Early access: Elevarq Analyzer is not yet generally available; this manual documents the current build.

Explanation

Data-boundary & safety model

Workbench is the commercial control surface you install in your own environment, so its safety story matters before you point it at anything. The design goal is a narrow, firm boundary: minimal attack surface, nothing read from your data that doesn't need to be, no calls home, and every secret encrypted at rest.

Workbench does not read your data

Reading your databases is Signals' job, with a read-only least-privilege role, and it gathers only the statistics PostgreSQL already exposes — never your table contents. Workbench itself is not a data client: it ingests findings and holds its own state. Its only direct contact with a target is an operator-initiated connection test that checks reachability — not a data read. Nothing in the pipeline writes back to your databases.

No outbound calls by default

By default Workbench makes no outbound network calls. The narrow exceptions are all local or inbound:

  • License activation and refresh verify the artefact locally against an embedded key ring — they do not phone home to Elevarq.
  • Analyzer imports are inbound — Workbench never initiates a call to the Analyzer.

If you enforce egress restrictions, the only outbound allowance Workbench needs is HTTPS to ghcr.io to pull the image. It runs air-gapped otherwise — which is why the offline activation flow exists.

Secrets at rest

Every stored database password and integration credential is encrypted at rest. The root of that encryption is the operator-supplied master key: a key derived from it with HKDF unwraps the workspace seed. The master key is read from the environment only and is never written into the database it protects.

Because the master key is the root of trust, an intact data volume with the wrong or missing key is unrecoverable. Back the master key up outside the data volume; see Configuration and the upgrade guide.

Auditable, verifiable, minimal

  • Audit log — every operator-mutating action emits a structured event (operator id, object id, a closed event name) — never passwords, license bytes, or tokens.
  • Verifiable artefacts — the image is Cosign-signed and the license is signature-verified at activation against an embedded key ring. Optional signed analyzer-import envelopes give a non-repudiation chain for "who produced this data".
  • Minimal container — distroless, non-root (UID 65532), read-only root filesystem, all Linux capabilities dropped, no long-lived keys baked in.

Where your responsibility begins

Workbench's posture is narrow but firm; the rest is the operator's. Workbench listens on plain HTTP, so you terminate TLS at a reverse proxy in front of it. Host-OS hardening, the Docker daemon, the network perimeter, and securing the PostgreSQL targets themselves are all yours to own.

Run Workbench

docker pull ghcr.io/elevarq/workbench:v0.1.0

Pin a digest in production — verify the image.
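
One way to check that a running container still matches the posture described above (UID 65532, read-only root filesystem, all capabilities dropped, image pinned by digest). This is an added example, not Elevarq's own code: the function names, container names and sample JSON are constructed for illustration, `<digest>` is a placeholder, and the field names are the ones `docker inspect` emits.

```python
import json

EXPECTED_UID = "65532"  # non-root UID stated on this page

def posture_findings(container: dict) -> list[str]:
    """Return deviations from the documented posture for one `docker inspect` entry."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []

    # Config.User is "uid", "uid:gid" or a name; empty means the container runs as root.
    uid = (cfg.get("User") or "").split(":")[0]
    if uid != EXPECTED_UID:
        findings.append(f"user is {uid or 'unset'!r}, expected UID {EXPECTED_UID}")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    # CapDrop/CapAdd are null when the flags were never passed.
    dropped = {c.upper() for c in host.get("CapDrop") or []}
    if "ALL" not in dropped:
        findings.append("capabilities are not all dropped")
    if host.get("CapAdd"):
        findings.append(f"capabilities added back: {sorted(host['CapAdd'])}")
    if host.get("Privileged"):
        findings.append("container is privileged")
    # Config.Image holds the reference the container was started with.
    if "@sha256:" not in (cfg.get("Image") or ""):
        findings.append("image is referenced by tag, not pinned to a digest")
    return findings

# Constructed sample shaped like `docker inspect` output (not captured from a real host).
SAMPLE = json.loads("""
[
  {"Name": "/workbench-hardened",
   "Config": {"User": "65532:65532", "Image": "ghcr.io/elevarq/workbench@sha256:<digest>"},
   "HostConfig": {"ReadonlyRootfs": true, "CapDrop": ["ALL"], "CapAdd": null, "Privileged": false}},
  {"Name": "/workbench-default",
   "Config": {"User": "0", "Image": "ghcr.io/elevarq/workbench:v0.1.0"},
   "HostConfig": {"ReadonlyRootfs": false, "CapDrop": null, "CapAdd": ["NET_ADMIN"], "Privileged": false}}
]
""")

def audit(containers: list) -> dict:
    """Map each container name to its list of findings (empty list means compliant)."""
    return {c["Name"]: posture_findings(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

On a real host, feed it the parsed output of `docker inspect` for the Workbench container in place of `SAMPLE`.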