Application Security Architecture

Overview

The Archon Platform applies defence-in-depth to the software supply chain and to the public documentation surface. Two independent scanning layers catch container and dependency vulnerabilities. A two-layer sanitization pipeline protects internal information from leaking into the public-facing documentation site.

Supply Chain Scanning: Dual-Layer Model

Layer 1 -- Grype (CI Gate)

Grype is the primary container and SCA scanner. It runs as a mandatory CI pipeline stage on every container image build. A Grype scan failure blocks the pipeline; nothing ships with a known critical or high CVE unless explicitly acknowledged in a tracked work item.

Grype is the only permitted container/SCA gate tool. The decision to use Grype (and the rationale for not using Trivy at this time) is documented in APPSEC-0001.

Layer 2 -- Aikido (Continuous SAST and CSPM)

Aikido provides continuous static analysis, secrets detection, infrastructure-as-code scanning, and cloud security posture management. It operates outside the CI pipeline as a background continuous scanner, complementing Grype's per-build gate with persistent repository-level analysis.

Aikido augments rather than replaces Grype. Grype holds the hard CI gate; Aikido surfaces issues between builds and covers SAST, IaC, and dependency audit angles that Grype does not address. See APPSEC-0001 for the dual-scanner rationale.

Public Documentation Sanitization

The Problem

The Archon Platform documentation contains internal architecture detail -- network topology, node inventory, internal ADRs -- that should never appear on the public documentation site at peries.ca. The source repository is private, but the MkDocs build output is deployed to Cloudflare Pages and is publicly accessible.

Two-Layer DLP Pipeline

The CI pipeline applies two DLP layers before publishing:

Layer 1 -- sanitize.py: Copies docs/ to build/docs/, stripping or redacting content that matches internal-information patterns (RFC 1918 addresses, internal hostnames, excluded directories such as internal/ and RISK/). MkDocs builds from build/docs/, never from the source docs/ tree.

Layer 2 -- verify-sanitization.py: Scans the sanitized build/docs/ output for any remaining pattern matches. A match is a pipeline failure -- the build does not deploy.

The sanitization strategy, pattern coverage, and the rationale for excluding the RISK/ ADR class from the public build are documented in APPSEC-0002.
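As an added illustration of the two layers above (not the project's own sanitize.py or verify-sanitization.py), the following Python example applies the same structure to an in-memory docs tree: directory exclusion and pattern redaction in layer 1, and a fail-the-deploy check in layer 2. The RFC 1918 regex, the hypothetical archon.internal hostname suffix, and the sample documents are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath
# Constructed example of the two DLP layers described above. The directory names,
# patterns and hostname suffix are assumptions, not the project's own sanitize.py config.
EXCLUDED_DIRS = {"internal", "RISK"}
REDACTED = "[REDACTED]"
# RFC 1918: 10/8, 172.16/12, 192.168/16; \b keeps 172.32.0.1 and 110.x.x.x out.
RFC1918 = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
# Hypothetical internal DNS suffix used only for this example.
INTERNAL_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.archon\.internal\b", re.I)
PATTERNS = (RFC1918, INTERNAL_HOST)

def _in_excluded_dir(path):
    return bool(EXCLUDED_DIRS & set(PurePosixPath(path).parts[:-1]))

def sanitize(docs):
    """Layer 1 (sanitize.py): build/docs/ = docs/ minus excluded dirs, with matches redacted."""
    build = {}
    for path, text in docs.items():
        if _in_excluded_dir(path):
            continue  # structurally excluded: never copied, not merely hidden from nav
        for pat in PATTERNS:
            text = pat.sub(REDACTED, text)
        build[path] = text
    return build

def verify(build_docs):
    """Layer 2 (verify-sanitization.py): list (path, finding); any finding fails the deploy."""
    findings = []
    for path, text in build_docs.items():
        if _in_excluded_dir(path):
            findings.append((path, "excluded directory present"))
        for pat in PATTERNS:
            findings.extend((path, m.group(0)) for m in pat.finditer(text))
    return findings

# Constructed docs/ tree standing in for the real repository.
SAMPLE_DOCS = {
    "index.md": "Public overview. Cluster API lives at 10.20.30.40, see node1.archon.internal.",
    "guide/net.md": "External IP 203.0.113.7 is fine; 172.31.0.1 and 172.32.0.1 differ.",
    "internal/topology.md": "Core switch 192.168.1.1",
    "RISK/ADR-0007.md": "Risk acceptance text",
}
if __name__ == "__main__":
    leaks = verify(sanitize(SAMPLE_DOCS))
    print("DEPLOY" if not leaks else f"FAIL: {leaks}")
```

Running it prints DEPLOY because the excluded directories never reach the build tree and both pattern hits in the public pages are redacted; a leftover match or a stray RISK/ file in the build tree yields a non-empty findings list, which is the condition the real pipeline turns into a failed deploy.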

Layer 3 -- Future Direction

A third DLP layer (automated semantic review for policy-level information leakage) is tracked as a future improvement. The current two-layer approach provides adequate protection for the current information classification posture.

Key Properties

  • Grype blocks any container build that carries a critical/high CVE
  • Aikido provides continuous background coverage across SAST, secrets, and IaC
  • No source docs are ever published directly -- always sanitized through build/docs/
  • The verify-sanitization step is a mandatory pre-deploy gate
  • Internal ADR classes (RISK) are structurally excluded, not just omitted from nav