From 561b52b5ba0f2c0353954367af0c9dc6360f1c78 Mon Sep 17 00:00:00 2001
From: "Remi GASCOU (Podalirius)" <79218792+p0dalirius@users.noreply.github.com>
Date: Thu, 21 May 2026 10:22:45 +0200
Subject: [PATCH] Fix world-readable output file permissions exposing private key material (#3)

Tighten the output file mode from 0644 to 0600 so the exported JSON, which contains sensitive key credential material (RSA private exponents, ECC private scalars, key hashes, etc.), is not readable by other local users on the host running the collector.
---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.go b/main.go
index e79cfdc..fabc21d 100755
--- a/main.go
+++ b/main.go
@@ -129,7 +129,7 @@ func main() {
 logger.Warn(fmt.Sprintf("Error exporting graph to file: %s", err))
 return
 }
- err = os.WriteFile(outputFile, []byte(jsonData), 0644)
+ err = os.WriteFile(outputFile, []byte(jsonData), 0600)
 if err != nil {
 logger.Warn(fmt.Sprintf("Error exporting graph to file: %s", err))
 return
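Review bot: `os.WriteFile` applies its permission argument only when it creates the file, so at the changed line an `outputFile` left over from an earlier run (written with 0644) is truncated and rewritten while staying world-readable. Opening the file with `os.OpenFile` and calling `f.Chmod(0600)` before the write enforces the mode on existing files too; a `Chmod` after the write would leave a short window in which the new key material is readable. On Windows, Go's `Chmod` only toggles the read-only bit, so restricting access there would need separate ACL handling. `main` starts and ends outside this hunk, so the declarations of `err` and `jsonData` are assumed from the visible lines.

```go
	// … unchanged: graph export to jsonData and its error check …
	f, err := os.OpenFile(outputFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		logger.Warn(fmt.Sprintf("Error opening output file: %s", err))
		return
	}
	defer f.Close()
	// The mode given to OpenFile is ignored when the file already exists,
	// so tighten it explicitly before any key material is written.
	if err = f.Chmod(0600); err != nil {
		logger.Warn(fmt.Sprintf("Error restricting output file permissions: %s", err))
		return
	}
	_, err = f.Write([]byte(jsonData))
	// … unchanged: error check on the write …
```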