Graphviz parses DOT text and renders it to images. In automated pipelines, the primary risks are untrusted .dot input and unpatched parser vulnerabilities.
¶ Execution Isolation
- Run Graphviz in isolated build containers.
- Avoid rendering untrusted DOT files on shared admin hosts.
- Set CPU and memory limits for rendering jobs.
¶ Dependency Maintenance
- Keep Graphviz packages up to date.
- Track security advisories for parser-related vulnerabilities.
- Rebuild CI images regularly.
¶ File and Output Controls
- Restrict input/output directories.
- Prevent writing to sensitive host paths.
- Validate output artifact destinations and permissions.
¶ Logging and Alerting
- Log renderer failures and crashes.
- Alert on repeated malformed-input failures.
- Keep rendering logs for incident analysis.
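The controls from the isolation, output and logging sections above, combined into one CI wrapper around `dot`. This is an added example, not code from the original page or from the Graphviz project; the directory roots, limit values, log path and the SVG output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): hardened wrapper around `dot`.
# Assumed values: input/output roots, CPU/memory/wall-clock limits, log path.
IN_ROOT="${RENDER_IN_ROOT:-/srv/render/in}"      # assumed allowed input root
OUT_ROOT="${RENDER_OUT_ROOT:-/srv/render/out}"   # assumed allowed output root
LOG="${RENDER_LOG:-/var/log/render.log}"         # assumed log destination
CPU_SECONDS=20    # ulimit -t: CPU time before the kernel kills the renderer
MEM_KB=524288     # ulimit -v: 512 MiB address space
WALL_SECONDS=30   # timeout(1): wall-clock bound, catches hangs that burn no CPU

# within_root ROOT PATH: succeed only if PATH lies under ROOT, has no ".."
# component and is not a symlink (so output cannot land on a host path).
within_root() {
  root=$1; p=$2
  case $p in
    "$root"/*) ;;
    *) return 1 ;;
  esac
  case "/$p/" in
    */../*) return 1 ;;
  esac
  [ -L "$p" ] && return 1
  return 0
}

# classify_rc RC: map the renderer's exit status to a log category.
classify_rc() {
  if [ "$1" -eq 0 ]; then echo ok
  elif [ "$1" -eq 124 ]; then echo timeout         # timeout(1) expired
  elif [ "$1" -ge 128 ]; then echo crash           # killed by a signal (segfault, abort, CPU limit)
  else echo malformed-input                        # dot rejected or failed on the input
  fi
}

# malformed_count LOGFILE: number of malformed-input results, for alert thresholds.
malformed_count() { grep -c ' malformed-input ' "$1" || true; }

# render_dot IN OUT: validate paths, render under limits, log the outcome.
render_dot() {
  in=$1; out=$2
  within_root "$IN_ROOT" "$in" && within_root "$OUT_ROOT" "$out" || {
    printf '%s refused in=%s out=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$in" "$out" >> "$LOG"
    return 2
  }
  # Limits set in the subshell apply to dot; stderr (parse errors) goes to the log.
  ( ulimit -t "$CPU_SECONDS" && ulimit -v "$MEM_KB" &&
    timeout "$WALL_SECONDS" dot -Tsvg -o "$out" "$in" ) 2>>"$LOG"
  rc=$?
  printf '%s %s rc=%s in=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(classify_rc "$rc")" "$rc" "$in" >> "$LOG"
  return "$rc"
}

# Usage: render.sh INPUT.dot OUTPUT.svg
if [ "$#" -eq 2 ]; then render_dot "$1" "$2"; fi
```

Alerting on repeated failures is then a matter of running `malformed_count` against the log on a schedule and comparing it with a threshold.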