Security Backlog

This document shares current curated security backlog with features and capabilities that are defined in Security Jira board. Please refer Bahmni Security Posture document to get a holistic perspective.

To update JIRA details below, please type “/JIRA“ under Documentation/JIRA column & search your Jira no, click Insert.
This will show the current status on Jira board.

	Categories	Capabilities / Features	Documentation/JIRA	Bahmni Lite v 1.0 Release

	Categories	Capabilities / Features	Documentation/JIRA	Bahmni Lite v 1.0 Release
1	Trivy Secret & Vulnerability Scanning	Analyze false positives or perform quick fixes on Critical vulnerabilities (First Pass)	https://bahmni.atlassian.net/browse/BAH-2416	DONE
2	Trivy Secret & Vulnerability Scanning	Perform Vulnerability check in CI (build) using Trivy and fail for Critical issues. Add secret scanning using Trivy in all Bahmni repositories	https://bahmni.atlassian.net/browse/BAH-2193	DONE
3	Machine / Node hardening	OpenSCAP for nodes / machine monitoring	https://bahmni.atlassian.net/browse/BAH-2142	DONE
4	Machine / Node hardening	Apply daily critical security updates automatically (e.g EC2)	https://bahmni.atlassian.net/browse/BAH-2412 https://bahmni.atlassian.net/browse/BAH-2382	DEFERRED
5	Firewall	OpenSource / Free option for Bot Management and Traffic Control for Bahmni running on Docker / K8s	https://bahmni.atlassian.net/browse/BAH-2413	DEFERRED
6	Firewall	Document AWS WAF and Bot Management recommendation for Bahmni Lite	https://bahmni.atlassian.net/browse/BAH-2414	DEFERRED
7	Security Quality Gates	Explore OWASP Zap for Bahmni Security Testing	https://bahmni.atlassian.net/browse/BAH-1961	DEFERRED
8	Security Quality Gates	Automate Static Code Analysis using DeepSource / SonarQube → Documentation	https://bahmni.atlassian.net/browse/BAH-1958 https://bahmni.atlassian.net/browse/BAH-1959	DEFERRED
9	Data Protection	Protect patient documents behind Login (only for older RPM based installation since docker and k8s no longer have this issue)	https://bahmni.atlassian.net/browse/BAH-2417	Not APPLICABLE
10	Data Protection	Encrypt documents at rest (S3/FileSystem/Connected Storage/etc) e.g. Patient Documents	https://bahmni.atlassian.net/browse/BAH-2418	DEFERRED
11	Identity Management	Mitigate default credentials risk Ensure Change password on first login e.g. superman Remove default creds from code e.g. .env, values.yaml etc	https://bahmni.atlassian.net/browse/BAH-1960	DEFERRED
12	Cloud/Infra	Document recommendations on General Cloud hygiene		PARTIAL DONE
13	Cloud/Infra	Document Approach on Reporting security incident (Slack, DL etc)		DONE
14	Source Code Fixes	Fix hip service critical vulnerabilities	https://bahmni.atlassian.net/browse/BAH-2550	ABDM DONE
15		Fix hiu backend critical vulnerabilities	https://bahmni.atlassian.net/browse/BAH-2551	ABDM DONE
16		Fix hiu-ui critical vulnerabilities	https://bahmni.atlassian.net/browse/BAH-2552	ABDM DONE
17		Fix critical vulnerabilities in ABHA verification repo.	https://bahmni.atlassian.net/browse/BAH-2553	ABDM DONE
18		Fix critical vulnerabilities in Hiu-db code	https://bahmni.atlassian.net/browse/BAH-2554	ABDM DONE
19		Fix Critical Vulnerabilities in Appointments, Bahmni-lab, Bahmni-web, implementer-interface and patient-Documents images/jars	https://bahmni.atlassian.net/browse/BAH-2557	required DONE
20		Fix Critical Vulnerabilities in the crater-atomfeed repo	https://bahmni.atlassian.net/browse/BAH-2786	required DONE