The 27 Grafana security checks Black Cat runs
Black Cat SSPM evaluates 27 security policies against your Grafana configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Enable SSO authentication in Grafana to replace password-based login
Disable basic authentication when SSO is already configured to eliminate redundant credential vectors
Configure a secondary SSO provider to ensure authentication redundancy
Reduce the number of Grafana admin users by reassigning non-administrative users to Editor or Viewer roles
Deactivate or remove Grafana users who have been inactive for more than 90 days
Demote or remove admin accounts that have shown no activity in the last 30 days
Downgrade service accounts with Admin role to Editor or Viewer to enforce least privilege
Set expiration dates on all service account tokens to limit credential lifetime
Delete all tokens from disabled service accounts to prevent credential misuse
Remove expired tokens from service accounts to maintain credential hygiene
Rotate service account tokens older than 180 days to reduce credential exposure risk
Add a custom access control list to the folder to restrict access beyond organization defaults
configuration
Switch the data source access mode from Direct (browser) to Server (proxy) to prevent credential exposure
Replace basic authentication on the data source with a token or certificate-based method
Enable TLS certificate verification on the data source to prevent man-in-the-middle attacks
Disable the "With Credentials" option to prevent browser cookies from being forwarded to the data source
Configure Grafana alert rules to monitor critical system and security conditions
Review and validate all external alert contact points to ensure notifications reach authorised destinations
Narrow alert mute timings to specific maintenance windows to prevent alerts being silenced indefinitely
Remove or replace unsigned plugins with signed alternatives to ensure supply-chain integrity
Review installed community plugins and prefer Grafana-signed or core alternatives where available
Update all installed Grafana plugins to their latest available versions to receive security patches
Review and re-enable paused alert rules to ensure continuous monitoring coverage
Configure at least one contact point to ensure alert notifications are delivered
sharing
Restrict dashboard permissions to specific roles or teams rather than granting broad access
Disable public sharing on the dashboard to require authentication for access
Restrict folder permissions to specific roles or teams instead of broad organization-wide access