
kastelldev/kastell

v1.16.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

automation cli coolify devops digitalocean docker dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Affected surfaces

crypto_tls

Summary

AI summary

AES-256-GCM token encryption at rest and enhanced Kastell fix CLI capabilities

Full changelog

Added

  • AES-256-GCM token encryption — tokens.json and notify-secrets.json encrypted at rest when OS keychain is unavailable. Per-installation random salt, cross-platform machine key derivation (Linux/macOS/Windows), transparent plaintext auto-migration
  • Fix rollback & history — kastell fix --rollback <id> restores from backup, kastell fix --history shows fix log
  • Fix prioritization — kastell fix --top N applies highest-impact fixes, kastell fix --target 80 fixes until score reaches target
  • Programmatic fix handlers — 4 dedicated handlers (sysctl, file-append, package-install, chmod/chown) replace shell redirect/pipe for SAFE tier fixes
  • Fix profiles — kastell fix --profile web-server|database|mail-server applies server-type-specific fix sets
  • Fix diff preview — kastell fix --diff shows per-fix before/after changes
  • Fix report — kastell fix --report generates markdown fix report with score change and compliance info
  • WAF audit deep checks — 5 new WAF pipeline checks (IP ACL, rate limiting, input sanitization, bot detection headers, data masking) expanding nginx category to 14 checks
  • Dependabot config — .github/dependabot.yml for automated GitHub Actions SHA updates
  • 10 project-specific security audit custom checks (SSH injection, SAFE_MODE bypass, token leak, MCP validation, subprocess env, SSH host key, API sanitization, error disclosure, npm lifecycle)

Fixed

  • getServers() fail-closed — corrupt servers.json now throws instead of silently returning empty array
  • fileAppend handler shell injection — single-quote escape via shellEscape() on forward path (rollback already escaped)
  • Encryption key hardening — per-installation random salt replaces hardcoded "kastell-v1", persistent random UUID fallback replaces low-entropy hostname
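The fileAppend fix above (and the matching entry under Security Fixes) is a single-quote escape applied to values interpolated into a shell command. The block below is an added example of that pattern and is not Kastell's shellEscape() or fileAppend handler: it shows the unsafe interpolation beside the escaped form, and a small quote-aware scanner that checks whether a built command still contains a command separator outside single quotes. The file path and config line are constructed sample values.

```javascript
// Added example, not Kastell's own code. POSIX single-quote escaping: wrap
// the value in single quotes and turn every embedded ' into '\'' (close the
// quote, emit an escaped quote, reopen the quote).
function shellEscape(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Before the fix: raw interpolation. A value containing a single quote
// terminates the quoted string and the rest is parsed as shell syntax.
function buildAppendCommandUnsafe(line, path) {
  return `echo '${line}' >> '${path}'`;
}

// After the fix: every untrusted value goes through shellEscape().
function buildAppendCommandSafe(line, path) {
  return `echo ${shellEscape(line)} >> ${shellEscape(path)}`;
}

// Quote-aware scan used here to demonstrate the difference: does the command
// contain a separator (; | & newline) outside single quotes? Assumes POSIX sh
// rules: nothing is special inside '...', and a backslash outside quotes
// escapes the next character (which is how '\'' works).
function hasUnquotedSeparator(cmd) {
  let inQuote = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (inQuote) {
      if (ch === "'") inQuote = false;
      continue;
    }
    if (ch === '\\') { i++; continue; }
    if (ch === "'") { inQuote = true; continue; }
    if (';|&\n'.includes(ch)) return true;
  }
  return false;
}

// Constructed sample: a sysctl line that carries a stray quote and separator.
const SAMPLE_PATH = '/tmp/example-99-kastell.conf';
const SAMPLE_LINE = "net.ipv4.ip_forward = 0'; echo INJECTED; #";

// Returns { unsafe, safe } so the two outcomes can be compared.
function demo() {
  return {
    unsafe: hasUnquotedSeparator(buildAppendCommandUnsafe(SAMPLE_LINE, SAMPLE_PATH)),
    safe: hasUnquotedSeparator(buildAppendCommandSafe(SAMPLE_LINE, SAMPLE_PATH)),
  };
}
```

Escaping the string is the minimal fix on an existing shell-command path; the dedicated programmatic handlers listed under Added (file-append, sysctl, package-install, chmod/chown) remove the shell from the SAFE tier entirely, which is the stronger control.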

Security

  • All 13 GitHub Actions references SHA-pinned across 5 workflow files (zero floating tags)
  • SECFIX-01 through SECFIX-09 addressed: token encryption, supply chain hardening, fail-closed config, 5 already-closed findings verified
  • Security audit: 29 findings (down from 39), 0 critical, 1 high (deferred to v2.0 by design)
  • /review skill added to release security gate

Changed

  • Test count: 5,522 → 9,611 (4,089 new tests including 3,623 mutation killers)
  • Test suites: 207 → 215
  • Test helpers: 4 → 5 factory files (encryption-factories.ts added)
  • Mutation score: 44.65% → 59.06% nominal / 78.6% effective (Dalga 1-3 complete)

Security Fixes

  • FileAppend handler now escapes single quotes via shellEscape() preventing shell injection
  • Encryption key hardening replaces hardcoded salt with per-installation random salt and adds persistent UUID fallback


About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
