Skip to content

The 27 Grafana security checks Black Cat runs

Black Cat SSPM evaluates 27 security policies against your Grafana configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highSSO Disabled

Enable SSO authentication in Grafana to replace password-based login

mediumBasic Auth Enabled With SSO

Disable basic authentication when SSO is already configured to eliminate redundant credential vectors

lowSingle SSO Provider

Configure a secondary SSO provider to ensure authentication redundancy

mediumExcessive Admins

Reduce the number of Grafana admin users by reassigning non-administrative users to Editor or Viewer roles

mediumDormant User

Deactivate or remove Grafana users who have been inactive for more than 90 days

highAdmin Without Recent Activity

Demote or remove admin accounts that have shown no activity in the last 30 days

highService Account Admin Role

Downgrade service accounts with Admin role to Editor or Viewer to enforce least privilege

highNon-Expiring Service Account Token

Set expiration dates on all service account tokens to limit credential lifetime

mediumDisabled Service Account With Tokens

Delete all tokens from disabled service accounts to prevent credential misuse

mediumExpired Service Account Token

Remove expired tokens from service accounts to maintain credential hygiene

mediumService Account Token Age Exceeds 180 Days

Rotate service account tokens older than 180 days to reduce credential exposure risk

lowFolder Without Custom ACL

Add a custom access control list to the folder to restrict access beyond organization defaults

configuration

highDirect Access Data Source

Switch the data source access mode from Direct (browser) to Server (proxy) to prevent credential exposure

mediumData Source Basic Auth

Replace basic authentication on the data source with a token or certificate-based method

highData Source TLS Skip Verify

Enable TLS certificate verification on the data source to prevent man-in-the-middle attacks

mediumData Source With Credentials

Disable the "With Credentials" option to prevent browser cookies from being forwarded to the data source

mediumNo Alert Rules Configured

Configure Grafana alert rules to monitor critical system and security conditions

mediumExternal Contact Point

Review and validate all external alert contact points to ensure notifications reach authorised destinations

highBroad Mute Timing

Narrow alert mute timings to specific maintenance windows to prevent alerts being silenced indefinitely

highUnsigned Plugin

Remove or replace unsigned plugins with signed alternatives to ensure supply-chain integrity

lowCommunity Plugin

Review installed community plugins and prefer Grafana-signed or core alternatives where available

mediumOutdated Plugin

Update all installed Grafana plugins to their latest available versions to receive security patches

mediumPaused Alert Rules

Review and re-enable paused alert rules to ensure continuous monitoring coverage

highAlert Rules Without Contact Points

Configure at least one contact point to ensure alert notifications are delivered

sharing

mediumOverly Permissive Dashboard

Restrict dashboard permissions to specific roles or teams rather than granting broad access

highPublic Dashboard

Disable public sharing on the dashboard to require authentication for access

mediumOverly Permissive Folder

Restrict folder permissions to specific roles or teams instead of broad organization-wide access

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial