{"id":22685248,"url":"https://github.com/nais/device","last_synced_at":"2026-06-01T13:00:44.065Z","repository":{"id":37965893,"uuid":"246228992","full_name":"nais/device","owner":"nais","description":"naisdevice is an application suite that enables NAV developers to connect to internal resources in a secure and friendly manner.","archived":false,"fork":false,"pushed_at":"2026-05-20T13:15:54.000Z","size":15800,"stargazers_count":17,"open_issues_count":10,"forks_count":6,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-05-20T17:57:08.077Z","etag":null,"topics":["go","tray-application","wireguard"],"latest_commit_sha":null,"homepage":"https://doc.nais.io/device/install","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nais.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-03-10T06:54:39.000Z","updated_at":"2026-05-20T13:12:00.000Z","dependencies_parsed_at":"2024-01-04T09:24:28.378Z","dependency_job_id":"33c23e63-252f-4cad-865b-e5f39929c697","html_url":"https://github.com/nais/device","commit_stats":null,"previous_names":[],"tags_count":564,"template":false,"template_full_name":null,"purl":"pkg:github/nais/device","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nais%2Fdevice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nais%2Fdevice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nais%2Fdevice/releases","m
anifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nais%2Fdevice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nais","download_url":"https://codeload.github.com/nais/device/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nais%2Fdevice/sbom","scorecard":{"id":571732,"data":{"date":"2025-08-11","repo":{"name":"github.com/nais/device","commit":"08bd8b27659123ea9551c85c86f95133219189c4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.5,"checks":[{"name":"Maintained","score":8,"reason":"10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 1/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:31","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:30","Info: jobLevel 'contents' permission set to 
'read': .github/workflows/controlplane.yml:71","Info: jobLevel 'packages' permission set to 'read': .github/workflows/controlplane.yml:73","Info: jobLevel 'contents' permission set to 'read': .github/workflows/controlplane.yml:132","Info: jobLevel 'packages' permission set to 'read': .github/workflows/controlplane.yml:134","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/frontends.yml:168","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ppa.yml:14","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/controlplane.yml:1","Warn: no topLevel permission defined: .github/workflows/frontends.yml:1","Warn: no topLevel permission defined: .github/workflows/homebrew.yml:1","Warn: no topLevel permission defined: .github/workflows/ppa.yml:1","Warn: no topLevel permission defined: .github/workflows/scoop.yml:1","Warn: no topLevel permission defined: .github/workflows/stale.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":6,"reason":"binaries present in source code","details":["Warn: binary detected: packaging/windows/nsis/plugins/AccessControl.dll:1","Warn: binary detected: packaging/windows/nsis/plugins/SimpleSC.dll:1","Warn: binary detected: packaging/windows/nsis/plugins/nsProcess.dll:1","Warn: binary detected: packaging/windows/wireguard-amd64-0.5.3.msi:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to 
earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned 
GitHubAction not pinned by hash: .github/workflows/build.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/build.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/controlplane.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/controlplane.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/controlplane.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/controlplane.yml:45: update your workflow using 
https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/controlplane.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/controlplane.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party 
GitHubAction not pinned by hash: .github/workflows/controlplane.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/controlplane.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/controlplane.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:181: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/frontends.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:60: update your workflow using 
https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/frontends.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontends.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/frontends.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/frontends.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/homebrew.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/homebrew.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/homebrew.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/homebrew.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/homebrew.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/homebrew.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ppa.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/ppa.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ppa.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/ppa.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ppa.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/ppa.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scoop.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/scoop.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scoop.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/scoop.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scoop.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/scoop.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/stale.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/nais/device/stale.yml/master?enable=pin","Warn: containerImage not pinned by hash: cmd/auth-server/Dockerfile:1","Warn: containerImage not pinned by hash: cmd/auth-server/Dockerfile:13: pin your Docker image by updating alpine:3.15 to alpine:3.15@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864","Warn: containerImage not pinned by hash: cmd/enroller/Dockerfile:1","Warn: containerImage not pinned by hash: cmd/enroller/Dockerfile:13: pin your Docker image by updating alpine:3.15 to alpine:3.15@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864","Info:   0 out of  32 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of  20 third-party GitHubAction dependencies pinned","Info:   0 out of   4 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 2025-05-19-132548 not signed: https://api.github.com/repos/nais/device/releases/219485994","Warn: release artifact 2024-12-17-134944 not signed: https://api.github.com/repos/nais/device/releases/191156015","Warn: release artifact 2024-10-18-101220 not signed: https://api.github.com/repos/nais/device/releases/180616453","Warn: release artifact 2024-10-18-093734 not signed: https://api.github.com/repos/nais/device/releases/180610565","Warn: release artifact 2024-10-18-073258 not signed: https://api.github.com/repos/nais/device/releases/180591681","Warn: release artifact 2025-05-19-132548 does not have provenance: https://api.github.com/repos/nais/device/releases/219485994","Warn: release artifact 
2024-12-17-134944 does not have provenance: https://api.github.com/repos/nais/device/releases/191156015","Warn: release artifact 2024-10-18-101220 does not have provenance: https://api.github.com/repos/nais/device/releases/180616453","Warn: release artifact 2024-10-18-093734 does not have provenance: https://api.github.com/repos/nais/device/releases/180610565","Warn: release artifact 2024-10-18-073258 does not have provenance: https://api.github.com/repos/nais/device/releases/180591681"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/controlplane.yml:66"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 1 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3787 / GHSA-fv92-fjc5-jj9h"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T16:31:47.810Z","repository_id":37965893,"created_at":"2025-08-20T16:31:47.810Z","updated_at":"2025-08-20T16:31:47.810Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33775864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","tray-application","wireguard"],"created_at":"2024-12-09T22:13:50.997Z","updated_at":"2026-06-01T13:00:44.031Z","avatar_url":"https://github.com/nais.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Naisdevice\n\nnaisdevice is a mechanism enabling NAV's developers to connect to internal resources in a secure and friendly manner.\n\n## Contributing\n\n### Linux requirements\n\n- build-essential\n- ruby\n- ruby-dev rubygems\n- imagemagick\n- fpm (ruby gem)\n\n### Deploying client changes\n\nExecuting `mise run release-frontend` is required for a new naisdevice client to be released and made available for download/install/update.\n\n## Concept\n\nEach resource is _protected_ by a gateway, and the developer is only granted access to the gateway if all of the following requirements are met:\n\n- Has a valid 
account\n- Has accepted naisdevice terms and conditions (from within the app)\n- Device is [healthy](#what-is-a-healthy-device)\n- Is a member of the AAD access group for the gateway (e.g. to connect to team A's DB (via gateway), you must be a member of team A's AAD group)\n\n### Key attributes\n\n- minimal attack surface\n- instantly reacting to relevant security events\n- improved audit logs: who connected when and to what\n- moving away from traditional device management enables building a strong security culture through educating our users on client security instead of automatically configuring their computers\n\n### Components\n\n#### Apiserver\n\nThe `apiserver` component serves as the gRPC API server, responsible for handling various configurations and managing communication with other agents. Its primary functionalities include:\n\n- Serving the gRPC API.\n- Distributing configurations to the following agents:\n  - [device-agent](#device-agent)\n  - [gateway-agent](#gateway-agent)\n  - [prometheus-agent](#prometheus-agent)\n- Retrieving device health status from the `nais/kolide-event-handler`.\n\n### Run API server locally\n\n```Shell\n# Create a SQLite database file with a mock device\ngo run ./hack/local-device.go\n# Start apiserver\ngo run ./cmd/apiserver\n\n# Run device agent with access to your local apiserver\ngo run ./cmd/naisdevice-agent --local-apiserver\n```\n\n## Gateway-agent\n\nThe `gateway-agent` runs on virtual machines (VMs) and interacts with the `apiserver` to receive and apply configurations. Key features of the `gateway-agent` include:\n\n- Streaming configurations from the `apiserver`.\n- Dynamic setup of:\n  - WireGuard for communication from devices.\n  - iptables for forwarding traffic.\n\n## Auth-server\n\nThe `auth-server` operates in a Cloud Run environment and plays a crucial role in user authentication. 
Its functionalities include:\n\n- Authenticating users.\n- Issuing tokens to devices for secure communication.\n\n## Enroller\n\nThe `enroller` is deployed on Cloud Run and is responsible for managing the enrollment process for both gateways and devices.\n\n- Handling the enrollment of gateways and devices securely.\n\n## Device-helper\n\nThe `device-helper` serves as the gRPC API for the `device-agent` and performs essential setup tasks for devices. Key functionalities include:\n\n- Providing a gRPC API for the `device-agent`.\n- Reading device serial information.\n- Configuring network interfaces, routes, and WireGuard for secure communication.\n\n## Device-agent\n\nThe `device-agent` is a crucial component responsible for managing device configurations and facilitating communication with the `apiserver`. Its main features include:\n\n- Streaming configurations from the `apiserver`.\n- Delegating configuration tasks to the `device-helper` via its gRPC API.\n- Serving status updates through its gRPC API to the CLI/systray.\n- Executing the authentication flow to obtain user tokens.\n\n## Systray\n\nThe `systray` component acts as a graphical user interface (GUI) for the `agent`, utilizing its gRPC API. It provides a convenient way for users to interact with and monitor the agent's status.\n\n## Controlplane-cli\n\nThe `controlplane-cli` serves as an administrative command-line interface (CLI) interacting with the `apiserver` through its gRPC API. 
This CLI is designed for administrative tasks and configurations.\n\n## Prometheus-agent\n\nThe `prometheus-agent` component connects to all gateways over WireGuard and configures Prometheus (deployed on the same VM) to scrape relevant metrics.\n\n- Establishing connections to gateways using WireGuard.\n- Configuring Prometheus to scrape metrics from connected gateways.\n\n## FAQ\n\n### How to install\n\nSee https://doc.nais.io/operate/naisdevice/how-to/install/\n\n## Stuff we use\n\n[Kolide](https://www.kolide.com/)\n\n[WireGuard](https://www.wireguard.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnais%2Fdevice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnais%2Fdevice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnais%2Fdevice/lists"}