Open source & cloud-agnostic data activation tools.
This repository is a catch all repository for security related documentation, disclosures, advisories, and other security related content not covered by our other existing repositories. If you have an issue specific to one of our other repositories, please report it there.
You can find more information about DataKit and our security practices at https://withdatakit.com/security.
We take security issues seriously. If you discover a vulnerability in DataKit, please follow these steps:
- Do not publicly disclose security vulnerabilities.
- Report the issue privately to our security team, preferably using GitHub Advisories or by secure email.
Email: security@withdatakit.com
GPG Key: datakit-security.pub.asc
For more details visit https://withdatakit.com/security/researchers#responsible-disclosure
When reporting a vulnerability, please provide:
- A detailed description of the issue.
- Steps to reproduce (if possible).
- The affected version(s).
- Any potential mitigation or patch ideas.
We will acknowledge your report within 48 hours and keep you updated on the progress.
To securely use DataKit, follow these best practices:
Only download DataKit artifacts from official sources like dtkt.dev or from our GitHub Releases.
DataKit artifacts are signed using Cosign. Before using a downloaded artifact, verify its integrity:
```shell
cosign verify-blob \
  --key https://dtkt.dev/.well-known/cosign.pub \
  --signature artifact.sig \
  artifact
```
Regularly scan artifacts for vulnerabilities.
For example:
```shell
grype artifact
# or (more efficiently, with our pre-generated SBOM)
grype sbom:artifact.sbom.spdx.json
```
Since we currently only support the latest stable release, always update artifacts to the latest version.
We use the following tools to ensure the security of our OSS code repositories, artifacts, and deployments. Some are language dependent, while others are general security tools.
- GitHub Secret Scanning – Detects and prevents secrets from being committed to repositories.
- Go Report Card – Generates a report on the quality of a Go project.
- golangci-lint – A fast linters runner for Go, catching security and quality issues early.
- GitHub CodeQL – Analyzes source code for security vulnerabilities.
- Go Fuzzing – Helps find security vulnerabilities and bugs by fuzz testing Go code.
- Dependabot – Automatically detects and updates vulnerable dependencies in our project.
- syft – Generates a Software Bill of Materials (SBOM) for tracking dependencies.
- grype – Scans images, projects, and SBOM data for known vulnerabilities (CVE detection).
- cosign – Ensures binary authenticity and integrity by signing artifacts.
- OpenSSF Best Practices – Provides a set of best practices for secure software development.
- OpenSSF Scorecard – Evaluates the security posture of our open source project based on best practices.
- kubescape – Scans Kubernetes manifests and clusters for misconfigurations and vulnerabilities.
- kube-score – Analyzes Kubernetes object definitions to ensure best practices.
- kubesec – Scans Kubernetes manifests and performs security risk analysis.
This security stack helps ensure that our OSS code repositories, artifacts, and deployments remain safe, reliable, and compliant with industry best practices.
| Timeframe | Action |
|---|---|
| 0-2 days | Acknowledge vulnerability report |
| 3-7 days | Investigate and confirm vulnerability |
| 7-14 days | Develop a patch or mitigation |
| 14+ days | Release a fix and notify users |
Critical vulnerabilities may receive expedited patches and releases.
We appreciate the efforts of security researchers who help us improve DataKit. If you'd like to be publicly credited for reporting a vulnerability on our Hall of Fame, let us know!
Developed with ❤️ by DataKit