--- issue: 108 title: "Scanner: unauthenticated startup when SCANNER_API_KEY unset" severity: medium domain: Scanner labels: [security, scanner, configuration] status: open created: 2026-05-30 source: Full Codebase Audit 2026-05-30 --- # Scanner: unauthenticated startup when SCANNER_API_KEY unset **Severity:** medium **Domain:** Scanner **Labels:** security, scanner, configuration ## Description `scanner/config.go:111` logs a warning when `SCANNER_API_KEY` is empty but allows the server to start and accept unauthenticated requests. An operator mistake or CI misconfiguration can deploy a scanner that accepts any intent without an API key. ## Options 1. Fail fast in non-dev when `SCANNER_API_KEY` is empty. 2. Allow empty key only when bound to localhost; refuse otherwise. 3. Keep warning but add a required-in-prod env flag. ## Recommendation Refuse to start (or restrict to loopback) when no API key is set outside local dev. ## Affected Files - `scanner/config.go:111` ## References - [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-60