The 33 DigitalOcean security checks Black Cat runs
Black Cat SSPM evaluates 33 security policies against your DigitalOcean configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Replace weak RSA SSH keys with Ed25519 or ECDSA keys
Enable OIDC SSO for the Kubernetes cluster
availability
Add additional nodes or node pools to the DOKS cluster for high availability
Configure a health check on the load balancer to detect and remove unhealthy backends
configuration
Verify the DigitalOcean account email address
Enable automated weekly backups for the Droplet
Enable IPv6 networking on the Droplet
Attach Droplets or tags to the firewall or delete unused firewall rules
Upgrade the managed database cluster to a supported major version
Enable automated daily backups for the managed database cluster
Upgrade the DOKS cluster to a current supported Kubernetes version
Enable automatic upgrades for the DOKS cluster to receive patch releases automatically
Enable surge upgrades on the DOKS cluster to allow zero-downtime node pool upgrades
Enable automatic garbage collection for the container registry to reclaim storage
Upgrade the container registry to a higher subscription tier for additional features
Enable high availability for the Kubernetes control plane to prevent single-point-of-failure outages
Integrate the Kubernetes cluster with the DigitalOcean container registry for secure image pulls
Configure a maintenance window so database patches are applied during a predictable low-traffic period
Add standby nodes to the database cluster for high availability and failover protection
Review powered-off Droplets and either restart or delete them to reduce stale resource risk
data leakage
Convert sensitive environment variables to encrypted App Platform secrets
encryption
Enforce SSL/TLS connections to the managed database cluster
Add an HTTPS forwarding rule with a TLS certificate to the load balancer
Update load balancer forwarding rules to use HTTPS as the backend target protocol
Enforce HTTPS-only access for the App Platform application
logging
Install the DigitalOcean monitoring agent on the Droplet
network security
Move the Droplet into a custom VPC for network isolation
Create a Cloud Firewall and attach it to the unprotected Droplet
Restrict firewall inbound rules to trusted IP ranges and required ports only
Restrict SSH (port 22) inbound access to specific trusted IP addresses
Restrict firewall outbound rules to required destinations and ports only
Add trusted source IP restrictions to the database cluster firewall rules
Create a custom VPC and migrate resources away from the default VPC