1.3 by default
- ✅ OWASP LLM Top 10 protection
- ✅ MITRE ATLAS threat detection
- ✅ NIST AI RMF compliance frameworks
- ✅ GDPR data protection controls

Our security workflow runs:

```yaml
# Jobs executed on every push
govulncheck:     # Go vulnerability scan
gosec:           # Security linter
trivy:           # Container scan
trufflehog:      # Secret detection
standard-tools:  # go vet, staticcheck
sbom:            # SBOM generation
```

Results are available:

- GitHub Security Tab - SARIF uploads
- Artifacts - Download detailed reports
- GitHub Step Summary - Quick overview

We thank security researchers who responsibly disclose vulnerabilities.

- Security Issues: security@aegisgatesecurity.io
- General Support: support@aegisgatesecurity.io