---
sidebar_position: 1
title: Security Documentation
description: Index of security documentation including threat model and deployment security guide
author: Microsoft Robotics-AI Team
ms.date: 2026-02-22
ms.topic: overview
keywords:
---
Security documentation for the Physical AI Toolchain covering threat analysis, deployment hardening, and vulnerability reporting.

| Document | Description |
|---|---|
| Threat Model | STRIDE-based threat analysis and remediation roadmap |
| Deployment Security Guide | Security configuration inventory and deployment responsibilities |
| Release Verification | Verify release artifact provenance and SBOM attestations |
| Workflow Permissions | GitHub Actions permission scopes and OSSF Scorecard exceptions |
| SECURITY.md | Vulnerability disclosure and reporting process |

This reference architecture deploys AKS clusters with GPU node pools, Azure Machine Learning, and NVIDIA OSMO for robotics training and inference. All components are infrastructure-as-code artifacts; no hosted service or user-facing application exists.

The threat model documents:
- 19 threats across STRIDE categories
- Security controls mapped to each threat
- Trust boundary analysis across IaC, cluster, and ML pipeline layers
- Prioritized remediation roadmap

The security guide documents:
- Default security configurations shipped with the architecture
- Deployment team responsibilities before, during, and after provisioning
- Security considerations checklist with Azure documentation references

The scripts below implement automated security and freshness checks. They run on GitHub Actions schedules and publish their findings to the repository's Security tab.

| Script | Workflow | Purpose |
|---|---|---|
| `scripts/security/Test-BinaryFreshness.ps1` | `check-binary-integrity.yml` | Verify pinned binary SHA-256 hashes and detect Helm chart version drift (SARIF output) |
| `scripts/security/Test-DependencyPinning.ps1` | `dependency-pinning-scan.yml` | Validate that GitHub Actions, Docker images, and package manifests pin exact versions |
| `scripts/security/Test-SHAStaleness.ps1` | `sha-staleness-check.yml` | Detect SHA pins that have drifted behind upstream release tags |
| `scripts/update-chart-hashes.sh` | Run manually after chart bumps | Refresh pinned Helm chart versions and SHA-256 hashes in `infrastructure/setup/defaults.conf` |

Each PowerShell script supports a `-SarifFile` parameter for CI integration and a `-ConfigPreview` switch for local dry-run inspection. Run `scripts/update-chart-hashes.sh` locally whenever a pinned Helm chart version is updated so `defaults.conf` stays in sync.

- Contributing security review: Contributor security checklist for pull requests
- Azure security documentation: Authoritative security guidance for Azure services
- AKS baseline architecture: Production-ready AKS security patterns
Crafted with precision by Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.