Maintained and updated by Chris Bunting
Enterprise-hardened fork of MinIO object storage with security hardening, expanded S3 API compatibility, and a roadmap toward full enterprise feature parity.
Full upstream documentation: See README-MINIO.md for original MinIO deployment, configuration, and usage guides.
This repository maintains the complete MinIO codebase with the following objectives:
- Security-first hardening — Removing baked-in defaults, enforcing crypto best practices, and eliminating information leakage in binaries
- AWS S3 API gap closure — Implementing S3 APIs that were stubbed or rejected upstream (CORS, Bucket Logging, Object Ownership, etc.)
- Enterprise feature development — Building toward feature parity with AWS S3, Ceph RGW, and other enterprise storage platforms
- Container lifecycle excellence — HEALTHCHECK, proper signal forwarding, multi-arch builds with SBOM attestation
- CI/CD modernization — CodeQL scanning, Dependabot, reproducible builds with pinned base image digests
| Change | Details |
|---|---|
| Credential removal | Dockerfile.source no longer bakes in minioadmin:minioadmin; MINIO_ROOT_USER/MINIO_ROOT_PASSWORD must be supplied at runtime |
| Binary permissions | Replaced chmod -R 777 /usr/bin with targeted chmod 755 across all Dockerfiles |
| Container health checks | HEALTHCHECK added to all images for orchestrator liveness/readiness signals |
| Signal forwarding | docker-entrypoint.sh uses exec in chroot paths and traps SIGTERM/SIGINT for graceful shutdown |
| PBKDF salt separation | Console encryption uses distinct prefixes for salt and passphrase to prevent reuse weakness |
| JWT algorithm whitelist | Explicit HS256/HS384/HS512 enforcement via AllowedAlgorithms to prevent algorithm confusion attacks |
| Decompression bomb protection | S3 Select enforces 1 GiB maximum decompressed data per request (CVE-2026-39414) |
| Build path sanitization | GOPATH/GOROOT no longer embedded in binary ldflags |
| Change | Details |
|---|---|
| Go toolchain upgraded | go1.24.8 → go1.25.9, all 10 CI workflows updated from Go 1.24.x to 1.25.x |
| Multi-arch Docker | docker buildx build --platform linux/amd64,linux/arm64 with provenance attestation and SBOM generation |
| Docker PR verification | New workflow builds and health-checks Docker image on every PR before merge |
| CodeQL analysis | Automated security scanning on every push and PR |
| Dependabot | Weekly automated updates for Go modules, Docker base images, and GitHub Actions |
| Base image pinning | Alpine 3.21, UBI images pinned to specific digests for reproducible builds |
| Expanded .dockerignore | Excludes docs, helm, buildscripts, IDE configs to reduce build context |
| Deprecated actions replaced | actions/create-release replaced with gh release create |
| Concurrency cancellation | Prevents conflicting workflow runs on rapid pushes |
- Makefile sanitized: removed MinIO-internal hotfix infrastructure (SCP, minisign, apt); default registry changed to
ghcr.io/cbuntingde - Layer caching enabled: removed
--no-cachefrom Docker build targets - Additional linters enabled:
gosec,bodyclose,noctxfor security and correctness
- Governance: Automated
govulncheckanalysis on every push and PR using thevulncheck.ymlworkflow, ensuring no dependency with a known CVE reaches production - Go toolchain: Upgraded from
go1.24.8togo1.25.9, patching 8 standard library CVEs (crypto/x509,crypto/tls,archive/tar,html/template,os,net/url,internal/syscall/unix) - Module updates:
golang.org/x/cryptov0.37.0 → v0.46.0 — Go SSH unbounded memory allocation (GO-2025-4134)golang.org/x/netv0.39.0 → v0.48.0 — Infinite parsing loop (GO-2026-4441/4440)github.com/eclipse/paho.mqtt.golangv1.5.0 → v1.5.1 — String encoding overflow (GO-2025-4173)go.opentelemetry.io/otel/sdkv1.35.0 → v1.40.0 — Arbitrary code execution (GO-2026-4394)google.golang.org/grpcv1.72.0 → v1.79.3 — Authorization bypass (GO-2026-4762)github.com/buger/jsonparserv1.1.1 → v1.1.2 — Denial of service (GO-2026-4514)filippo.io/edwards25519v1.1.0 → v1.1.1 — Invalid result / undefined behavior (GO-2026-4503)
apiVersionupdated to v2 (Helm 3+)- HorizontalPodAutoscaler template with configurable CPU/memory scaling
- KMS environment variables documented in values
- Default image points to
ghcr.io/cbuntingde/minio
Grid-based storage RPC handlers accept context.Context where the framework supports it; SingleHandler-based handlers retain context.Background() pending upstream grid framework changes.
The ?cors endpoints were previously stubs returning ErrNotImplemented or ErrNoSuchCORSConfiguration. They are now fully functional:
- PUT
/?cors— Store per-bucket CORS configuration with full validation (required origins/methods, allowed methods whitelist, non-negative MaxAgeSeconds) - GET
/?cors— Return stored CORS configuration XML - DELETE
/?cors— Remove bucket CORS configuration - CORS configuration is persisted in the bucket metadata system, replicated across distributed nodes, and importable/exportable via the admin API
Files changed:
internal/bucket/cors/cors.go— CORS XML types, parsing, validation, wildcard origin matchinginternal/bucket/cors/cors_test.go— 36 unit tests covering parsing, validation, origin matching, round-trip serialization, nil safetycmd/bucket-cors-handlers.go— HTTP handlers (PUT/GET/DELETE)cmd/bucket-metadata.go—CORSConfigXML,CORSConfigUpdatedAtfields withparseAllConfigsintegrationcmd/bucket-metadata-sys.go—updateAndParsecase,GetCORSConfigmethodcmd/bucket-metadata_gen.go— Auto-generated msgp marshalingcmd/api-router.go— Route registration, removal fromrejectedBucketAPIscmd/dummy-handlers.go— Removal of stub CORS handlerscmd/object-api-errors.go—BucketCORSConfigNotFounderror typecmd/api-errors.go—toAPIErrormappingcmd/admin-bucket-handlers.go— Export/import support
SQL-queryable object metadata search via GET /{bucket}?metadata-query&q=<SQL>:
- Index: Lazily built on first query per bucket via
ListObjectsscan; cached in memory with 5-minute TTL and double-checked locking for concurrent safety - SQL subset:
SELECT <fields> FROM <bucket> WHERE <conditions> [ORDER BY <field> [ASC|DESC]] [LIMIT <n>] - Supported operators:
=,!=,<,>,<=,>=,LIKE(%/_wildcards),CONTAINS,AND,OR,NOT, parentheses - Queryable fields: System fields (
name,size,last_modified,etag,content_type) and all user-defined metadata (x-amz-meta-*,x-minio-meta-*) - Response: XML with matching objects and their metadata entries
- Authorization: Requires
ListBucketpermission on the target bucket
Files changed:
cmd/metadata-search.go— Core engine: per-bucket index, SQL tokenizer, recursive descent parser, query executor, LIKE matchercmd/bucket-metadata-search-handlers.go— HTTP handler with auth, bucket validation, parse-then-execute flowcmd/metadata-search_test.go— 50 tests covering parser, execution, LIKE patterns, sorting, XML format, concurrency, invalidatecmd/api-router.go— Route registration for?metadata-querycmd/globals.go—globalMetadataSearchEnginevariable
Full S3 Object Lambda implementation for on-the-fly data transformation on GET, PUT, and HEAD requests:
- Admin API — Create, read, list, and delete Object Lambda Access Points via the admin API (
PUT/DELETE/GET/GET{name}on/minio/admin/v3/object-lambda-ap/{name}) - Transformation framework —
LambdaTransformationtype dispatches GET, PUT, and HEAD operations to registered handlers with request/response transformation support - Lambda invocation —
LambdaTargetperforms SigV4 signed HTTP POST directly to Lambda Function URLs; no SDK dependency - Content classes —
GetObjectClass(transform on GET),WriteObjectClass(transform on PUT),SelectObjectContentClass(stub),ListBucketsClass(stub) - Multi-handler routing — Request routing via
x-amz-request-routeandx-amz-request-tokenheaders (AWS S3 Object Lambda protocol)
Files changed:
cmd/object-lambda-sys.go—ObjectLambdaSysmanagement layer:AddAccessPoint,RemoveAccessPoint,GetConfig,GetAll,Delete;LambdaArgswithFunctionURL,TransformationConfiguration;logOnceIfadapter bridginglogger.LogOnceIftologger.LogOncecmd/object-lambda-access-points.go— Admin API handlers:PutObjectLambdaAccessPoint,RemoveObjectLambdaAccessPoint,ListObjectLambdaAccessPoints,GetObjectLambdaAccessPoint; all usevalidateAdminReqand return proper*APIErrorcmd/object-lambda-handlers.go— Extended:PutObjectLambdaHandler,HeadObjectLambdaHandler,GetObjectLambdaHandler(existing) — all dispatch to registered access point transformationscmd/api-router.go— Registered GET/PUT/HEAD routes for?lambdaArnquery paramcmd/admin-router.go— Registered 4 admin routes for object-lambda-apcmd/api-errors.go— AddedErrNoSuchObjectLambdaAccessPointcmd/globals.go— AddedglobalObjectLambdaSysinternal/config/lambda/event/objectlambda.go—ObjectLambdaAccessPoint,ObjectLambdaConfig,TransformationConfiguration,ContentTransformationstructs;GetObjectClass,WriteObjectClass,SelectObjectContentClass,ListBucketsClassconstantsinternal/config/lambda/target/lambda.go—LambdaTargetfor direct HTTP SigV4 Lambda Function URL invocation with configurable timeoutinternal/config/lambda/event/event.go— AddedPutObjectContext,WriteObjectClassconstants
An enterprise feature gap analysis was conducted comparing MinIO against AWS S3, Ceph RGW, SeaweedFS, Scality, Cloudian, Pure FlashBlade, Dell ObjectScale, and others. The full analysis is documented in enterprise-plan.md (gitignored). Planned phases:
| Phase | Features | Objective |
|---|---|---|
| 1 | ✅ CORS, Bucket Logging, Object Ownership, MFA | Close AWS S3 compatibility gaps |
| 2 | ✅ Metadata Search, S3 Access Points, Rate Limiting/QoS | Multi-tenant enterprise readiness |
| 3 | ✅ S3 Select, S3 Inventory, Cold Storage Tier | Feature parity with enterprise offerings |
| 4 | ✅ S3 Object Lambda, S3 Batch Operations | Data processing on storage |
| 5 | Multi-Region Access Points, POSIX/NFS Gateway, S3 Tables | Enterprise differentiation |
This repository follows the standard MinIO architecture with the following key structural notes for developers:
| Area | Path | Description |
|---|---|---|
| Entrypoint | main.go → cmd/main.go |
Imports internal/init first, delegates to cmd.Main() |
| S3 API Router | cmd/api-router.go |
All S3-compatible API route registration; stub/rejected APIs in dummy-handlers.go and rejectedBucketAPIs |
| Admin Router | cmd/admin-router.go |
Admin API routes |
| Object Layer | cmd/erasure-server-pool.go |
Erasure-coded, multi-pool object storage implementation |
| Bucket Metadata | cmd/bucket-metadata.go |
Combined .metadata.bin (MsgPack) storing all per-bucket configs |
| Configuration Storage | cmd/bucket-metadata-sys.go |
In-memory cache + persistence via updateAndParse / Delete |
| IAM & Identity | cmd/iam.go, internal/config/identity/ |
Built-in IAM, LDAP, OIDC, TLS cert, plugin identity providers |
| Replication | cmd/bucket-replication.go, cmd/site-replication.go |
Bucket and multi-site active-active replication |
| Cold Storage/Tiering | cmd/tier.go, cmd/warm-backend-*.go |
Tiering to Azure, GCS, S3-compatible backends |
| Peer Communication | internal/grid/ |
Grid-based peer RPC for distributed mode |
| Notifications | internal/event/target/ |
AMQP, Kafka, MQTT, MySQL, NATS, NSQ, PostgreSQL, Redis, Webhook |
The full upstream deployment documentation (Docker, Kubernetes, Helm, monitoring, troubleshooting, tuning) is available in README-MINIO.md.
# Build binary
go build -tags kqueue -trimpath --ldflags "$(go run buildscripts/gen-ldflags.go)" -o minio .
# Run (single node)
minio server /data
# Run (distributed, 4 nodes)
minio server http://minio{1...4}/data{1...4}
# Code generation (msgp + stringer)
go generate ./...
# Run all linters
make lint
# Run unit tests
make test
# Run race detector
make test-raceRequired environment variables: MINIO_ROOT_USER, MINIO_ROOT_PASSWORD
See AGENTS.md for the full developer reference including testing targets, build system details, and architecture guidance.
- Source Code: GNU AGPL v3
- Documentation: CC BY 4.0
This project is based on the original MinIO repository (archived February 2026).