Skip to content

The 33 DigitalOcean security checks Black Cat runs

Black Cat SSPM evaluates 33 security policies against your DigitalOcean configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highWeak SSH Key

Replace weak RSA SSH keys with Ed25519 or ECDSA keys

mediumKubernetes SSO Not Enabled

Enable OIDC SSO for the Kubernetes cluster

availability

mediumSingle Node Cluster

Add additional nodes or node pools to the DOKS cluster for high availability

mediumNo Health Check

Configure a health check on the load balancer to detect and remove unhealthy backends

configuration

mediumEmail Not Verified

Verify the DigitalOcean account email address

mediumBackups Disabled

Enable automated weekly backups for the Droplet

lowIPv6 Disabled

Enable IPv6 networking on the Droplet

lowNo Droplets Attached

Attach Droplets or tags to the firewall or delete unused firewall rules

mediumOutdated Version

Upgrade the managed database cluster to a supported major version

mediumNo Backups

Enable automated daily backups for the managed database cluster

mediumOutdated Kubernetes Version

Upgrade the DOKS cluster to a current supported Kubernetes version

mediumAuto Upgrade Disabled

Enable automatic upgrades for the DOKS cluster to receive patch releases automatically

lowSurge Upgrade Disabled

Enable surge upgrades on the DOKS cluster to allow zero-downtime node pool upgrades

lowNo Garbage Collection

Enable automatic garbage collection for the container registry to reclaim storage

infoBasic Tier

Upgrade the container registry to a higher subscription tier for additional features

highKubernetes HA Disabled

Enable high availability for the Kubernetes control plane to prevent single-point-of-failure outages

mediumKubernetes No Registry Integration

Integrate the Kubernetes cluster with the DigitalOcean container registry for secure image pulls

mediumDatabase No Maintenance Window

Configure a maintenance window so database patches are applied during a predictable low-traffic period

highDatabase Single Node

Add standby nodes to the database cluster for high availability and failover protection

lowDroplet Powered Off

Review powered-off Droplets and either restart or delete them to reduce stale resource risk

data leakage

highPlain Text Env Var

Convert sensitive environment variables to encrypted App Platform secrets

encryption

highSSL Not Enforced

Enforce SSL/TLS connections to the managed database cluster

highNo SSL Termination

Add an HTTPS forwarding rule with a TLS certificate to the load balancer

mediumInsecure Backend

Update load balancer forwarding rules to use HTTPS as the backend target protocol

mediumHTTP Allowed

Enforce HTTPS-only access for the App Platform application

logging

lowMonitoring Disabled

Install the DigitalOcean monitoring agent on the Droplet

network security

highNo VPC

Move the Droplet into a custom VPC for network isolation

criticalNo Firewall

Create a Cloud Firewall and attach it to the unprotected Droplet

highAllows All Inbound

Restrict firewall inbound rules to trusted IP ranges and required ports only

criticalSSH Open To All

Restrict SSH (port 22) inbound access to specific trusted IP addresses

mediumAllows All Outbound

Restrict firewall outbound rules to required destinations and ports only

criticalPublicly Accessible

Add trusted source IP restrictions to the database cluster firewall rules

lowDefault VPC Used

Create a custom VPC and migrate resources away from the default VPC

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial