BunnyDeploymentSecurity Model

Security Model

This document outlines the security considerations, infrastructure requirements, and trust model for deploying and running Bunny within a network.

Information about Cohort Discovery can be found on the HDR Gateway.

Bunny is compliant with the governance and security model outlined in the Cohort Discovery Implementation Guide.

Container Security

Image Build Process

  • Bunny images are built using GitHub Actions, using a repeatable and transparent build process.
  • Each dependency from the build process is pinned to a git hash.
  • This automation helps ensure that each build is consistent and can be traced back to its source code and build instructions.

Container Registry

  • Every Bunny image is published to the GitHub container registry.
  • Images are pinned to specific workflow commit hashes, which prevents unauthorized modifications and ensures that only verified builds are used.
  • This pinning mechanism helps maintain security by ensuring that the exact version of the code that was reviewed and tested is the one being deployed.

Code Security & Review

  • All code contributions must pass a set of unit, integration, and end to end tests.
  • Contributions are reviewed by the University of Nottingham Centre for Health Informatics developer team, before they are approved and merged into the codebase.
  • Code scanning using GitHub’s CodeQL analysis is enabled on the repository and contributions to automatically identify potential security vulnerabilities and coding issues.
  • Bunny has a security policy for vulnerability reporting.

Dependency & Supply Chain Security

  • The base image and all dependencies are reviewed for security updates.
  • GitHub’s dependency-review-action is used to detect vulnerable dependencies before they are introduced into the codebase.
  • Bunny uses Dependabot to automatically scan and update dependencies, ensuring security vulnerabilities are identified and patched promptly.
  • Updates are published with release notes on the Bunny releases page.
  • A Software Bill of Materials (SBOM) for Bunny is published providing visibility into dependencies and supply chain security.

Infrastructure Security

  • Bunny is deployed in a secure environment by a data partner.
  • Bunny requires access to the data partner’s OMOP CDM database.
  • Bunny makes only outgoing connections to RQUEST / Relay API.
  • No incoming requests are made into the data partner’s secure environment.
  • Outbound access is restricted to the RQUEST / Relay API, no other access is required.

Authentication & Access Control

  • Credentials (database access, RQUEST / Relay authentication) are managed through environment variables.
  • Bunny connections to RQUEST / Relay are secured using the ‘Basic’ HTTP Authentication Scheme, consistent with the API specification.

Data Security & Compliance

  • Bunny executes only validated queries that comply with the RQUEST / Relay specification.
  • Bunny cannot execute arbitrary SQL or code.
  • Low-number suppression and rounding can be configured to custom values to comply with data protection policies.
  • Bunny can be configured to log externally the API requests, payloads, queries, SQL executed, results, and errors for audit purposes.
  • Bunny does not persist data to a database.
Deploy BunnySecurity Guidelines