Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: martin.slanina@svitio.cz

Please include the following information in your report:

• Type of vulnerability (e.g., authentication bypass, code injection, etc.)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue - how an attacker might exploit it
• Any special configuration required to reproduce the issue

• We'll acknowledge receipt within 48 hours
• We'll provide a detailed response within 7 days indicating next steps
• We'll keep you informed about our progress toward a fix and full announcement
• We may ask for additional information or guidance

When we receive a security bug report, we will:

1. Confirm the problem and determine affected versions
2. Audit code to find any similar problems
3. Prepare fixes for all supported releases
4. Release patches as soon as possible
5. Publish security advisory on GitHub

Once a fix is released, we will:

• Publish a GitHub Security Advisory
• Credit the reporter (unless they prefer to remain anonymous)
• Notify users via release notes
• Update documentation with mitigation steps if needed

When deploying Image Replicator:

• ✅ Use cert-manager for automatic TLS certificate management
• ✅ Ensure webhook uses TLS 1.2 or higher
• ✅ Rotate certificates regularly

• ✅ Store registry credentials in Kubernetes Secrets
• ✅ Use encrypted Secrets at rest (if available)
• ✅ Limit Secret access with RBAC
• ✅ Rotate credentials regularly

• ✅ Use NetworkPolicies to restrict webhook access
• ✅ Only allow traffic from Kubernetes API server
• ✅ Deploy in a dedicated namespace

• ✅ Use least-privilege service accounts
• ✅ Don't grant cluster-admin permissions
• ✅ Review and audit RBAC policies regularly

• ✅ Use specific version tags, not latest
• ✅ Verify image provenance before deployment:

  gh attestation verify oci://ghcr.io/svitio-company/image-replicator:1.0.0 \
    --owner svitio-company

• ✅ Scan images for vulnerabilities regularly
• ✅ Keep the image up-to-date with latest security patches

• ✅ Enable audit logging in Kubernetes
• ✅ Monitor webhook metrics for anomalies
• ✅ Set up alerts for failed validations
• ✅ Review logs regularly for suspicious activity

• ✅ Use dedicated service accounts with minimal permissions
• ✅ Enable audit logging on target registry
• ✅ Monitor for unexpected image pushes
• ✅ Implement image signing/verification

The webhook clones images from source to target registries. Be aware:

• Malicious images: If source registry is compromised, malicious images could be cloned
• Mitigation: Use trusted source registries and implement image scanning

The webhook caches authentication tokens for performance:

• Risk: Tokens are stored in memory
• Mitigation: Tokens expire based on registry configuration, use short-lived tokens when possible

The webhook can block pod creation:

• Risk: Misconfiguration could cause denial of service
• Mitigation: Test thoroughly, use fail-open mode in non-production environments

Subscribe to security advisories:

• Watch this repository for security updates
• Subscribe to GitHub Security Advisories
• Follow release notes for security fixes

This project follows security best practices from:

• CNCF Security Best Practices
• Kubernetes Security Guidelines
• SLSA Framework (Level 3)
• OWASP Secure Coding Practices

For security-related questions that are not vulnerabilities, open a GitHub discussion or contact maintainers.