Security
TigerGraph provides a comprehensive set of security features, including authentication, access control, and encryption to secure your data and communication.
Operational compliance
TigerGraph Server meets the following security compliance standards as certified by third-party audits:
Vulnerability scanning
TigerGraph leverages best-of-breed tools to periodically and proactively scan source code, application runtime, and infrastructure to identify security vulnerabilities:
- Dynamic Application Security Testing (DAST)
- Static Application Security Testing (SAST)
- Software Composition Analysis (SCA)
- Penetration Testing
- Operating System (OS) Level Vulnerability Scanning
- Network Vulnerability Scanning
PGP key
TigerGraph Server download packages are signed with our PGP key. This ensures the authenticity and integrity of the download package.
- Key ID: 413D1F12
- Fingerprint: E20D 2B61 FB38 57D4 3B8E B321 67BD 323E 413D 1F12
You can also find our key on https://pgp.mit.edu.
UDF file scanning
Not available in TigerGraph 3.6 LTS. Available in TigerGraph 3.9+.
TigerGraph users can upload user-defined function (UDF) files to the server and run them as part of a query or loading job. In order to prevent security issues with code execution, TigerGraph Server disables this ability by default and requires it to be enabled manually by an administrator.
In addition, the UDF files are scanned to make sure they comply with the file policy. The scanning process, by default, consists of three parts.
The file scanning policy is controlled by a gadmin parameter, GSQL.UDF.Policy.Enable, which defaults to true. For more information, see the Configuration Parameters page.
Disabled macros with replacement
Macros with replacement are not allowed, for example #define TABLE_SIZE 100.
However, macros without replacement can still be used, such as #define EXPRFUNCTIONS_HPP.
File header allowlist
Only the headers present in the allowlist can be included in UDF files. UDF files with different headers will not be accepted. The list is case-sensitive.
[
"stdlib.h", "string", "tuple",
"vector", "list", "deque", "arrays", "forward_list",
"queue", "priority_queue", "stack",
"set", "multiset", "map", "multimap",
"unordered_set", "unordered_multiset", "unordered_map", "unordered_multimap",
"iterator",
"sstream",
"algorithm", "math.h"
]
This is customizable with the gadmin command GSQL.UDF.Policy.HeaderAllowlist. ExprUtil.hpp and tg_ExprUtil.hpp are always allowed, and do not need to be declared in the allowlist.
Blocklist
TigerGraph also has a non-modifiable blocklist that prevents certain C++ features from being used. For security reasons, this list is not publicly available. Contact support@tigergraph.com for more details about the blocklist policy.
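A pre-upload check for the two documented rules (macros with replacement and the header allowlist), written as an added example: it is not TigerGraph's scanner and only approximates it. The function names, the regular expressions, the equal treatment of `<...>` and `"..."` includes, and the sample file are assumptions; the blocklist is not public, so it is not checked.

```python
import re

# Default allowlist as printed on this page, plus the two always-allowed headers.
ALLOWLIST = {
    "stdlib.h", "string", "tuple", "vector", "list", "deque", "arrays",
    "forward_list", "queue", "priority_queue", "stack", "set", "multiset",
    "map", "multimap", "unordered_set", "unordered_multiset", "unordered_map",
    "unordered_multimap", "iterator", "sstream", "algorithm", "math.h",
    "ExprUtil.hpp", "tg_ExprUtil.hpp",
}
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')
DEFINE_RE = re.compile(r'^\s*#\s*define\s+\w+(\([^)]*\))?(.*)$')  # group 2 = body

def strip_comments(src):
    """Blank out comments, keeping newlines so line numbers stay correct."""
    src = re.sub(r'/\*.*?\*/', lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def logical_lines(src):
    """Return (line_no, text) pairs with backslash continuations folded upward."""
    lines = src.splitlines()
    for i in range(len(lines) - 1, 0, -1):
        if lines[i - 1].endswith("\\"):
            lines[i - 1] = lines[i - 1][:-1] + " " + lines[i]
            lines[i] = ""
    return list(enumerate(lines, 1))

def check_udf(src, allowlist=ALLOWLIST):
    """Return (line_no, rule, detail) for each likely policy violation."""
    findings = []
    for no, line in logical_lines(strip_comments(src)):
        inc, mac = INCLUDE_RE.match(line), DEFINE_RE.match(line)
        if inc and inc.group(1) not in allowlist:  # exact, case-sensitive match
            findings.append((no, "header-not-allowlisted", inc.group(1)))
        if mac and mac.group(2).strip():  # anything after the name is a replacement
            findings.append((no, "macro-with-replacement", line.strip()))
    return findings

# Constructed sample UDF file, not taken from TigerGraph.
SAMPLE_UDF = '''\
#define EXPRFUNCTIONS_HPP
#include <string>
#include <String>
#include "ExprUtil.hpp"
// #include <fstream>
#define TABLE_SIZE 100
#define WRAPPED \\
    42
'''
```

Calling `check_udf(SAMPLE_UDF)` flags the miscased `String` header and both macros that carry a replacement, including the one whose body is hidden behind a line continuation. The include guard and the commented-out include pass.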