
Securing n8n

Scan, fix, and verify n8n workflows in 10 minutes.

1. Install

go install github.com/inkog-io/inkog/cmd/inkog@latest

2. Export Workflows

    # Via n8n CLI
    n8n export:workflow --all --output=./workflows

    # Or via API
    curl -X GET "http://localhost:5678/api/v1/workflows" \
      -H "X-N8N-API-KEY: $N8N_API_KEY" \
      -o workflows.json

3. Scan

inkog scan ./workflows

Example output:

    workflow_123.json:1:1: CRITICAL [infinite_loop]
      Workflow cycle detected: AI Agent → Tool → AI Agent
      nodes: ["AI Agent", "HTTP Request", "AI Agent"]
      edges: creates cycle
      OWASP LLM08

    workflow_123.json:1:1: CRITICAL [hardcoded_credentials]
      API key in node configuration
      node: "OpenAI"
      field: "credentials.apiKey"
      CWE-798

    ─────────────────────────────────────────
    2 findings (2 critical)

3. Fix

Fix 1: Break workflow cycles

    // Before: Cycle
    {
      "nodes": [
        {"name": "AI Agent", "type": "n8n-nodes-base.agent"},
        {"name": "Tool", "type": "n8n-nodes-base.httpRequest"},
        {"name": "AI Agent", "type": "n8n-nodes-base.agent"}
      ],
      "connections": {
        "AI Agent": {"main": [["Tool"]]},
        "Tool": {"main": [["AI Agent"]]}  // Cycle!
      }
    }

    // After: Linear with retry limit
    {
      "nodes": [
        {"name": "AI Agent", "type": "n8n-nodes-base.agent", "parameters": {"maxIterations": 10}},
        {"name": "Tool", "type": "n8n-nodes-base.httpRequest"},
        {"name": "Output", "type": "n8n-nodes-base.set"}
      ],
      "connections": {
        "AI Agent": {"main": [["Tool"]]},
        "Tool": {"main": [["Output"]]}  // Terminal
      }
    }
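A scanner-independent way to confirm that Fix 1 took effect, as an added example (not inkog's code and not part of the original tutorial): a depth-first search over the `connections` map that returns the offending path, plus a check for agent nodes without `maxIterations`. The function names are hypothetical, the sample workflows are constructed from the Before/After shapes above, and the `{"node": ...}` target form is an assumption about full n8n exports.

```python
# Constructed samples modelled on the Before/After workflows in Fix 1.
BEFORE = {"nodes": [{"name": "AI Agent", "type": "n8n-nodes-base.agent"},
                    {"name": "Tool", "type": "n8n-nodes-base.httpRequest"}],
          "connections": {"AI Agent": {"main": [["Tool"]]},
                          "Tool": {"main": [["AI Agent"]]}}}
AFTER = {"nodes": [{"name": "AI Agent", "type": "n8n-nodes-base.agent",
                    "parameters": {"maxIterations": 10}},
                   {"name": "Tool", "type": "n8n-nodes-base.httpRequest"},
                   {"name": "Output", "type": "n8n-nodes-base.set"}],
         "connections": {"AI Agent": {"main": [["Tool"]]},
                         "Tool": {"main": [["Output"]]}}}

def successors(workflow):
    """Map each node name to the names of the nodes it feeds."""
    graph = {}
    for source, outputs in workflow.get("connections", {}).items():
        targets = graph.setdefault(source, [])
        for branches in outputs.values():      # keyed by output type, e.g. "main"
            for branch in branches or []:      # one list per output index, may be null
                for t in branch or []:
                    # Bare name (page's form) or {"node": name, ...} (assumed export form)
                    targets.append(t["node"] if isinstance(t, dict) else t)
    return graph

def find_cycle(workflow):
    """Return one cycle as a node-name path (first == last), or None."""
    graph, state = successors(workflow), {}
    def visit(node, path):
        state[node] = "visiting"               # node is on the current DFS stack
        for nxt in graph.get(node, []):
            if state.get(nxt) == "visiting":   # back edge closes a cycle
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt, path + [nxt])
                if found:
                    return found
        state[node] = "done"
        return None
    for start in graph:
        if start not in state:
            found = visit(start, [start])
            if found:
                return found
    return None

def unbounded_agents(workflow):
    """Names of agent nodes with no maxIterations parameter (page's placement)."""
    return [n["name"] for n in workflow.get("nodes", [])
            if n.get("type", "").endswith(".agent")
            and "maxIterations" not in (n.get("parameters") or {})]
```

To run it against a real export, load each file with `json.load` and pass the resulting dict to both functions.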

Fix 2: Use n8n credentials store

In n8n UI:

  1. Settings → Credentials → Add Credential
  2. Select “OpenAI API”
  3. Enter API key
  4. Reference in node: {{ $credentials.openaiApi.apiKey }}

4. Verify

inkog scan ./workflows

Expected:

    ─────────────────────────────────────────
    0 findings
    Security Gate: PASSED

5. Add to CI

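    # .github/workflows/security.yml
    name: Security
    on: [push, pull_request]

    jobs:
      scan:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4

          # Export workflows from n8n
          - name: Export workflows
            # Assumes repository secrets named N8N_URL and N8N_API_KEY
            env:
              N8N_URL: ${{ secrets.N8N_URL }}
              N8N_API_KEY: ${{ secrets.N8N_API_KEY }}
            run: |
              # --fail makes the step error on an HTTP error instead of saving the error body
              curl --fail -X GET "$N8N_URL/api/v1/workflows" \
                -H "X-N8N-API-KEY: $N8N_API_KEY" \
                -o workflows.json

          - uses: inkog-io/inkog-action@v1
            with:
              path: ./workflows.json
              fail-on: critical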

Common Fixes

| Finding | Fix |
| --- | --- |
| infinite_loop | Add maxIterations to Agent nodes |
| workflow_cycle | Remove circular connections |
| hardcoded_credentials | Use n8n credentials store |
| code_execution | Avoid Code node with user input |

n8n Agent Node Settings

Always configure these on AI Agent nodes:

    {
      "type": "n8n-nodes-base.agent",
      "parameters": {
        "maxIterations": 10,
        "timeout": 60000,
        "returnIntermediateSteps": false
      }
    }
