# Release v1.17.0 - Security Audits & Governance
**Release Date:** 2025-12-17
**Type:** Major Feature Release
**Status:** Production Ready
---
## Enterprise-Grade Security Auditing
Complete security audit and governance system for n8n workflows. Designed for enterprises that need documented evidence for SOC2, ISO27001, or GDPR compliance programs.
### Hardcoded Secret Detection
**11 Secret Types Detected:**
- AWS Access Keys (AKIA pattern, 95% confidence)
- GitHub Personal Access Tokens (ghp_, gho_, github_pat_)
- OpenAI API Keys (sk- pattern)
- Slack Tokens (xox pattern)
- Private Keys (PEM format)
- JWTs (eyJ pattern)
- Database Connection Strings (postgres://, mysql://)
- OAuth Client Secrets
- Webhook Secrets
- Encryption Keys
- Generic high-entropy secrets
**Detection Methods:**
- **Regex Pattern Matching**: 30+ patterns for known secret formats
- **Entropy Analysis**: Shannon entropy calculation for unknown secrets
- **Context-Aware**: Reduces false positives with whitelist patterns
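The detection pipeline above (known-format regexes, a Shannon-entropy pass for everything else, and a context allow-list to suppress placeholders) in working form. This is an added example, not the project's own `SecretDetector`; the pattern list, confidence values, entropy threshold and allow-list terms are illustrative assumptions (the project's real patterns live in `secrets.py`), and the workflow JSON is constructed. The one n8n-specific point worth seeing in code: values such as `={{ $env.STRIPE_KEY }}` are runtime references, not hardcoded secrets, so the allow-list must recognise n8n expression syntax or every environment-backed credential becomes a false positive.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class SecretFinding:
    secret_type: str
    value: str
    confidence: float
    location: str = ""  # JSONPath-like location inside the workflow export


# Known-format patterns with a per-pattern confidence (assumed values).
PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.95),
    ("github_token", re.compile(r"\b(?:ghp|gho)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"), 0.95),
    ("openai_api_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"), 0.85),
    ("slack_token", re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}"), 0.90),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"), 0.99),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), 0.90),
    ("db_connection_string", re.compile(r"\b(?:postgres(?:ql)?|mysql)://[^:\s/]+:[^@\s]+@\S+"), 0.90),
]

# Placeholder markers and n8n runtime references (`={{ $env.X }}`,
# `{{ $credentials.x }}`) that must not be reported. Assumed allow-list.
ALLOWLIST = re.compile(
    r"(?i)example|placeholder|dummy|changeme|your[_-]|x{6,}|\{\{\s*\$(?:env|credentials|vars|json)\b"
)

GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per char (assumed); lower catches hex keys but raises false positives


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, over the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[SecretFinding]:
    if ALLOWLIST.search(text):
        return []
    findings, covered = [], []
    for name, pattern, confidence in PATTERNS:
        for m in pattern.finditer(text):
            findings.append(SecretFinding(name, m.group(0), confidence))
            covered.append(m.span())
    # Entropy pass for formats we have no pattern for; skip spans a pattern already claimed.
    for m in GENERIC_TOKEN.finditer(text):
        if any(start <= m.start() < end for start, end in covered):
            continue
        token = m.group(0)
        mixed = re.search(r"\d", token) and re.search(r"[A-Za-z]", token)
        if mixed and shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(SecretFinding("generic_high_entropy", token, 0.60))
    return findings


def iter_strings(obj, path="$"):
    """Yield (path, value) for every string leaf of a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_workflow(workflow: dict) -> list[SecretFinding]:
    findings = []
    for path, text in iter_strings(workflow):
        for f in scan_text(text):
            f.location = path
            findings.append(f)
    return findings


# Constructed n8n-style workflow export (not from a real instance); all values are fake.
SAMPLE_WORKFLOW = {
    "name": "Payment Processing",
    "nodes": [
        {"name": "Charge Card", "type": "n8n-nodes-base.httpRequest",
         "parameters": {"url": "https://pay.internal/charge",
                        "headerParameters": {"parameters": [
                            {"name": "Authorization", "value": "Bearer sk-7Hq9ZkP2sLm4Xv8RtB1nCw6YdF3gJe5A"}]}}},
        {"name": "Store Order", "type": "n8n-nodes-base.postgres",
         "parameters": {"connectionString": "postgres://app:S3cretPassw0rd@db.internal:5432/payments"}},
        {"name": "Set Config", "type": "n8n-nodes-base.set",
         "parameters": {"values": {"string": [
             {"name": "aws_key", "value": "AKIAQ2R7T5NBCXK9P3M4"},
             {"name": "webhook_secret", "value": "pF4mN9xQ2wLz8KsR7vTb3YhJ6cGd1eA5"},
             {"name": "stripe_key", "value": "={{ $env.STRIPE_KEY }}"},
             {"name": "profile", "value": "configuration_manager_settings"}]}}},
    ],
}

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f.secret_type:<22} {f.confidence:.2f} {f.location}")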
### Authentication Auditing
**Checks:**
- Missing authentication on webhooks
- Missing authentication on HTTP requests
- Missing credentials on database nodes
- Insecure HTTP (should be HTTPS)
- Basic Auth over HTTP (credentials in plain text)
- API keys in URL parameters
- OAuth opportunities (services that should use OAuth2)
### Exposure Analysis
**Detects:**
- Public webhooks without authentication
- Unauthenticated API endpoints
- Data leaks in responses
- PII exposure (email, phone, SSN, credit cards, etc.)
- CORS misconfigurations
- Error information leaks
- Sensitive data in logs
- Public database writes
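The authentication and exposure checks from the two lists above, run over an n8n workflow export. This is an added example, not the project's `AuthenticationAuditor` or `ExposureAnalyzer`; the n8n node type names and parameter keys (`n8n-nodes-base.webhook` with `authentication`, `httpRequest` with `genericAuthType`, `respondToWebhook` with `options.responseHeaders.entries`) follow the export format as I know it but are assumptions to verify against your n8n version, severities are illustrative, and the workflow is constructed. It covers: unauthenticated webhooks, plain `http://` targets and Basic Auth over them, API keys in query strings, database nodes with no credentials attached, wildcard CORS on webhook responses, and PII in node parameters. Card-number hits are filtered through a Luhn check, which is what keeps order IDs and other 16-digit values out of the PII findings.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Finding:
    category: str  # "authentication" | "exposure"
    severity: str  # "critical" | "high" | "medium" | "low" (illustrative)
    check: str
    node: str
    detail: str


# n8n node type names and parameter keys as they appear in workflow exports (assumed).
WEBHOOK = "n8n-nodes-base.webhook"
HTTP_REQUEST = "n8n-nodes-base.httpRequest"
RESPOND = "n8n-nodes-base.respondToWebhook"
DB_NODES = {"n8n-nodes-base.postgres", "n8n-nodes-base.mySql"}
SECRET_QUERY_KEYS = {"api_key", "apikey", "key", "token", "access_token", "secret", "password"}

PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit strings."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _strings(obj):
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj


def audit_workflow(workflow: dict) -> list[Finding]:
    findings = []
    for node in workflow.get("nodes", []):
        ntype, name, p = node.get("type", ""), node.get("name", "?"), node.get("parameters", {})
        # Webhook node: n8n omits `authentication` from the export when it is the default "none".
        if ntype == WEBHOOK and p.get("authentication", "none") == "none":
            findings.append(Finding("authentication", "high", "webhook_unauthenticated", name,
                                    f"/{p.get('path', '')} accepts requests from anyone"))
        if ntype == HTTP_REQUEST:
            url = p.get("url", "")
            parts = urlsplit(url)
            auth = (p.get("genericAuthType", "") if p.get("authentication") == "genericCredentialType"
                    else p.get("authentication", "none"))
            if parts.scheme == "http":
                if auth == "httpBasicAuth":  # credentials travel base64-encoded in clear text
                    findings.append(Finding("authentication", "high", "basic_auth_over_http", name, url))
                else:
                    findings.append(Finding("authentication", "medium", "insecure_http", name, url))
            leaked = [k for k in parse_qs(parts.query) if k.lower() in SECRET_QUERY_KEYS]
            if leaked or auth == "httpQueryAuth":  # ends up in proxy and server access logs
                findings.append(Finding("authentication", "high", "api_key_in_url", name,
                                        ", ".join(leaked) or "query-string credential"))
        if ntype in DB_NODES and not node.get("credentials"):
            findings.append(Finding("authentication", "high", "missing_db_credentials", name, ntype))
        if ntype == RESPOND:
            for h in p.get("options", {}).get("responseHeaders", {}).get("entries", []):
                if h.get("name", "").lower() == "access-control-allow-origin" and h.get("value") == "*":
                    findings.append(Finding("exposure", "medium", "cors_wildcard", name,
                                            "Access-Control-Allow-Origin: *"))
        for text in _strings(p):
            for kind, pattern in PII_PATTERNS.items():
                for m in pattern.finditer(text):
                    value = m.group(0)
                    if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                        continue  # 16 digits that fail Luhn are an ID, not a card number
                    findings.append(Finding("exposure", "medium", f"pii_{kind}", name, value))
    return findings


SAMPLE_WORKFLOW = {  # constructed n8n-style export, not from a real instance
    "nodes": [
        {"name": "Order Webhook", "type": WEBHOOK, "parameters": {"httpMethod": "POST", "path": "orders"}},
        {"name": "Charge Card", "type": HTTP_REQUEST, "parameters": {
            "url": "http://payments.internal/v1/charge?api_key=live_8f3c",
            "authentication": "genericCredentialType", "genericAuthType": "httpBasicAuth"}},
        {"name": "Store Order", "type": "n8n-nodes-base.postgres",
         "parameters": {"operation": "insert", "table": "orders"}},
        {"name": "Reply", "type": RESPOND, "parameters": {"options": {"responseHeaders": {"entries": [
            {"name": "Access-Control-Allow-Origin", "value": "*"}]}}}},
        {"name": "Test Data", "type": "n8n-nodes-base.set", "parameters": {"values": {"string": [
            {"name": "card", "value": "4111 1111 1111 1111"},
            {"name": "order_ref", "value": "1234567890123456"},
            {"name": "contact", "value": "jane.doe@corp.internal"}]}}},
    ]
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f.severity:<6}] {f.category:<14} {f.check:<24} {f.node}: {f.detail}")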
### Security Scoring System
**Score Calculation:**
- Starts at 100 points
- Each finding deducts a base amount by severity, multiplied by a weight for the category it came from; the score never drops below 0:
- Critical: -25 points
- High: -15 points
- Medium: -8 points
- Low: -3 points
- Category weights: secrets × 1.5, authentication × 1.3, exposure × 1.2
**Risk Levels:**
- **Critical** (0-30): Immediate action required
- **High** (31-60): Fix soon
- **Medium** (61-80): Should address
- **Low** (81-99): Minor issues
- **Excellent** (100): Perfect security
### Compliance Validation
**Three Standards:**
1. **Basic**: No critical findings
2. **Strict**: No critical or high findings
3. **Enterprise**:
- Score >= 85/100
- No critical or high findings
- All webhooks authenticated
- Intended as control evidence for SOC2/ISO27001 reviews
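The scoring, risk-banding and compliance rules from the two sections above, as an added example rather than the project's `SecurityScorer`. The category names (`secrets`, `authentication`, `exposure`) and the `webhook_unauthenticated` check identifier used to enforce the enterprise "all webhooks authenticated" rule are assumptions, as is rounding the score down (so a borderline score never rounds up into a better band). The findings list is constructed.

```python
import math
from dataclasses import dataclass

# Base deduction per severity and weight per finding category, as listed above.
BASE_DEDUCTION = {"critical": 25, "high": 15, "medium": 8, "low": 3}
CATEGORY_WEIGHT = {"secrets": 1.5, "authentication": 1.3, "exposure": 1.2}


@dataclass(frozen=True)
class Finding:
    category: str  # "secrets" | "authentication" | "exposure" (assumed names)
    severity: str  # "critical" | "high" | "medium" | "low"
    check: str     # assumed check identifier, e.g. "webhook_unauthenticated"


def security_score(findings) -> int:
    """100 minus weighted deductions, floored at 0 and rounded down."""
    total = sum(BASE_DEDUCTION[f.severity] * CATEGORY_WEIGHT.get(f.category, 1.0) for f in findings)
    return max(0, math.floor(100 - total))


def risk_level(score: int) -> str:
    if score == 100:
        return "excellent"
    if score >= 81:
        return "low"
    if score >= 61:
        return "medium"
    if score >= 31:
        return "high"
    return "critical"


def check_compliance(findings, standard: str) -> tuple[bool, list[str]]:
    """basic: no critical; strict: no critical/high; enterprise: strict plus
    score >= 85 and every webhook authenticated."""
    if standard not in ("basic", "strict", "enterprise"):
        raise ValueError(f"unknown standard: {standard}")
    severities = {f.severity for f in findings}
    violations = []
    if "critical" in severities:
        violations.append("Critical severity findings detected")
    if standard != "basic" and "high" in severities:
        violations.append("High severity findings detected")
    if standard == "enterprise":
        score = security_score(findings)
        if score < 85:
            violations.append(f"Security score too low: {score}/100 (required: 85+)")
        if any(f.check == "webhook_unauthenticated" for f in findings):
            violations.append("Unauthenticated webhooks detected")
    return not violations, violations


SAMPLE_FINDINGS = [  # constructed
    Finding("secrets", "critical", "aws_access_key"),
    Finding("authentication", "high", "webhook_unauthenticated"),
    Finding("exposure", "medium", "cors_wildcard"),
]

if __name__ == "__main__":
    score = security_score(SAMPLE_FINDINGS)
    print(f"Score: {score}/100 ({risk_level(score).upper()})")
    for std in ("basic", "strict", "enterprise"):
        ok, why = check_compliance(SAMPLE_FINDINGS, std)
        print(f"{std:<10} {'PASS' if ok else 'FAIL'} {why}")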
---
## New MCP Tools
### 1. `audit_workflow_security`
Comprehensive security audit with detailed report.
**Input:**
```json
{
"workflow_id": "abc123",
"format": "markdown" // or "json", "text"
}
```
**Output:**
- Security score (0-100)
- Risk level assessment
- Detailed findings by category
- Prioritized recommendations
- Remediation steps
### 2. `get_security_summary`
Quick security overview.
**Input:**
```json
{
"workflow_id": "abc123"
}
```
**Output:**
- Score and grade (A+ to F)
- Risk level
- Findings count by category
- Findings count by severity
### 3. `check_compliance`
Validate against compliance standards.
**Input:**
```json
{
"workflow_id": "abc123",
"standard": "enterprise" // or "basic", "strict"
}
```
**Output:**
- Compliance status (pass/fail)
- List of violations
- Recommendations
### 4. `get_critical_findings`
Get only critical/high severity issues.
**Input:**
```json
{
"workflow_id": "abc123"
}
```
**Output:**
- Hardcoded secrets (critical/high only)
- Authentication issues (critical/high only)
- Exposure risks (critical/high only)
---
## Example Usage
### Audit a Workflow
```
You: "Audit the security of my Payment Processing workflow"
Claude uses: audit_workflow_security
→ Generates comprehensive security report with:
  - Score: 45/100 (HIGH RISK)
  - 3 hardcoded secrets detected
  - 2 missing authentication issues
  - 1 public webhook exposure
  - Detailed recommendations
```
### Check Compliance
```
You: "Does my workflow meet enterprise security standards?"
Claude uses: check_compliance (standard: "enterprise")
→ Returns:
  NON-COMPLIANT
  Violations:
  - Security score too low: 45/100 (required: 85+)
  - High severity findings detected
  - Unauthenticated webhooks detected
```
### Quick Security Check
```
You: "What's the security status of workflow abc123?"
Claude uses: get_security_summary
→ Returns:
  Score: 45/100 (D)
  Risk Level: HIGH
  Total Findings: 6
  - Secrets: 3
  - Authentication: 2
  - Exposure: 1
```
---
## Use Cases
### 1. Pre-Deployment Security Checks
Audit workflows before deploying to production:
```
audit_workflow_security(workflow_id, format="markdown")
check_compliance(workflow_id, standard="enterprise")
```
### 2. Security Dashboard
Monitor security across all workflows:
```
for workflow in workflows:
    summary = get_security_summary(workflow.id)
    if summary.risk_level in ["critical", "high"]:
        alert_team(workflow, summary)
```
### 3. Compliance Reporting
Generate compliance reports for auditors:
```
report = audit_workflow_security(workflow_id, format="markdown")
# Export to PDF for SOC2 audit
```
### 4. CI/CD Integration
Block deployments with security issues:
```
is_compliant, violations = check_compliance(workflow_id, "strict")
if not is_compliant:
    raise DeploymentBlocked(violations)
```
---
## Enterprise Benefits
### Security
- **Prevent Data Breaches**: Detect secrets before they reach production
- **Reduce Attack Surface**: Find unauthenticated endpoints
- **Protect PII**: Identify personal data exposure risks
### Compliance
- **SOC2 Ready**: Document security controls
- **ISO27001**: Evidence for security audits
- **GDPR**: Identify PII handling issues
### Governance
- **Policy Enforcement**: Require minimum security scores
- **Audit Trails**: Document security improvements
- **Risk Management**: Prioritize security fixes
---
## Technical Details
### Architecture
```
SecurityAuditor
├── SecretDetector (30+ regex patterns + entropy analysis)
├── AuthenticationAuditor (8 check types)
├── ExposureAnalyzer (8 exposure types)
├── SecurityScorer (weighted scoring algorithm)
└── SecurityReport (3 output formats)
```
### Performance
- **Fast**: Audits complete in <1 second for typical workflows
- **Confidence-scored**: Known secret patterns carry 95%+ confidence; each finding reports the confidence of the pattern that matched it
- **Low False Positives**: Context-aware whitelisting of placeholder values
### Extensibility
Easy to add new patterns:
```python
PATTERNS = {
    SecretType.CUSTOM: [
        (r'your_pattern_here', 0.90),  # (regex, confidence score)
    ],
}
```
---
## Statistics
**Lines of Code:** ~1,800 lines
**Files Added:** 7 new files in `security/` module
**Test Coverage:** Comprehensive test suite
**MCP Tools:** 4 new tools
**Secret Patterns:** 30+ detection patterns
**Check Types:** 25+ security checks
---
## Upgrade Guide
1. **Pull latest code**
2. **No migration required** - works immediately
3. **Test:** `audit_workflow_security(your_workflow_id)`
---
## Related Documentation
- **Security Module:** `src/n8n_workflow_builder/security/`
- **Test Example:** `tests/security/test_security_audit.py`
- **Pattern Reference:** See `secrets.py` for all detection patterns
---
## Credits
Designed for enterprise security and compliance requirements. Perfect for companies needing:
- SOC2 Type II certification
- ISO27001 compliance
- GDPR data protection
- Internal security policies
---
**Status:** PRODUCTION READY
**Breaking Changes:** None
**Backward Compatible:** Yes
---
*This feature positions n8n Workflow Builder as an enterprise-grade solution with security and governance capabilities that competitors lack.*