Scanning workflows on KNIME Hub

aymens · April 4, 2025, 12:59am

There should be an option to search a workflow for a particular value or insecure storage of secrets

aymens · April 4, 2025, 2:01am

For now, I have created a workflow which allows you to scan your hub for insecure storage of secrets whether stored as plaintext or cyphertext. SecretScanner2025 – KNIME Community Hub

LukasS · April 9, 2025, 3:09pm

Hi @aymens,

Thanks for the inspiration! Indeed, this is a project we are currently working on. As discussed here, this issue may be disected into two parts:

Find non-compliant workflows are already existing on your Hub. Your approach works great already, just keep in mind that workflows can have different versions and, strictly speaking, each version needs to be checked. You can find an example workflow that fetches all versions of all workflows here.
Find out if a newly uploaded or modified workflow is non-compliant and perform action on that. We are working on a workflow that allows you to create a trigger deployment that does these checks directly on upload of a workflow to detect this early. Let me know if you are interested in details!

I gather you have a KNIME Business Hub available—may I ask what your intended direct action is when you find a non-compliant workflow? Deleting these instances, notifying the uploader/creator/hub admin, …?

Kind regards,
Lukas

aymens · April 12, 2025, 12:16am

Good point Lukas! That was something I certainly didn’t consider. I will look into your example to learn more. I was making the assumption that they will be using the latest version only and old versions will be retained for record keeping only. In such a scenario will you advise that I ask the user to delete previous versions or fix them as well which would amount to changing history.
Certainly interested as it eliminates the need for any scanning and makes the admin job easier.

I am the Hub Admin in this instance and we have 50 licensed users. I notify the user to fix the issue. Since we transitioned from Server to Hub there are many instances where the workflow was not updated to the new way of doing things. Our goal is to nudge those people to fix their workflows since the transition is now complete.

LukasS · April 15, 2025, 11:59am

Thanks for clarifying, @aymens! Please feel free to contact me via lukas.siedentop@knime.com and I’ll share our work in progress on the trigger deployment (for other interested readers: I’ll share updates here once we have something to publish to a wider audience).