| Version | Supported |
|---|---|
| 1.5.x | ✅ |
| 1.4.x | ✅ |
| 1.3.x | ✅ |
| 1.2.x | ❌ |
| < 1.2 | ❌ |
If you discover a security vulnerability in Kubernaut, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email jgil@redhat.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fix (optional)
- Acknowledgment within 48 hours of your report
- Assessment within 5 business days
- Fix timeline communicated after assessment, typically within 30 days for critical issues
- Credit in the release notes (unless you prefer to remain anonymous)
Kubernaut operates with elevated Kubernetes RBAC permissions to perform remediation actions. When deploying:
- Follow the principle of least privilege for service accounts
- Use approval gates (
requiresApproval: true) for destructive remediation workflows - Review workflow schemas before registering them in the catalog
- Restrict access to the DataStorage and HAPI APIs
- Rotate LLM provider credentials regularly
All container images built by Kubernaut's CI and Release pipelines are signed keylessly with Cosign using GitHub Actions OIDC as the signing identity (no long-lived private keys). SBOMs (CycloneDX format) are generated for every image and, for Release images, cryptographically bound to the image digest via Cosign attestation.
| Pipeline | Workflow | Registry | Lifecycle |
|---|---|---|---|
| CI | .github/workflows/ci-pipeline.yml |
ghcr.io/jordigilh/kubernaut/* |
Ephemeral (14-day retention), used by integration/E2E tests |
| Release | .github/workflows/release.yml |
quay.io/kubernaut-ai/* |
Production, tagged v* releases |
Verify a CI image (signed on every push/PR build):
cosign verify \
--certificate-identity-regexp "^https://github.com/jordigilh/kubernaut/\.github/workflows/ci-pipeline\.yml@.*$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/jordigilh/kubernaut/<service>:<tag>Verify a Release image (signed on v* tag push):
cosign verify \
--certificate-identity-regexp "^https://github.com/jordigilh/kubernaut/\.github/workflows/release\.yml@.*$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
quay.io/kubernaut-ai/<service>:<version>Release images carry their CycloneDX SBOM as a Cosign attestation, bound to the image digest:
cosign verify-attestation \
--type cyclonedx \
--certificate-identity-regexp "^https://github.com/jordigilh/kubernaut/\.github/workflows/release\.yml@.*$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
quay.io/kubernaut-ai/<service>:<version>Release images also carry SLSA v1.0 build provenance:
cosign verify-attestation \
--type slsaprovenance \
--certificate-identity-regexp "^https://github.com/jordigilh/kubernaut/\.github/workflows/release\.yml@.*$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
quay.io/kubernaut-ai/<service>:<version>Every push and pull request is automatically scanned by:
| Tool | Workflow | What it catches |
|---|---|---|
| CodeQL | .github/workflows/codeql.yml |
Static analysis (SAST) for common vulnerability classes (injection, path traversal, etc.) |
| govulncheck | scripts/ci/govulncheck-gated.sh |
Known vulnerabilities (OSV) in Go dependencies, gated on actual call-graph reachability |
| gitleaks | .github/workflows/gitleaks.yml |
Hardcoded secrets/credentials, scanning full git history on every push, PR, and weekly schedule |
| OpenSSF Scorecard | .github/workflows/scorecard.yml |
Supply-chain security posture (pinning, permissions, branch protection, etc.) |
Known-benign matches (e.g., fake credentials in the sanitization/redaction test suites, which necessarily contain secret-shaped strings as test input) are tracked in .gitleaks.toml, which documents the full triage rationale inline.
We follow coordinated disclosure. We ask that you give us reasonable time to address the vulnerability before public disclosure.