Merge branch 'master' into shard-by-url

2026-04-21 17:07:16 +00:00 · 2024-07-20 19:49:06 +10:00 · 2024-07-20 19:49:06 +10:00 · 2fe7ca4692
commit 2fe7ca4692
parent 5a3256db88 64b76f2fa0
267 changed files with 5726 additions and 746 deletions
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@ -31,7 +31,7 @@ jobs:
      docs: ${{ steps.filter.outputs.docs_any_changed }}
    steps:
      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # v44.5.5
+      - uses: tj-actions/changed-files@6b2903bdce6310cfbddd87c418f253cf29b2dec9 # v44.5.6
        id: filter
        with:
          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@ -464,7 +464,7 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull ghcr.io/dexidp/dex:v2.38.0
+          docker pull ghcr.io/dexidp/dex:v2.40.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
          docker pull redis:7.0.15-alpine
      - name: Create target directory for binaries in the build-process
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@ -143,7 +143,7 @@ jobs:

      - name: Build and push container image
        id: image
-        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c #v6.3.0
+        uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 #v6.4.1
        with:
          context: .
          platforms: ${{ inputs.platforms }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -197,7 +197,7 @@ jobs:
          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      
      - name: Upload SBOM
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/USERS.md
+++ b/USERS.md
@ -172,6 +172,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Kurly](https://www.kurly.com/)
 1. [Kvist](https://kvistsolutions.com)
 1. [Kyriba](https://www.kyriba.com/)
+1. [Lely](https://www.lely.com/)
 1. [LexisNexis](https://www.lexisnexis.com/)
 1. [Lian Chu Securities](https://lczq.com)
 1. [Liatrio](https://www.liatrio.com)
@ -202,6 +203,8 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MOO Print](https://www.moo.com/)
 1. [MTN Group](https://www.mtn.com/)
+1. [Municipality of The Hague](https://www.denhaag.nl/)
+1. [My Job Glasses](https://myjobglasses.com)
 1. [Natura &Co](https://naturaeco.com/)
 1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@ -142,7 +142,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 				Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
 			}, parametersGenerated,
 		)
-		return ctrl.Result{}, err
+		return ctrl.Result{RequeueAfter: ReconcileRequeueOnValidationError}, err
 	}

 	parametersGenerated = true
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
@ -1875,6 +1875,58 @@ func TestGetMinRequeueAfter(t *testing.T) {
 	assert.Equal(t, time.Duration(1)*time.Second, got)
 }

+func TestRequeueGeneratorFails(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+	err = v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+
+	appSet := v1alpha1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "name",
+			Namespace: "argocd",
+		},
+		Spec: v1alpha1.ApplicationSetSpec{
+			Generators: []v1alpha1.ApplicationSetGenerator{{
+				PullRequest: &v1alpha1.PullRequestGenerator{},
+			}},
+		},
+	}
+	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).Build()
+
+	generator := v1alpha1.ApplicationSetGenerator{
+		PullRequest: &v1alpha1.PullRequestGenerator{},
+	}
+
+	generatorMock := mocks.Generator{}
+	generatorMock.On("GetTemplate", &generator).
+		Return(&v1alpha1.ApplicationSetTemplate{})
+	generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+		Return([]map[string]interface{}{}, fmt.Errorf("Simulated error generating params that could be related to an external service/API call"))
+
+	r := ApplicationSetReconciler{
+		Client:   client,
+		Scheme:   scheme,
+		Recorder: record.NewFakeRecorder(0),
+		Cache:    &fakeCache{},
+		Generators: map[string]generators.Generator{
+			"PullRequest": &generatorMock,
+		},
+	}
+
+	req := ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: "argocd",
+			Name:      "name",
+		},
+	}
+
+	res, err := r.Reconcile(context.Background(), req)
+	require.Error(t, err)
+	assert.Equal(t, ReconcileRequeueOnValidationError, res.RequeueAfter)
+}
+
 func TestValidateGeneratedApplications(t *testing.T) {
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@ -232,7 +232,7 @@ func NewCommand() *cobra.Command {
 			"Enabling this will ensure there is only one active controller manager.")
 	command.Flags().StringSliceVar(&applicationSetNamespaces, "applicationset-namespaces", env.StringsFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES", []string{}, ","), "Argo CD applicationset namespaces")
 	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Argo CD repo server address")
-	command.Flags().StringVar(&policy, "policy", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_POLICY", ""), "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion), 'create-delete' (no update)")
+	command.Flags().StringVar(&policy, "policy", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_POLICY", ""), "Modify how application is synced between the generator and the cluster. Default is '' (empty), which means AppSets default to 'sync', but they may override that default. Setting an explicit value prevents AppSet-level overrides, unless --allow-policy-override is enabled. Explicit options are: 'sync' (create & update & delete), 'create-only', 'create-update' (no deletion), 'create-delete' (no update)")
 	command.Flags().BoolVar(&enablePolicyOverride, "enable-policy-override", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE", policy == ""), "For security reason if 'policy' is set, it is not possible to override it at applicationSet level. 'allow-policy-override' allows user to define their own policy")
 	command.Flags().BoolVar(&debugLog, "debug", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG", false), "Print debug logs. Takes precedence over loglevel")
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
--- a/cmd/argocd/commands/admin/cluster.go
+++ b/cmd/argocd/commands/admin/cluster.go
@ -106,14 +106,9 @@ func loadClusters(ctx context.Context, kubeClient *kubernetes.Clientset, appClie
 		}

 		redisOptions := &redis.Options{Addr: fmt.Sprintf("localhost:%d", port)}
-
-		secret, err := kubeClient.CoreV1().Secrets(namespace).Get(context.Background(), defaulRedisInitialPasswordSecretName, v1.GetOptions{})
-		if err == nil {
-			if _, ok := secret.Data[defaultResisInitialPasswordKey]; ok {
-				redisOptions.Password = string(secret.Data[defaultResisInitialPasswordKey])
-			}
+		if err = common.SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClient, namespace, redisOptions); err != nil {
+			log.Warnf("Failed to fetch & set redis password for namespace %s: %v", namespace, err)
 		}
-
 		client := redis.NewClient(redisOptions)
 		compressionType, err := cacheutil.CompressionTypeFromString(redisCompressionStr)
 		if err != nil {
--- a/cmd/argocd/commands/admin/project_allowlist_test.go
+++ b/cmd/argocd/commands/admin/project_allowlist_test.go
@ -17,5 +17,5 @@ func TestProjectAllowListGen(t *testing.T) {

 	globalProj, err := generateProjectAllowList(resourceList, "testdata/test_clusterrole.yaml", "testproj")
 	require.NoError(t, err)
-	assert.Positive(t, len(globalProj.Spec.NamespaceResourceWhitelist))
+	assert.NotEmpty(t, globalProj.Spec.NamespaceResourceWhitelist)
 }
--- a/cmd/argocd/commands/admin/redis_initial_password.go
+++ b/cmd/argocd/commands/admin/redis_initial_password.go
@ -6,25 +6,18 @@ import (
 	"fmt"
 	"math/big"

+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
-
-	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v2/util/cli"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"

+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/errors"
-
-	"github.com/spf13/cobra"
-	corev1 "k8s.io/api/core/v1"
-)
-
-const (
-	defaulRedisInitialPasswordSecretName = "argocd-redis"
-	defaultResisInitialPasswordKey       = "auth"
 )

 func generateRandomPassword() (string, error) {
@ -52,8 +45,8 @@ func NewRedisInitialPasswordCommand() *cobra.Command {
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)

-			redisInitialPasswordSecretName := defaulRedisInitialPasswordSecretName
-			redisInitialPasswordKey := defaultResisInitialPasswordKey
+			redisInitialPasswordSecretName := common.DefaultRedisInitialPasswordSecretName
+			redisInitialPasswordKey := common.DefaultRedisInitialPasswordKey
 			fmt.Printf("Checking for initial Redis password in secret %s/%s at key %s. \n", namespace, redisInitialPasswordSecretName, redisInitialPasswordKey)

 			config, err := clientConfig.ClientConfig()
--- a/cmd/argocd/commands/headless/headless.go
+++ b/cmd/argocd/commands/headless/headless.go
@ -8,16 +8,11 @@ import (
 	"sync"
 	"time"

-	"github.com/spf13/cobra"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
-	"github.com/argoproj/argo-cd/v2/common"
-
 	"github.com/alicebob/miniredis/v2"
 	"github.com/golang/protobuf/ptypes/empty"
 	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/runtime"
@ -26,7 +21,10 @@ import (
 	cache2 "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"

+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
+	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
@ -254,13 +252,18 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 		return fmt.Errorf("error running miniredis: %w", err)
 	}
 	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression, redisHaProxyName: clientOpts.RedisHaProxyName, redisName: clientOpts.RedisName}), time.Hour)
+
+	redisOptions := &redis.Options{Addr: mr.Addr()}
+	if err = common.SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClientset, namespace, redisOptions); err != nil {
+		log.Warnf("Failed to fetch & set redis password for namespace %s: %v", namespace, err)
+	}
 	srv := server.NewServer(ctx, server.ArgoCDServerOpts{
 		EnableGZip:              false,
 		Namespace:               namespace,
 		ListenPort:              *port,
 		AppClientset:            appClientset,
 		DisableAuth:             true,
-		RedisClient:             redis.NewClient(&redis.Options{Addr: mr.Addr()}),
+		RedisClient:             redis.NewClient(redisOptions),
 		Cache:                   servercache.NewCache(appstateCache, 0, 0, 0),
 		KubeClientset:           kubeClientset,
 		DynamicClientset:        dynamicClientset,
--- a/cmd/util/cluster_test.go
+++ b/cmd/util/cluster_test.go
@ -1,7 +1,6 @@
 package util

 import (
-	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
@ -53,8 +52,8 @@ func Test_newCluster(t *testing.T) {
 		&v1alpha1.AWSAuthConfig{},
 		&v1alpha1.ExecProviderConfig{}, labels, nil)

-	assert.True(t, strings.Contains(string(clusterWithFiles.Config.CertData), "test-cert-data"))
-	assert.True(t, strings.Contains(string(clusterWithFiles.Config.KeyData), "test-key-data"))
+	assert.Contains(t, string(clusterWithFiles.Config.CertData), "test-cert-data")
+	assert.Contains(t, string(clusterWithFiles.Config.KeyData), "test-key-data")
 	assert.Equal(t, "", clusterWithFiles.Config.BearerToken)
 	assert.Equal(t, labels, clusterWithFiles.Labels)
 	assert.Nil(t, clusterWithFiles.Annotations)
--- a/cmpserver/apiclient/plugin.pb.go
+++ b/cmpserver/apiclient/plugin.pb.go
@ -11,6 +11,7 @@ import (
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	io "io"
 	math "math"
 	math_bits "math/bits"
@ -467,6 +468,54 @@ func (m *File) GetChunk() []byte {
 	return nil
 }

+// CheckPluginConfigurationResponse contains a list of plugin configuration flags.
+type CheckPluginConfigurationResponse struct {
+	IsDiscoveryConfigured bool     `protobuf:"varint,1,opt,name=isDiscoveryConfigured,proto3" json:"isDiscoveryConfigured,omitempty"`
+	XXX_NoUnkeyedLiteral  struct{} `json:"-"`
+	XXX_unrecognized      []byte   `json:"-"`
+	XXX_sizecache         int32    `json:"-"`
+}
+
+func (m *CheckPluginConfigurationResponse) Reset()         { *m = CheckPluginConfigurationResponse{} }
+func (m *CheckPluginConfigurationResponse) String() string { return proto.CompactTextString(m) }
+func (*CheckPluginConfigurationResponse) ProtoMessage()    {}
+func (*CheckPluginConfigurationResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_b21875a7079a06ed, []int{7}
+}
+func (m *CheckPluginConfigurationResponse) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *CheckPluginConfigurationResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_CheckPluginConfigurationResponse.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *CheckPluginConfigurationResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CheckPluginConfigurationResponse.Merge(m, src)
+}
+func (m *CheckPluginConfigurationResponse) XXX_Size() int {
+	return m.Size()
+}
+func (m *CheckPluginConfigurationResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_CheckPluginConfigurationResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CheckPluginConfigurationResponse proto.InternalMessageInfo
+
+func (m *CheckPluginConfigurationResponse) GetIsDiscoveryConfigured() bool {
+	if m != nil {
+		return m.IsDiscoveryConfigured
+	}
+	return false
+}
+
 func init() {
 	proto.RegisterType((*AppStreamRequest)(nil), "plugin.AppStreamRequest")
 	proto.RegisterType((*ManifestRequestMetadata)(nil), "plugin.ManifestRequestMetadata")
@ -475,48 +524,54 @@ func init() {
 	proto.RegisterType((*RepositoryResponse)(nil), "plugin.RepositoryResponse")
 	proto.RegisterType((*ParametersAnnouncementResponse)(nil), "plugin.ParametersAnnouncementResponse")
 	proto.RegisterType((*File)(nil), "plugin.File")
+	proto.RegisterType((*CheckPluginConfigurationResponse)(nil), "plugin.CheckPluginConfigurationResponse")
 }

 func init() { proto.RegisterFile("cmpserver/plugin/plugin.proto", fileDescriptor_b21875a7079a06ed) }

 var fileDescriptor_b21875a7079a06ed = []byte{
-	// 576 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x94, 0xdd, 0x6e, 0x12, 0x4f,
-	0x14, 0xc0, 0xbb, 0x85, 0xb6, 0x70, 0x68, 0xf2, 0x27, 0x93, 0x7f, 0x74, 0x25, 0x2d, 0xe2, 0x5e,
-	0x18, 0x6e, 0x84, 0x04, 0xbd, 0x35, 0xb1, 0x55, 0x6c, 0xa3, 0xc1, 0x90, 0xa9, 0x37, 0x7a, 0x37,
-	0x1d, 0x0e, 0x30, 0x76, 0x77, 0x66, 0x9c, 0x99, 0xdd, 0x04, 0xbd, 0xf1, 0x3d, 0x7c, 0x00, 0x5f,
-	0xc5, 0x4b, 0x1f, 0xc1, 0xf4, 0x49, 0x0c, 0xb3, 0xbb, 0x40, 0x6c, 0x8b, 0x57, 0x7b, 0x3e, 0x7f,
-	0x7b, 0xbe, 0x32, 0x70, 0xcc, 0x13, 0x6d, 0xd1, 0x64, 0x68, 0xfa, 0x3a, 0x4e, 0x67, 0x42, 0x16,
-	0x9f, 0x9e, 0x36, 0xca, 0x29, 0xb2, 0x9f, 0x6b, 0xad, 0xe1, 0x4c, 0xb8, 0x79, 0x7a, 0xd9, 0xe3,
-	0x2a, 0xe9, 0x33, 0x33, 0x53, 0xda, 0xa8, 0x4f, 0x5e, 0x78, 0xc2, 0x27, 0xfd, 0x6c, 0xd0, 0x37,
-	0xa8, 0x55, 0x81, 0xf1, 0xa2, 0x70, 0xca, 0x2c, 0x36, 0xc4, 0x1c, 0x17, 0x7d, 0x0b, 0xa0, 0x79,
-	0xa2, 0xf5, 0x85, 0x33, 0xc8, 0x12, 0x8a, 0x9f, 0x53, 0xb4, 0x8e, 0x3c, 0x87, 0x5a, 0x82, 0x8e,
-	0x4d, 0x98, 0x63, 0x61, 0xd0, 0x09, 0xba, 0x8d, 0xc1, 0xc3, 0x5e, 0x51, 0xc4, 0x88, 0x49, 0x31,
-	0x45, 0xeb, 0x8a, 0xd0, 0x51, 0x11, 0x76, 0xbe, 0x43, 0x57, 0x29, 0x24, 0x82, 0xea, 0x54, 0xc4,
-	0x18, 0xee, 0xfa, 0xd4, 0xc3, 0x32, 0xf5, 0xb5, 0x88, 0xf1, 0x7c, 0x87, 0x7a, 0xdf, 0x69, 0x1d,
-	0x0e, 0x4c, 0x8e, 0x88, 0x7e, 0x04, 0x70, 0xff, 0x0e, 0x2c, 0x09, 0xe1, 0x80, 0x69, 0xfd, 0x8e,
-	0x25, 0xe8, 0x0b, 0xa9, 0xd3, 0x52, 0x25, 0x6d, 0x00, 0xa6, 0x35, 0xc5, 0x78, 0xcc, 0xdc, 0xdc,
-	0xff, 0xaa, 0x4e, 0x37, 0x2c, 0xa4, 0x05, 0x35, 0x3e, 0x47, 0x7e, 0x65, 0xd3, 0x24, 0xac, 0x78,
-	0xef, 0x4a, 0x27, 0x04, 0xaa, 0x56, 0x7c, 0xc1, 0xb0, 0xda, 0x09, 0xba, 0x15, 0xea, 0x65, 0x12,
-	0x41, 0x05, 0x65, 0x16, 0xee, 0x75, 0x2a, 0xdd, 0xc6, 0xa0, 0x59, 0xd6, 0x3c, 0x94, 0xd9, 0x50,
-	0x3a, 0xb3, 0xa0, 0x4b, 0x67, 0xf4, 0x0c, 0x6a, 0xa5, 0x61, 0xc9, 0x90, 0xeb, 0xb2, 0xbc, 0x4c,
-	0xfe, 0x87, 0xbd, 0x8c, 0xc5, 0x29, 0x16, 0xe5, 0xe4, 0x4a, 0x34, 0x86, 0xe6, 0xba, 0x3d, 0xab,
-	0x95, 0xb4, 0x48, 0x8e, 0xa0, 0x9e, 0x14, 0x36, 0x1b, 0x06, 0x9d, 0x4a, 0xb7, 0x4e, 0xd7, 0x86,
-	0x65, 0x6f, 0x56, 0xa5, 0x86, 0xe3, 0xfb, 0x85, 0x2e, 0x61, 0x1b, 0x96, 0x68, 0x0a, 0x84, 0xae,
-	0x16, 0xb9, 0x62, 0x76, 0xa0, 0x21, 0xec, 0x45, 0xaa, 0xb5, 0x32, 0x0e, 0x27, 0xbe, 0xb0, 0x1a,
-	0xdd, 0x34, 0x91, 0x1e, 0x10, 0x61, 0x5f, 0x09, 0xcb, 0x55, 0x86, 0x66, 0x31, 0x94, 0xec, 0x32,
-	0xc6, 0x89, 0xe7, 0xd7, 0xe8, 0x2d, 0x9e, 0xe8, 0x2b, 0xb4, 0xc7, 0xcc, 0xb0, 0x04, 0x1d, 0x1a,
-	0x7b, 0x22, 0xa5, 0x4a, 0x25, 0xc7, 0x04, 0xe5, 0xba, 0x8f, 0x0f, 0x70, 0x4f, 0x97, 0x11, 0x9b,
-	0x01, 0x79, 0x53, 0x8d, 0xc1, 0xa3, 0xde, 0xc6, 0xc5, 0x8d, 0x6f, 0x8b, 0xa4, 0x77, 0x00, 0xa2,
-	0x23, 0xa8, 0x2e, 0x2f, 0x66, 0x39, 0x54, 0x3e, 0x4f, 0xe5, 0x95, 0x6f, 0xe8, 0x90, 0xe6, 0xca,
-	0xe0, 0xfb, 0x2e, 0x1c, 0xbf, 0x54, 0x72, 0x2a, 0x66, 0x23, 0x26, 0xd9, 0xcc, 0xe7, 0x8c, 0xfd,
-	0xce, 0x2e, 0xd0, 0x64, 0x82, 0x23, 0x79, 0x03, 0xcd, 0x33, 0x94, 0x68, 0x98, 0xc3, 0x72, 0xfc,
-	0x24, 0x2c, 0xf7, 0xfa, 0xf7, 0xc9, 0xb7, 0xc2, 0x9b, 0x07, 0x9e, 0xb7, 0x18, 0xed, 0x74, 0x03,
-	0xf2, 0x16, 0xfe, 0x1b, 0x31, 0xc7, 0xe7, 0xeb, 0xa9, 0x6f, 0x41, 0xb5, 0x4a, 0xcf, 0xcd, 0x1d,
-	0x79, 0x18, 0x83, 0x07, 0x67, 0xe8, 0x6e, 0x1f, 0xec, 0x16, 0xec, 0xe3, 0xd2, 0xb3, 0x7d, 0x25,
-	0xcb, 0x5f, 0x9c, 0xbe, 0xf8, 0x79, 0xdd, 0x0e, 0x7e, 0x5d, 0xb7, 0x83, 0xdf, 0xd7, 0xed, 0xe0,
-	0xe3, 0xe0, 0x1f, 0x4f, 0xc5, 0xfa, 0xc1, 0x61, 0x5a, 0xf0, 0x58, 0xa0, 0x74, 0x97, 0xfb, 0xfe,
-	0x79, 0x78, 0xfa, 0x27, 0x00, 0x00, 0xff, 0xff, 0x23, 0x88, 0x8e, 0xd3, 0x8e, 0x04, 0x00, 0x00,
+	// 650 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x54, 0xc1, 0x6e, 0xd3, 0x4c,
+	0x10, 0x8e, 0x9b, 0xb4, 0x4d, 0x26, 0x95, 0xfe, 0x68, 0xf5, 0x53, 0x4c, 0x68, 0x43, 0xf0, 0x01,
+	0xe5, 0x82, 0x23, 0x85, 0x5e, 0x91, 0x68, 0x4b, 0x68, 0x05, 0x0a, 0x8a, 0xb6, 0x1c, 0x80, 0x03,
+	0xd2, 0xc6, 0x99, 0x24, 0x4b, 0xed, 0xdd, 0x65, 0xbd, 0x8e, 0x14, 0xb8, 0xf0, 0x36, 0xbc, 0x0a,
+	0x47, 0x1e, 0x01, 0xf5, 0x35, 0xb8, 0x20, 0xaf, 0xed, 0x24, 0xa2, 0x69, 0x7b, 0xf2, 0xcc, 0x7c,
+	0xb3, 0xdf, 0x7e, 0xb3, 0x33, 0x63, 0x38, 0x0c, 0x22, 0x15, 0xa3, 0x9e, 0xa3, 0xee, 0xaa, 0x30,
+	0x99, 0x72, 0x91, 0x7f, 0x7c, 0xa5, 0xa5, 0x91, 0x64, 0x27, 0xf3, 0x9a, 0xfd, 0x29, 0x37, 0xb3,
+	0x64, 0xe4, 0x07, 0x32, 0xea, 0x32, 0x3d, 0x95, 0x4a, 0xcb, 0xcf, 0xd6, 0x78, 0x1a, 0x8c, 0xbb,
+	0xf3, 0x5e, 0x57, 0xa3, 0x92, 0x39, 0x8d, 0x35, 0xb9, 0x91, 0x7a, 0xb1, 0x66, 0x66, 0x74, 0xcd,
+	0x87, 0x53, 0x29, 0xa7, 0x21, 0x76, 0xad, 0x37, 0x4a, 0x26, 0x5d, 0x8c, 0x94, 0xc9, 0x41, 0xef,
+	0xbb, 0x03, 0x8d, 0x63, 0xa5, 0x2e, 0x8c, 0x46, 0x16, 0x51, 0xfc, 0x92, 0x60, 0x6c, 0xc8, 0x73,
+	0xa8, 0x46, 0x68, 0xd8, 0x98, 0x19, 0xe6, 0x3a, 0x6d, 0xa7, 0x53, 0xef, 0x3d, 0xf2, 0x73, 0x85,
+	0x03, 0x26, 0xf8, 0x04, 0x63, 0x93, 0xa7, 0x0e, 0xf2, 0xb4, 0xf3, 0x12, 0x5d, 0x1e, 0x21, 0x1e,
+	0x54, 0x26, 0x3c, 0x44, 0x77, 0xcb, 0x1e, 0xdd, 0x2b, 0x8e, 0xbe, 0xe2, 0x21, 0x9e, 0x97, 0xa8,
+	0xc5, 0x4e, 0x6a, 0xb0, 0xab, 0x33, 0x0a, 0xef, 0x87, 0x03, 0xf7, 0x6f, 0xa0, 0x25, 0x2e, 0xec,
+	0x32, 0xa5, 0xde, 0xb2, 0x08, 0xad, 0x90, 0x1a, 0x2d, 0x5c, 0xd2, 0x02, 0x60, 0x4a, 0x51, 0x0c,
+	0x87, 0xcc, 0xcc, 0xec, 0x55, 0x35, 0xba, 0x16, 0x21, 0x4d, 0xa8, 0x06, 0x33, 0x0c, 0x2e, 0xe3,
+	0x24, 0x72, 0xcb, 0x16, 0x5d, 0xfa, 0x84, 0x40, 0x25, 0xe6, 0x5f, 0xd1, 0xad, 0xb4, 0x9d, 0x4e,
+	0x99, 0x5a, 0x9b, 0x78, 0x50, 0x46, 0x31, 0x77, 0xb7, 0xdb, 0xe5, 0x4e, 0xbd, 0xd7, 0x28, 0x34,
+	0xf7, 0xc5, 0xbc, 0x2f, 0x8c, 0x5e, 0xd0, 0x14, 0xf4, 0x8e, 0xa0, 0x5a, 0x04, 0x52, 0x0e, 0xb1,
+	0x92, 0x65, 0x6d, 0xf2, 0x3f, 0x6c, 0xcf, 0x59, 0x98, 0x60, 0x2e, 0x27, 0x73, 0xbc, 0x21, 0x34,
+	0x56, 0xe5, 0xc5, 0x4a, 0x8a, 0x18, 0xc9, 0x01, 0xd4, 0xa2, 0x3c, 0x16, 0xbb, 0x4e, 0xbb, 0xdc,
+	0xa9, 0xd1, 0x55, 0x20, 0xad, 0x2d, 0x96, 0x89, 0x0e, 0xf0, 0xdd, 0x42, 0x15, 0x64, 0x6b, 0x11,
+	0x6f, 0x02, 0x84, 0x2e, 0xbb, 0xbc, 0xe4, 0x6c, 0x43, 0x9d, 0xc7, 0x17, 0x89, 0x52, 0x52, 0x1b,
+	0x1c, 0x5b, 0x61, 0x55, 0xba, 0x1e, 0x22, 0x3e, 0x10, 0x1e, 0xbf, 0xe4, 0x71, 0x20, 0xe7, 0xa8,
+	0x17, 0x7d, 0xc1, 0x46, 0x21, 0x8e, 0x2d, 0x7f, 0x95, 0x6e, 0x40, 0xbc, 0x6f, 0xd0, 0x1a, 0x32,
+	0xcd, 0x22, 0x34, 0xa8, 0xe3, 0x63, 0x21, 0x64, 0x22, 0x02, 0x8c, 0x50, 0xac, 0xea, 0xf8, 0x00,
+	0xfb, 0xaa, 0xc8, 0x58, 0x4f, 0xc8, 0x8a, 0xaa, 0xf7, 0x1e, 0xfb, 0x6b, 0xe3, 0x38, 0xdc, 0x94,
+	0x49, 0x6f, 0x20, 0xf0, 0x0e, 0xa0, 0x92, 0x4e, 0x4c, 0xfa, 0xa8, 0xc1, 0x2c, 0x11, 0x97, 0xb6,
+	0xa0, 0x3d, 0x9a, 0x39, 0xde, 0x7b, 0x68, 0x9f, 0xa6, 0xed, 0x1c, 0xda, 0x3e, 0x9d, 0x4a, 0x31,
+	0xe1, 0xd3, 0x44, 0x33, 0xc3, 0xa5, 0x58, 0x8a, 0x3b, 0x82, 0x7b, 0x6b, 0x45, 0x15, 0x39, 0xcb,
+	0xa7, 0xd9, 0x0c, 0xf6, 0xfe, 0x6c, 0xc1, 0x61, 0xe6, 0x0e, 0x98, 0x60, 0x53, 0xab, 0x26, 0xbb,
+	0xe5, 0x02, 0xf5, 0x9c, 0x07, 0x48, 0x5e, 0x43, 0xe3, 0x0c, 0x05, 0x6a, 0x66, 0xb0, 0x68, 0x2c,
+	0x71, 0x8b, 0x89, 0xf9, 0x77, 0x99, 0x9a, 0xee, 0xf5, 0xd5, 0xc9, 0xf4, 0x79, 0xa5, 0x8e, 0x43,
+	0x3e, 0x81, 0x7b, 0x53, 0x1d, 0x64, 0xdf, 0xcf, 0x36, 0xd7, 0x2f, 0x36, 0xd7, 0xef, 0xa7, 0x9b,
+	0xdb, 0xec, 0x14, 0x8c, 0x77, 0xbd, 0x80, 0x57, 0x22, 0x6f, 0xe0, 0xbf, 0x01, 0x33, 0xc1, 0x6c,
+	0x35, 0x2f, 0xb7, 0x48, 0x6d, 0x16, 0xc8, 0xf5, 0xe9, 0xb2, 0x62, 0x19, 0x3c, 0x38, 0x43, 0xb3,
+	0x79, 0x24, 0x6e, 0xa1, 0x7d, 0x52, 0x20, 0xb7, 0x0f, 0x53, 0x7a, 0xc5, 0xc9, 0x8b, 0x9f, 0x57,
+	0x2d, 0xe7, 0xd7, 0x55, 0xcb, 0xf9, 0x7d, 0xd5, 0x72, 0x3e, 0xf6, 0xee, 0xf8, 0x03, 0xae, 0xfe,
+	0xa3, 0x4c, 0xf1, 0x20, 0xe4, 0x28, 0xcc, 0x68, 0xc7, 0xbe, 0xd6, 0xb3, 0xbf, 0x01, 0x00, 0x00,
+	0xff, 0xff, 0xb5, 0x6b, 0xca, 0xa6, 0x65, 0x05, 0x00, 0x00,
 }

 // Reference imports to suppress errors if they are not otherwise used.
@ -534,6 +589,9 @@ type ConfigManagementPluginServiceClient interface {
 	// GenerateManifests receive a stream containing a tgz archive with all required files necessary
 	// to generate manifests
 	GenerateManifest(ctx context.Context, opts ...grpc.CallOption) (ConfigManagementPluginService_GenerateManifestClient, error)
+	// CheckPluginConfiguration is a pre-flight request  to check the plugin configuration
+	// without sending the whole repo.
+	CheckPluginConfiguration(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*CheckPluginConfigurationResponse, error)
 	// MatchRepository returns whether or not the given application is supported by the plugin
 	MatchRepository(ctx context.Context, opts ...grpc.CallOption) (ConfigManagementPluginService_MatchRepositoryClient, error)
 	// GetParametersAnnouncement gets a list of parameter announcements for the given app
@ -582,6 +640,15 @@ func (x *configManagementPluginServiceGenerateManifestClient) CloseAndRecv() (*M
 	return m, nil
 }

+func (c *configManagementPluginServiceClient) CheckPluginConfiguration(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*CheckPluginConfigurationResponse, error) {
+	out := new(CheckPluginConfigurationResponse)
+	err := c.cc.Invoke(ctx, "/plugin.ConfigManagementPluginService/CheckPluginConfiguration", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *configManagementPluginServiceClient) MatchRepository(ctx context.Context, opts ...grpc.CallOption) (ConfigManagementPluginService_MatchRepositoryClient, error) {
 	stream, err := c.cc.NewStream(ctx, &_ConfigManagementPluginService_serviceDesc.Streams[1], "/plugin.ConfigManagementPluginService/MatchRepository", opts...)
 	if err != nil {
@ -655,6 +722,9 @@ type ConfigManagementPluginServiceServer interface {
 	// GenerateManifests receive a stream containing a tgz archive with all required files necessary
 	// to generate manifests
 	GenerateManifest(ConfigManagementPluginService_GenerateManifestServer) error
+	// CheckPluginConfiguration is a pre-flight request  to check the plugin configuration
+	// without sending the whole repo.
+	CheckPluginConfiguration(context.Context, *emptypb.Empty) (*CheckPluginConfigurationResponse, error)
 	// MatchRepository returns whether or not the given application is supported by the plugin
 	MatchRepository(ConfigManagementPluginService_MatchRepositoryServer) error
 	// GetParametersAnnouncement gets a list of parameter announcements for the given app
@ -668,6 +738,9 @@ type UnimplementedConfigManagementPluginServiceServer struct {
 func (*UnimplementedConfigManagementPluginServiceServer) GenerateManifest(srv ConfigManagementPluginService_GenerateManifestServer) error {
 	return status.Errorf(codes.Unimplemented, "method GenerateManifest not implemented")
 }
+func (*UnimplementedConfigManagementPluginServiceServer) CheckPluginConfiguration(ctx context.Context, req *emptypb.Empty) (*CheckPluginConfigurationResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CheckPluginConfiguration not implemented")
+}
 func (*UnimplementedConfigManagementPluginServiceServer) MatchRepository(srv ConfigManagementPluginService_MatchRepositoryServer) error {
 	return status.Errorf(codes.Unimplemented, "method MatchRepository not implemented")
 }
@ -705,6 +778,24 @@ func (x *configManagementPluginServiceGenerateManifestServer) Recv() (*AppStream
 	return m, nil
 }

+func _ConfigManagementPluginService_CheckPluginConfiguration_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(emptypb.Empty)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ConfigManagementPluginServiceServer).CheckPluginConfiguration(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/plugin.ConfigManagementPluginService/CheckPluginConfiguration",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ConfigManagementPluginServiceServer).CheckPluginConfiguration(ctx, req.(*emptypb.Empty))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _ConfigManagementPluginService_MatchRepository_Handler(srv interface{}, stream grpc.ServerStream) error {
 	return srv.(ConfigManagementPluginServiceServer).MatchRepository(&configManagementPluginServiceMatchRepositoryServer{stream})
 }
@ -760,7 +851,12 @@ func (x *configManagementPluginServiceGetParametersAnnouncementServer) Recv() (*
 var _ConfigManagementPluginService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "plugin.ConfigManagementPluginService",
 	HandlerType: (*ConfigManagementPluginServiceServer)(nil),
-	Methods:     []grpc.MethodDesc{},
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "CheckPluginConfiguration",
+			Handler:    _ConfigManagementPluginService_CheckPluginConfiguration_Handler,
+		},
+	},
 	Streams: []grpc.StreamDesc{
 		{
 			StreamName:    "GenerateManifest",
@ -1132,6 +1228,43 @@ func (m *File) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }

+func (m *CheckPluginConfigurationResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CheckPluginConfigurationResponse) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *CheckPluginConfigurationResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if m.IsDiscoveryConfigured {
+		i--
+		if m.IsDiscoveryConfigured {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x8
+	}
+	return len(dAtA) - i, nil
+}
+
 func encodeVarintPlugin(dAtA []byte, offset int, v uint64) int {
 	offset -= sovPlugin(v)
 	base := offset
@ -1309,6 +1442,21 @@ func (m *File) Size() (n int) {
 	return n
 }

+func (m *CheckPluginConfigurationResponse) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.IsDiscoveryConfigured {
+		n += 2
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
 func sovPlugin(x uint64) (n int) {
 	return (math_bits.Len64(x|1) + 6) / 7
 }
@ -2127,6 +2275,77 @@ func (m *File) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *CheckPluginConfigurationResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowPlugin
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CheckPluginConfigurationResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CheckPluginConfigurationResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IsDiscoveryConfigured", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IsDiscoveryConfigured = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipPlugin(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func skipPlugin(dAtA []byte) (n int, err error) {
 	l := len(dAtA)
 	iNdEx := 0
--- a/cmpserver/plugin/plugin.go
+++ b/cmpserver/plugin/plugin.go
@ -15,6 +15,7 @@ import (
 	"unicode"

 	"github.com/argoproj/pkg/rand"
+	"github.com/golang/protobuf/ptypes/empty"

 	"github.com/argoproj/argo-cd/v2/cmpserver/apiclient"
 	"github.com/argoproj/argo-cd/v2/common"
@ -446,3 +447,15 @@ func getParametersAnnouncement(ctx context.Context, appDir string, announcements
 	}
 	return repoResponse, nil
 }
+
+func (s *Service) CheckPluginConfiguration(ctx context.Context, _ *empty.Empty) (*apiclient.CheckPluginConfigurationResponse, error) {
+	isDiscoveryConfigured := s.isDiscoveryConfigured()
+	response := &apiclient.CheckPluginConfigurationResponse{IsDiscoveryConfigured: isDiscoveryConfigured}
+
+	return response, nil
+}
+
+func (s *Service) isDiscoveryConfigured() (isDiscoveryConfigured bool) {
+	config := s.initConstants.PluginConfig
+	return config.Spec.Discover.FileName != "" || config.Spec.Discover.Find.Glob != "" || len(config.Spec.Discover.Find.Command.Command) > 0
+}
--- a/cmpserver/plugin/plugin.proto
+++ b/cmpserver/plugin/plugin.proto
@ -4,6 +4,7 @@ option go_package = "github.com/argoproj/argo-cd/v2/cmpserver/apiclient";
 package plugin;

 import "github.com/argoproj/argo-cd/v2/reposerver/repository/repository.proto";
+import "google/protobuf/empty.proto";

 // AppStreamRequest is the request object used to send the application's
 // files over a stream.
@ -57,6 +58,11 @@ message File {
    bytes chunk = 1;
 }

+// CheckPluginConfigurationResponse contains a list of plugin configuration flags.
+message CheckPluginConfigurationResponse {
+    bool isDiscoveryConfigured = 1;
+}
+
 // ConfigManagementPlugin Service
 service ConfigManagementPluginService {
    // GenerateManifests receive a stream containing a tgz archive with all required files necessary
@ -64,6 +70,11 @@ service ConfigManagementPluginService {
    rpc GenerateManifest(stream AppStreamRequest) returns (ManifestResponse) {
    }

+    // CheckPluginConfiguration is a pre-flight request  to check the plugin configuration
+    // without sending the whole repo.
+    rpc CheckPluginConfiguration(google.protobuf.Empty) returns (CheckPluginConfigurationResponse) {
+    }
+
    // MatchRepository returns whether or not the given application is supported by the plugin
    rpc MatchRepository(stream AppStreamRequest) returns (RepositoryResponse) {
    }
--- a/cmpserver/plugin/plugin_test.go
+++ b/cmpserver/plugin/plugin_test.go
@ -12,6 +12,7 @@ import (
 	"testing"
 	"time"

+	"github.com/golang/protobuf/ptypes/empty"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/metadata"
@ -532,6 +533,76 @@ func TestEnviron(t *testing.T) {
 	})
 }

+func TestIsDiscoveryConfigured(t *testing.T) {
+	type fixture struct {
+		service *Service
+	}
+	setup := func(t *testing.T, opts ...pluginOpt) *fixture {
+		t.Helper()
+		cic := buildPluginConfig(opts...)
+		s := NewService(*cic)
+		return &fixture{
+			service: s,
+		}
+	}
+	t.Run("discovery is enabled when is configured by FileName", func(t *testing.T) {
+		// given
+		d := Discover{
+			FileName: "kustomization.yaml",
+		}
+		f := setup(t, withDiscover(d))
+
+		// when
+		isDiscoveryConfigured := f.service.isDiscoveryConfigured()
+
+		// then
+		assert.True(t, isDiscoveryConfigured)
+	})
+	t.Run("discovery is enabled when is configured by Glob", func(t *testing.T) {
+		// given
+		d := Discover{
+			Find: Find{
+				Glob: "**/*/plugin.yaml",
+			},
+		}
+		f := setup(t, withDiscover(d))
+
+		// when
+		isDiscoveryConfigured := f.service.isDiscoveryConfigured()
+
+		// then
+		assert.True(t, isDiscoveryConfigured)
+	})
+	t.Run("discovery is enabled when is configured by Command", func(t *testing.T) {
+		// given
+		d := Discover{
+			Find: Find{
+				Command: Command{
+					Command: []string{"echo", "test"},
+				},
+			},
+		}
+		f := setup(t, withDiscover(d))
+
+		// when
+		isDiscoveryConfigured := f.service.isDiscoveryConfigured()
+
+		// then
+		assert.True(t, isDiscoveryConfigured)
+	})
+	t.Run("discovery is disabled when discover is not configured", func(t *testing.T) {
+		// given
+		d := Discover{}
+		f := setup(t, withDiscover(d))
+
+		// when
+		isDiscoveryConfigured := f.service.isDiscoveryConfigured()
+
+		// then
+		assert.False(t, isDiscoveryConfigured)
+	})
+}
+
 type MockGenerateManifestStream struct {
 	metadataSent    bool
 	fileSent        bool
@ -805,3 +876,44 @@ func Test_getCommandArgsToLog(t *testing.T) {
 		})
 	}
 }
+
+func TestService_CheckPluginConfiguration(t *testing.T) {
+	type fixture struct {
+		service *Service
+	}
+	setup := func(t *testing.T, opts ...pluginOpt) *fixture {
+		t.Helper()
+		cic := buildPluginConfig(opts...)
+		s := NewService(*cic)
+		return &fixture{
+			service: s,
+		}
+	}
+	t.Run("discovery is enabled when is configured", func(t *testing.T) {
+		// given
+		d := Discover{
+			FileName: "kustomization.yaml",
+		}
+		f := setup(t, withDiscover(d))
+
+		// when
+		resp, err := f.service.CheckPluginConfiguration(context.Background(), &empty.Empty{})
+
+		// then
+		require.NoError(t, err)
+		assert.True(t, resp.IsDiscoveryConfigured)
+	})
+
+	t.Run("discovery is disabled when is not configured", func(t *testing.T) {
+		// given
+		d := Discover{}
+		f := setup(t, withDiscover(d))
+
+		// when
+		resp, err := f.service.CheckPluginConfiguration(context.Background(), &empty.Empty{})
+
+		// then
+		require.NoError(t, err)
+		assert.False(t, resp.IsDiscoveryConfigured)
+	})
+}
--- a/common/common.go
+++ b/common/common.go
@ -1,15 +1,20 @@
 package common

 import (
-	"errors"
+	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"

+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )

 // Component names
@ -416,3 +421,30 @@ const TokenVerificationError = "failed to verify the token"
 var TokenVerificationErr = errors.New(TokenVerificationError)

 var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")
+
+// Redis password consts
+const (
+	DefaultRedisInitialPasswordSecretName = "argocd-redis"
+	DefaultRedisInitialPasswordKey        = "auth"
+)
+
+/*
+SetOptionalRedisPasswordFromKubeConfig sets the optional Redis password if it exists in the k8s namespace's secrets.
+
+We specify kubeClient as kubernetes.Interface to allow for mocking in tests, but this should be treated as a kubernetes.Clientset param.
+*/
+func SetOptionalRedisPasswordFromKubeConfig(ctx context.Context, kubeClient kubernetes.Interface, namespace string, redisOptions *redis.Options) error {
+	secret, err := kubeClient.CoreV1().Secrets(namespace).Get(ctx, DefaultRedisInitialPasswordSecretName, v1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to get secret %s/%s: %w", namespace, DefaultRedisInitialPasswordSecretName, err)
+	}
+	if secret == nil {
+		return fmt.Errorf("failed to get secret %s/%s: secret is nil", namespace, DefaultRedisInitialPasswordSecretName)
+	}
+	_, ok := secret.Data[DefaultRedisInitialPasswordKey]
+	if !ok {
+		return fmt.Errorf("secret %s/%s does not contain key %s", namespace, DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey)
+	}
+	redisOptions.Password = string(secret.Data[DefaultRedisInitialPasswordKey])
+	return nil
+}
--- a/common/common_test.go
+++ b/common/common_test.go
@ -1,12 +1,18 @@
 package common

 import (
+	"context"
 	"fmt"
 	"os"
 	"testing"
 	"time"

+	"github.com/redis/go-redis/v9"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubefake "k8s.io/client-go/kubernetes/fake"
 )

 // Test env var not set for EnvGRPCKeepAliveMin
@ -44,3 +50,63 @@ func Test_GRPCKeepAliveMinIncorrectlySet(t *testing.T) {
 	grpcKeepAliveTime := GetGRPCKeepAliveTime()
 	assert.Equal(t, 2*grpcKeepAliveExpectedMin, grpcKeepAliveTime)
 }
+
+func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name, namespace, expectedPassword, expectedErr string
+		secret                                         *corev1.Secret
+	}{
+		{
+			name:             "Secret exists with correct key",
+			namespace:        "default",
+			expectedPassword: "password123",
+			expectedErr:      "",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName},
+				Data:       map[string][]byte{DefaultRedisInitialPasswordKey: []byte("password123")},
+			},
+		},
+		{
+			name:             "Secret does not exist",
+			namespace:        "default",
+			expectedPassword: "",
+			expectedErr:      fmt.Sprintf("failed to get secret default/%s", DefaultRedisInitialPasswordSecretName),
+			secret:           nil,
+		},
+		{
+			name:             "Secret exists without correct key",
+			namespace:        "default",
+			expectedPassword: "",
+			expectedErr:      fmt.Sprintf("secret default/%s does not contain key %s", DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey),
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName},
+				Data:       map[string][]byte{},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			var (
+				ctx          = context.TODO()
+				kubeClient   = kubefake.NewSimpleClientset()
+				redisOptions = &redis.Options{}
+			)
+			if tc.secret != nil {
+				if _, err := kubeClient.CoreV1().Secrets(tc.namespace).Create(ctx, tc.secret, metav1.CreateOptions{}); err != nil {
+					t.Fatalf("Failed to create secret: %v", err)
+				}
+			}
+			err := SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClient, tc.namespace, redisOptions)
+			if tc.expectedErr != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedErr)
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tc.expectedPassword, redisOptions.Password)
+		})
+	}
+}
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@ -186,9 +186,9 @@ func NewApplicationController(
 		kubectl:                           kubectl,
 		applicationClientset:              applicationClientset,
 		repoClientset:                     repoClientset,
-		appRefreshQueue:                   workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "app_reconciliation_queue"),
-		appOperationQueue:                 workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "app_operation_processing_queue"),
-		projectRefreshQueue:               workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "project_reconciliation_queue"),
+		appRefreshQueue:                   workqueue.NewRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.RateLimitingQueueConfig{Name: "app_reconciliation_queue"}),
+		appOperationQueue:                 workqueue.NewRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.RateLimitingQueueConfig{Name: "app_operation_processing_queue"}),
+		projectRefreshQueue:               workqueue.NewRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.RateLimitingQueueConfig{Name: "project_reconciliation_queue"}),
 		appComparisonTypeRefreshQueue:     workqueue.NewRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig)),
 		db:                                db,
 		statusRefreshTimeout:              appResyncPeriod,
@ -537,6 +537,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 		warnOrphaned = proj.Spec.OrphanedResources.IsWarn()
 	}
 	ts.AddCheckpoint("get_orphaned_resources_ms")
+	managedResourcesKeys := make([]kube.ResourceKey, 0)
 	for i := range managedResources {
 		managedResource := managedResources[i]
 		delete(orphanedNodesMap, kube.NewResourceKey(managedResource.Group, managedResource.Kind, managedResource.Namespace, managedResource.Name))
@ -562,57 +563,61 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 				},
 			})
 		} else {
-			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) bool {
-				permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) {
-					clusters, err := ctrl.db.GetProjectClusters(context.TODO(), project)
-					if err != nil {
-						return nil, fmt.Errorf("failed to get project clusters: %w", err)
-					}
-					return clusters, nil
-				})
-				if !permitted {
-					return false
-				}
-				nodes = append(nodes, child)
-				return true
-			})
-			if err != nil {
-				return nil, fmt.Errorf("failed to iterate resource hierarchy: %w", err)
-			}
+			managedResourcesKeys = append(managedResourcesKeys, kube.GetResourceKey(live))
 		}
 	}
+	err = ctrl.stateCache.IterateHierarchyV2(a.Spec.Destination.Server, managedResourcesKeys, func(child appv1.ResourceNode, appName string) bool {
+		permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) {
+			clusters, err := ctrl.db.GetProjectClusters(context.TODO(), project)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get project clusters: %w", err)
+			}
+			return clusters, nil
+		})
+		if !permitted {
+			return false
+		}
+		nodes = append(nodes, child)
+		return true
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to iterate resource hierarchy v2: %w", err)
+	}
 	ts.AddCheckpoint("process_managed_resources_ms")
 	orphanedNodes := make([]appv1.ResourceNode, 0)
+	orphanedNodesKeys := make([]kube.ResourceKey, 0)
 	for k := range orphanedNodesMap {
 		if k.Namespace != "" && proj.IsGroupKindPermitted(k.GroupKind(), true) && !isKnownOrphanedResourceExclusion(k, proj) {
-			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, k, func(child appv1.ResourceNode, appName string) bool {
-				belongToAnotherApp := false
-				if appName != "" {
-					appKey := ctrl.toAppKey(appName)
-					if _, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey); exists && err == nil {
-						belongToAnotherApp = true
-					}
-				}
-
-				if belongToAnotherApp {
-					return false
-				}
-
-				permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) {
-					return ctrl.db.GetProjectClusters(context.TODO(), project)
-				})
-
-				if !permitted {
-					return false
-				}
-				orphanedNodes = append(orphanedNodes, child)
-				return true
-			})
-			if err != nil {
-				return nil, err
-			}
+			orphanedNodesKeys = append(orphanedNodesKeys, k)
 		}
 	}
+	err = ctrl.stateCache.IterateHierarchyV2(a.Spec.Destination.Server, orphanedNodesKeys, func(child appv1.ResourceNode, appName string) bool {
+		belongToAnotherApp := false
+		if appName != "" {
+			appKey := ctrl.toAppKey(appName)
+			if _, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey); exists && err == nil {
+				belongToAnotherApp = true
+			}
+		}
+
+		if belongToAnotherApp {
+			return false
+		}
+
+		permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) {
+			return ctrl.db.GetProjectClusters(context.TODO(), project)
+		})
+
+		if !permitted {
+			return false
+		}
+		orphanedNodes = append(orphanedNodes, child)
+		return true
+	})
+	if err != nil {
+		return nil, err
+	}
+
 	var conditions []appv1.ApplicationCondition
 	if len(orphanedNodes) > 0 && warnOrphaned {
 		conditions = []appv1.ApplicationCondition{{
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
@ -193,14 +193,16 @@ func newFakeController(data *fakeData, repoErr error) *ApplicationController {
 	mockStateCache.On("GetNamespaceTopLevelResources", mock.Anything, mock.Anything).Return(response, nil)
 	mockStateCache.On("IterateResources", mock.Anything, mock.Anything).Return(nil)
 	mockStateCache.On("GetClusterCache", mock.Anything).Return(&clusterCacheMock, nil)
-	mockStateCache.On("IterateHierarchy", mock.Anything, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
-		key := args[1].(kube.ResourceKey)
+	mockStateCache.On("IterateHierarchyV2", mock.Anything, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+		keys := args[1].([]kube.ResourceKey)
 		action := args[2].(func(child v1alpha1.ResourceNode, appName string) bool)
-		appName := ""
-		if res, ok := data.namespacedResources[key]; ok {
-			appName = res.AppName
+		for _, key := range keys {
+			appName := ""
+			if res, ok := data.namespacedResources[key]; ok {
+				appName = res.AppName
+			}
+			_ = action(v1alpha1.ResourceNode{ResourceRef: v1alpha1.ResourceRef{Kind: key.Kind, Group: key.Group, Namespace: key.Namespace, Name: key.Name}}, appName)
 		}
-		_ = action(v1alpha1.ResourceNode{ResourceRef: v1alpha1.ResourceRef{Kind: key.Kind, Group: key.Group, Namespace: key.Namespace, Name: key.Name}}, appName)
 	}).Return(nil)
 	return ctrl
 }
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@ -120,6 +120,8 @@ type LiveStateCache interface {
 	GetClusterCache(server string) (clustercache.ClusterCache, error)
 	// Executes give callback against resource specified by the key and all its children
 	IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string) bool) error
+	// Executes give callback against resources specified by the keys and all its children
+	IterateHierarchyV2(server string, keys []kube.ResourceKey, action func(child appv1.ResourceNode, appName string) bool) error
 	// Returns state of live nodes which correspond for target nodes of specified application.
 	GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error)
 	// IterateResources iterates all resource stored in cache
@ -625,6 +627,17 @@ func (c *liveStateCache) IterateHierarchy(server string, key kube.ResourceKey, a
 	return nil
 }

+func (c *liveStateCache) IterateHierarchyV2(server string, keys []kube.ResourceKey, action func(child appv1.ResourceNode, appName string) bool) error {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return err
+	}
+	clusterInfo.IterateHierarchyV2(keys, func(resource *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) bool {
+		return action(asResourceNode(resource), getApp(resource, namespaceResources))
+	})
+	return nil
+}
+
 func (c *liveStateCache) IterateResources(server string, callback func(res *clustercache.Resource, info *ResourceInfo)) error {
 	clusterInfo, err := c.getSyncedCluster(server)
 	if err != nil {
--- a/controller/cache/mocks/LiveStateCache.go
+++ b/controller/cache/mocks/LiveStateCache.go
@ -236,6 +236,24 @@ func (_m *LiveStateCache) IterateHierarchy(server string, key kube.ResourceKey,
 	return r0
 }

+// IterateHierarchyV2 provides a mock function with given fields: server, keys, action
+func (_m *LiveStateCache) IterateHierarchyV2(server string, keys []kube.ResourceKey, action func(v1alpha1.ResourceNode, string) bool) error {
+	ret := _m.Called(server, keys, action)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IterateHierarchyV2")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(string, []kube.ResourceKey, func(v1alpha1.ResourceNode, string) bool) error); ok {
+		r0 = rf(server, keys, action)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
 // IterateResources provides a mock function with given fields: server, callback
 func (_m *LiveStateCache) IterateResources(server string, callback func(*cache.Resource, *controllercache.ResourceInfo)) error {
 	ret := _m.Called(server, callback)
--- a/controller/metrics/metrics_test.go
+++ b/controller/metrics/metrics_test.go
@ -380,7 +380,7 @@ func assertMetricsNotPrinted(t *testing.T, expectedLines, body string) {
 		if line == "" {
 			continue
 		}
-		assert.False(t, strings.Contains(body, expectedLines))
+		assert.NotContains(t, body, expectedLines)
 	}
 }

--- a/docs/developer-guide/extensions/proxy-extensions.md
+++ b/docs/developer-guide/extensions/proxy-extensions.md
@ -264,6 +264,10 @@ Note that additional pre-configured headers can be added to outgoing
 request. See [backend service headers](#extensionsbackendservicesheaders-list)
 section for more details.

+#### `Argocd-Username`
+
+Will be populated with the username logged in Argo CD.
+
 ### Multi Backend Use-Case

 In some cases when Argo CD is configured to sync with multiple remote
--- a/docs/developer-guide/release-process-and-cadence.md
+++ b/docs/developer-guide/release-process-and-cadence.md
@ -14,7 +14,10 @@ These are the upcoming releases dates:
 | v2.9    | Monday, Sep. 18, 2023 | Monday, Nov. 6, 2023 | [Leonardo Almeida](https://github.com/leoluz)         | [Leonardo Almeida](https://github.com/leoluz)         | [checklist](https://github.com/argoproj/argo-cd/issues/14078) |
 | v2.10   | Monday, Dec. 18, 2023 | Monday, Feb. 5, 2024 | [Katie Lamkin](https://github.com/kmlamkin9)          |                                                       | [checklist](https://github.com/argoproj/argo-cd/issues/16339) |
 | v2.11   | Friday, Apr. 5,  2024 | Monday, May 6, 2024  | [Pavel Kostohrys](https://github.com/pasha-codefresh) | [Pavel Kostohrys](https://github.com/pasha-codefresh) | [checklist](https://github.com/argoproj/argo-cd/issues/17726) |
-| v2.12   | Monday, Jun. 17, 2024 | Monday, Aug. 5, 2024 | 
+| v2.12   | Monday, Jun. 17, 2024 | Monday, Aug. 5, 2024 | [Ishita Sequeira](https://github.com/ishitasequeira) | [Pavel Kostohrys](https://github.com/pasha-codefresh) | [checklist](https://github.com/argoproj/argo-cd/issues/19063) |
+| v2.13   | Monday, Sep. 16, 2024 | Monday, Nov. 4, 2024 | | | |
+| v2.14   | Monday, Dec. 16, 2024 | Monday, Feb. 3, 2025 | | | |
+| v2.15   | Monday, Mar. 17, 2025 | Monday, May 5, 2025 | | | |

 Actual release dates might differ from the plan by a few days.

--- a/docs/operator-manual/argocd-cmd-params-cm.yaml
+++ b/docs/operator-manual/argocd-cmd-params-cm.yaml
@ -190,8 +190,16 @@ data:
  ## ApplicationSet Controller Properties
  # Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
  applicationsetcontroller.enable.leader.election: "false"
-  # "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion), 'create-delete' (no update)"
-  applicationsetcontroller.policy: "sync"
+  # "Modify how application is synced between the generator and the cluster. Default is '' (empty), which means AppSets
+  # will default to the 'sync' policy (create & update & delete). Explicitly setting the value prevents AppSet-level
+  # policy overrides unless overrides are explicitly enabled (see option below). Explicit options are:
+  # 'create-only', 'create-update' (no deletion), 'create-delete' (no update)"
+  applicationsetcontroller.policy: ""
+  # If applicationsetcontroller.policy is empty, this flag has no effect. If applicationsetcontroller.policy is set,
+  # this flag controls whether the policy set in the controller can be overridden by the ApplicationSet resource
+  # (i.e. the spec.syncPlicy.applicationSync field). Set it to "true" to allow overrides. "" or "false" will disable
+  # overrides. (default "")
+  applicationsetcontroller.enable.policy.override: ""
  # Print debug logs. Takes precedence over loglevel
  applicationsetcontroller.debug: "false"
  # Set the logging format. One of: text|json (default "text")
--- a/docs/operator-manual/cluster-bootstrapping.md
+++ b/docs/operator-manual/cluster-bootstrapping.md
@ -119,4 +119,29 @@ metadata:
  - resources-finalizer.argocd.argoproj.io
 spec:
 ...
-``` 
+```
+
+### Ignoring differences in child applications
+
+To allow changes in child apps without triggering an out-of-sync status, or modification for debugging etc, the app of apps pattern works with [diff customization](../user-guide/diffing/). The example below shows how to ignore changes to syncPolicy and other common values.
+
+```yaml
+spec:
+  ...
+  syncPolicy:
+    ...
+    syncOptions:
+      - RespectIgnoreDifferences=true
+    ...
+  ignoreDifferences:
+    - group: "*"
+      kind: "Application"
+      namespace: "*"
+      jsonPointers:
+        # Allow manually disabling auto sync for apps, useful for debugging.
+        - /spec/syncPolicy/automated
+        # These are automatically updated on a regular basis. Not ignoring last applied configuration since it's used for computing diffs after normalization.
+        - /metadata/annotations/argocd.argoproj.io~1refresh
+        - /operation
+  ...
+```
--- a/docs/operator-manual/upgrading/2.12-2.13.md
+++ b/docs/operator-manual/upgrading/2.12-2.13.md
@ -0,0 +1,47 @@
+# v2.12 to 2.13
+
+## Custom Resource Actions for Flux Resources
+
+[`Custom Resource Actions`](../resource_actions.md#Custom-Resource-Actions) have been added for Flux Resources.  
+The following actions are now available:
+
+| Custom Resource       | Supported Actions                |
+|-----------------------|----------------------------------|
+| HelmRelease           | `Suspend`, `Resume`, `Reconcile` |
+| ImageRepository       | `Suspend`, `Resume`, `Reconcile` |
+| ImageUpdateAutomation | `Suspend`, `Resume`, `Reconcile` |
+| Kustomziation         | `Suspend`, `Resume`, `Reconcile` |
+| Alert                 | `Suspend`, `Resume`              |
+| Provider              | `Suspend`, `Resume`              |
+| Receiver              | `Suspend`, `Resume`, `Reconcile` |
+| Bucket                | `Suspend`, `Resume`, `Reconcile` |
+| GitRepository         | `Suspend`, `Resume`, `Reconcile` |
+| HelmChart             | `Suspend`, `Resume`, `Reconcile` |
+| HelmRepository        | `Suspend`, `Resume`, `Reconcile` |
+| OCIRepository         | `Suspend`, `Resume`, `Reconcile` |
+
+If you want to use these actions do not forget to update the permissions (RBAC) for your Argo CD instance.
+
+## Custom Resource Health for Flux Resources
+
+[`Custom Resource Health`](../health.md#custom-health-checks) has been added for Flux Resources.  
+The following Flux resources now support health checks:
+- HelmRelease
+- ImagePolicy
+- ImageRepository
+- ImageUpdateAutomation
+- Kustomization
+- Receiver
+- Bucket
+- GitRepository
+- HelmChart
+- HelmRepository
+- OCIRepository
+
+## Upgraded Dex Version
+
+Dex [v2.39.0](https://github.com/dexidp/dex/releases/tag/v2.39.0) included a breaking change for the LDAP connector:
+
+> The validation of username and password in the LDAP connector is much more strict now.
+> As of today, Dex uses the EscapeFilter function to check for special characters in credentials and prevent injections by denying such requests.
+
--- a/docs/operator-manual/upgrading/overview.md
+++ b/docs/operator-manual/upgrading/overview.md
@ -37,6 +37,7 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/<v

 <hr/>

+* [v2.12 to v2.13](./2.12-2.13.md)
 * [v2.11 to v2.12](./2.11-2.12.md)
 * [v2.10 to v2.11](./2.10-2.11.md)
 * [v2.9 to v2.10](./2.9-2.10.md)
--- a/docs/snyk/index.md
+++ b/docs/snyk/index.md
@ -27,12 +27,12 @@ recent minor releases.

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.12.0-rc3/argocd-test.html) | 0 | 0 | 7 | 0 |
+| [go.mod](v2.12.0-rc3/argocd-test.html) | 0 | 0 | 8 | 0 |
 | [ui/yarn.lock](v2.12.0-rc3/argocd-test.html) | 0 | 0 | 1 | 0 |
 | [dex:v2.38.0](v2.12.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 5 |
 | [haproxy:2.6.17-alpine](v2.12.0-rc3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 2 |
 | [redis:7.0.15-alpine](v2.12.0-rc3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [argocd:v2.12.0-rc3](v2.12.0-rc3/quay.io_argoproj_argocd_v2.12.0-rc3.html) | 0 | 0 | 3 | 11 |
+| [argocd:v2.12.0-rc3](v2.12.0-rc3/quay.io_argoproj_argocd_v2.12.0-rc3.html) | 0 | 0 | 4 | 11 |
 | [redis:7.0.15-alpine](v2.12.0-rc3/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
 | [install.yaml](v2.12.0-rc3/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](v2.12.0-rc3/argocd-iac-namespace-install.html) | - | - | - | - |
@ -41,7 +41,7 @@ recent minor releases.

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.11.4/argocd-test.html) | 0 | 1 | 8 | 0 |
+| [go.mod](v2.11.4/argocd-test.html) | 0 | 1 | 9 | 0 |
 | [ui/yarn.lock](v2.11.4/argocd-test.html) | 0 | 0 | 1 | 0 |
 | [dex:v2.38.0](v2.11.4/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 5 |
 | [haproxy:2.6.14-alpine](v2.11.4/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 5 |
@ -54,7 +54,7 @@ recent minor releases.

 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.10.13/argocd-test.html) | 0 | 1 | 9 | 0 |
+| [go.mod](v2.10.13/argocd-test.html) | 0 | 1 | 10 | 0 |
 | [ui/yarn.lock](v2.10.13/argocd-test.html) | 0 | 0 | 1 | 0 |
 | [dex:v2.37.0](v2.10.13/ghcr.io_dexidp_dex_v2.37.0.html) | 1 | 1 | 10 | 5 |
 | [haproxy:2.6.14-alpine](v2.10.13/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 5 |
--- a/docs/snyk/master/argocd-iac-install.html
+++ b/docs/snyk/master/argocd-iac-install.html
--- a/docs/snyk/master/argocd-iac-namespace-install.html
+++ b/docs/snyk/master/argocd-iac-namespace-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:18:51 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:09 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/master/argocd-test.html
+++ b/docs/snyk/master/argocd-test.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:16:37 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:17:03 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
--- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html
+++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.38.0.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:16:45 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:17:10 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -3665,6 +3665,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
+++ b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:16:53 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:17:15 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
@ -1100,6 +1100,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
+++ b/docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:16:58 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:17:21 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html
+++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:17:17 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:17:38 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -902,7 +902,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.4
                                         <span class="list-paths__item__arrow">›</span> 
                                        krb5/libgssapi-krb5-2@1.20.1-6ubuntu2
                                        
@ -1619,7 +1619,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.4
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3t64@3.0.13-0ubuntu3.1
                                        
@ -1835,7 +1835,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.4
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3t64@3.0.13-0ubuntu3.1
                                        
@ -2059,7 +2059,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.4
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3t64@3.0.13-0ubuntu3.1
                                        
@ -2308,7 +2308,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.4
                                         <span class="list-paths__item__arrow">›</span> 
                                        krb5/libgssapi-krb5-2@1.20.1-6ubuntu2
                                        
@ -2516,7 +2516,7 @@
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|quay.io/argoproj/argocd@latest
                                         <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.4
                                         <span class="list-paths__item__arrow">›</span> 
                                        krb5/libgssapi-krb5-2@1.20.1-6ubuntu2
                                        
--- a/docs/snyk/master/redis_7.0.15-alpine.html
+++ b/docs/snyk/master/redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:17:22 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:17:42 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.10.13/argocd-iac-install.html
+++ b/docs/snyk/v2.10.13/argocd-iac-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:25:46 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:25:30 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.10.13/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.10.13/argocd-iac-namespace-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:25:56 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:25:38 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.10.13/argocd-test.html
+++ b/docs/snyk/v2.10.13/argocd-test.html
@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="11 known vulnerabilities found in 183 vulnerable dependency paths.">
+  <meta name="description" content="12 known vulnerabilities found in 184 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:23:50 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:23:39 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -467,8 +467,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>11</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>183 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>12</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>184 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2042</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@ -3416,6 +3416,118 @@
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMWHILPGITURLS-6069811">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v2.10.13/ghcr.io_dexidp_dex_v2.37.0.html
+++ b/docs/snyk/v2.10.13/ghcr.io_dexidp_dex_v2.37.0.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:23:59 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:23:45 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -5452,6 +5452,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.10.13/haproxy_2.6.14-alpine.html
+++ b/docs/snyk/v2.10.13/haproxy_2.6.14-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:24:03 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:23:48 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
@ -2399,6 +2399,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.10.13/quay.io_argoproj_argocd_v2.10.13.html
+++ b/docs/snyk/v2.10.13/quay.io_argoproj_argocd_v2.10.13.html
@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="31 known vulnerabilities found in 189 vulnerable dependency paths.">
+  <meta name="description" content="32 known vulnerabilities found in 190 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:24:22 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:24:05 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -470,8 +470,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>31</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>189 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>32</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>190 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2278</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@ -1129,6 +1129,116 @@
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v2.10.13/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@* and github.com/rs/cors@v1.9.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@v1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v2.10.13/redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.10.13/redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:24:27 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:24:10 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.11.4/argocd-iac-install.html
+++ b/docs/snyk/v2.11.4/argocd-iac-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:23:30 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:23:21 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.11.4/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.11.4/argocd-iac-namespace-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:23:38 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:23:30 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.11.4/argocd-test.html
+++ b/docs/snyk/v2.11.4/argocd-test.html
@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="10 known vulnerabilities found in 177 vulnerable dependency paths.">
+  <meta name="description" content="11 known vulnerabilities found in 178 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:21:32 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:21:28 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -467,8 +467,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>10</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>177 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>11</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>178 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2041</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@ -3201,6 +3201,118 @@
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v2.11.4/ghcr.io_dexidp_dex_v2.38.0.html
+++ b/docs/snyk/v2.11.4/ghcr.io_dexidp_dex_v2.38.0.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:21:39 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:21:33 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -3665,6 +3665,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.11.4/haproxy_2.6.14-alpine.html
+++ b/docs/snyk/v2.11.4/haproxy_2.6.14-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:21:46 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:21:39 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
@ -2399,6 +2399,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.11.4/quay.io_argoproj_argocd_v2.11.4.html
+++ b/docs/snyk/v2.11.4/quay.io_argoproj_argocd_v2.11.4.html
@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="31 known vulnerabilities found in 189 vulnerable dependency paths.">
+  <meta name="description" content="32 known vulnerabilities found in 190 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:22:06 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:21:57 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -470,8 +470,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>31</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>189 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>32</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>190 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2280</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@ -1129,6 +1129,116 @@
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v2.11.4/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@* and github.com/rs/cors@v1.9.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@v1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v2.11.4/redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.11.4/redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:22:10 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:22:03 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.12.0-rc3/argocd-iac-install.html
+++ b/docs/snyk/v2.12.0-rc3/argocd-iac-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:21:07 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:21:07 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.12.0-rc3/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.12.0-rc3/argocd-iac-namespace-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:21:17 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:21:15 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.12.0-rc3/argocd-test.html
+++ b/docs/snyk/v2.12.0-rc3/argocd-test.html
@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="8 known vulnerabilities found in 26 vulnerable dependency paths.">
+  <meta name="description" content="9 known vulnerabilities found in 27 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:19:02 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:18 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -467,8 +467,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>8</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>26 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>9</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>27 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2059</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@ -538,6 +538,118 @@
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v2.12.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html
+++ b/docs/snyk/v2.12.0-rc3/ghcr.io_dexidp_dex_v2.38.0.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:19:07 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:24 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -3665,6 +3665,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.12.0-rc3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
+++ b/docs/snyk/v2.12.0-rc3/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:19:13 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:27 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
@ -1100,6 +1100,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.12.0-rc3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.12.0-rc3/public.ecr.aws_docker_library_redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:19:17 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:30 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.12.0-rc3/quay.io_argoproj_argocd_v2.12.0-rc3.html
+++ b/docs/snyk/v2.12.0-rc3/quay.io_argoproj_argocd_v2.12.0-rc3.html
@ -7,7 +7,7 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
-  <meta name="description" content="21 known vulnerabilities found in 98 vulnerable dependency paths.">
+  <meta name="description" content="23 known vulnerabilities found in 100 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:19:42 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:45 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -470,8 +470,8 @@
              </div>
    
              <div class="meta-counts">
-                <div class="meta-count"><span>21</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>98 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>100 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>2290</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
@ -600,6 +600,80 @@
                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-XZUTILS-6714568">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">CVE-2024-39894</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v2.12.0-rc3/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: ubuntu:24.04
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            openssh/openssh-client
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                docker-image|quay.io/argoproj/argocd@v2.12.0-rc3 and openssh/openssh-client@1:9.6p1-3ubuntu13.3
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        docker-image|quay.io/argoproj/argocd@v2.12.0-rc3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        openssh/openssh-client@1:9.6p1-3ubuntu13.3
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="nvd-description">NVD Description</h2>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
+        <p>OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>Ubuntu:24.04</code> <code>openssh</code> to version 1:9.6p1-3ubuntu13.4 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-39894">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-39894</a></li>
+        <li><a href="https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html">https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html</a></li>
+        <li><a href="https://www.openssh.com/txt/release-9.8">https://www.openssh.com/txt/release-9.8</a></li>
+        <li><a href="https://www.openwall.com/lists/oss-security/2024/07/02/1">https://www.openwall.com/lists/oss-security/2024/07/02/1</a></li>
+        <li><a href="http://www.openwall.com/lists/oss-security/2024/07/03/6">http://www.openwall.com/lists/oss-security/2024/07/03/6</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0004/">https://security.netapp.com/advisory/ntap-20240712-0004/</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-OPENSSH-7417684">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Information Exposure</h2>
@ -1031,6 +1105,116 @@
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
            </div>
        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v2.12.0-rc3/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@* and github.com/rs/cors@v1.9.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@v1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
--- a/docs/snyk/v2.12.0-rc3/redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.12.0-rc3/redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:19:47 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:19:49 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.9.18/argocd-iac-install.html
+++ b/docs/snyk/v2.9.18/argocd-iac-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:28:09 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:27:42 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.9.18/argocd-iac-namespace-install.html
+++ b/docs/snyk/v2.9.18/argocd-iac-namespace-install.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:28:19 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:27:50 am (UTC+00:00)</p>
              </div>
                <div class="source-panel">
                  <span>Scanned the following path:</span>
--- a/docs/snyk/v2.9.18/argocd-test.html
+++ b/docs/snyk/v2.9.18/argocd-test.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:26:19 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:25:55 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
--- a/docs/snyk/v2.9.18/ghcr.io_dexidp_dex_v2.37.0.html
+++ b/docs/snyk/v2.9.18/ghcr.io_dexidp_dex_v2.37.0.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:26:25 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:26:03 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -5452,6 +5452,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.9.18/haproxy_2.6.14-alpine.html
+++ b/docs/snyk/v2.9.18/haproxy_2.6.14-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:26:29 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:26:06 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following path:</span>
@ -2399,6 +2399,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/docs/snyk/v2.9.18/quay.io_argoproj_argocd_v2.9.18.html
+++ b/docs/snyk/v2.9.18/quay.io_argoproj_argocd_v2.9.18.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:26:48 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:26:24 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
--- a/docs/snyk/v2.9.18/redis_7.0.15-alpine.html
+++ b/docs/snyk/v2.9.18/redis_7.0.15-alpine.html
@ -456,7 +456,7 @@
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
-                <p class="timestamp">July 7th 2024, 12:26:52 am (UTC+00:00)</p>
+                <p class="timestamp">July 14th 2024, 12:26:28 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
@ -684,6 +684,7 @@
        <li><a href="https://www.openssl.org/news/secadv/20240627.txt">https://www.openssl.org/news/secadv/20240627.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/27/1">http://www.openwall.com/lists/oss-security/2024/06/27/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/06/28/4">http://www.openwall.com/lists/oss-security/2024/06/28/4</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20240712-0005/">https://security.netapp.com/advisory/ntap-20240712-0005/</a></li>
        </ul>
        
              <hr/>
--- a/go.mod
+++ b/go.mod
@ -10,7 +10,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.33.0
 	github.com/antonmedv/expr v1.15.2
-	github.com/argoproj/gitops-engine v0.7.1-0.20240628155502-fa0e8d60a3a4
+	github.com/argoproj/gitops-engine v0.7.1-0.20240718175351-6b2984ebc470
 	github.com/argoproj/notifications-engine v0.4.1-0.20240606074338-0802cd427621
 	github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
 	github.com/aws/aws-sdk-go v1.50.8
@ -247,7 +247,7 @@ require (
 	github.com/opsgenie/opsgenie-go-sdk-v2 v1.0.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.5.0
 	github.com/prometheus/common v0.45.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -694,8 +694,8 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20240628155502-fa0e8d60a3a4 h1:xctch+EYCzsz012kNrdK3eRALf+/ZLhWJAWG0xfxpl8=
-github.com/argoproj/gitops-engine v0.7.1-0.20240628155502-fa0e8d60a3a4/go.mod h1:xMIbuLg9Qj2e0egTy+8NcukbhRaVmWwK9vm3aAQZoi4=
+github.com/argoproj/gitops-engine v0.7.1-0.20240718175351-6b2984ebc470 h1:RUo6je4n+FgNEkGsONhwxUtT67YqyEtrvMNd+t8pKSo=
+github.com/argoproj/gitops-engine v0.7.1-0.20240718175351-6b2984ebc470/go.mod h1:xMIbuLg9Qj2e0egTy+8NcukbhRaVmWwK9vm3aAQZoi4=
 github.com/argoproj/notifications-engine v0.4.1-0.20240606074338-0802cd427621 h1:Yg1nt+D2uDK1SL2jSlfukA4yc7db184TTN7iWy3voRE=
 github.com/argoproj/notifications-engine v0.4.1-0.20240606074338-0802cd427621/go.mod h1:N0A4sEws2soZjEpY4hgZpQS8mRIEw6otzwfkgc3g9uQ=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=
--- a/manifests/base/dex/argocd-dex-server-deployment.yaml
+++ b/manifests/base/dex/argocd-dex-server-deployment.yaml
@ -37,7 +37,7 @@ spec:
            type: RuntimeDefault
      containers:
      - name: dex
-        image: ghcr.io/dexidp/dex:v2.38.0
+        image: ghcr.io/dexidp/dex:v2.40.0
        imagePullPolicy: Always
        command: [/shared/argocd-dex, rundex]
        env:
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@ -22801,7 +22801,7 @@ spec:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
-        image: ghcr.io/dexidp/dex:v2.38.0
+        image: ghcr.io/dexidp/dex:v2.40.0
        imagePullPolicy: Always
        name: dex
        ports:
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@ -1788,7 +1788,7 @@ spec:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
-        image: ghcr.io/dexidp/dex:v2.38.0
+        image: ghcr.io/dexidp/dex:v2.40.0
        imagePullPolicy: Always
        name: dex
        ports:
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@ -21918,7 +21918,7 @@ spec:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
-        image: ghcr.io/dexidp/dex:v2.38.0
+        image: ghcr.io/dexidp/dex:v2.40.0
        imagePullPolicy: Always
        name: dex
        ports:
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@ -905,7 +905,7 @@ spec:
              key: dexserver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
-        image: ghcr.io/dexidp/dex:v2.38.0
+        image: ghcr.io/dexidp/dex:v2.40.0
        imagePullPolicy: Always
        name: dex
        ports:
--- a/pkg/apis/application/v1alpha1/types_test.go
+++ b/pkg/apis/application/v1alpha1/types_test.go
@ -7,7 +7,6 @@ import (
 	"os"
 	"path"
 	"reflect"
-	"strings"
 	"testing"
 	"time"

@ -443,7 +442,7 @@ func TestAppProject_IsDestinationPermitted_PermitOnlyProjectScopedClusters(t *te
 		return nil, errors.New("some error")
 	})
 	require.Error(t, err)
-	assert.True(t, strings.Contains(err.Error(), "could not retrieve project clusters"))
+	assert.Contains(t, err.Error(), "could not retrieve project clusters")
 }

 func TestAppProject_IsGroupKindPermitted(t *testing.T) {
--- a/reposerver/cache/cache_test.go
+++ b/reposerver/cache/cache_test.go
@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 	"testing"
 	"time"

@ -337,7 +336,7 @@ func TestCachedManifestResponse_ShallowCopyExpectedFields(t *testing.T) {
 	// go do that first :)

 	for _, expectedField := range expectedFields {
-		assert.Truef(t, strings.Contains(string(str), "\""+expectedField+"\""), "Missing field: %s", expectedField)
+		assert.Containsf(t, string(str), "\""+expectedField+"\"", "Missing field: %s", expectedField)
 	}
 }

--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@ -340,7 +340,7 @@ func TestGenerateManifests_EmptyCache(t *testing.T) {

 	res, err := service.GenerateManifest(context.Background(), &q)
 	require.NoError(t, err)
-	assert.Positive(t, len(res.Manifests))
+	assert.NotEmpty(t, res.Manifests)
 	mockCache.mockCache.AssertCacheCalledTimes(t, &repositorymocks.CacheCallCounts{
 		ExternalSets:    2,
 		ExternalGets:    2,
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/action_test.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/action_test.yaml
@ -0,0 +1,35 @@
+discoveryTests:
+- inputPath: testdata/initial_helmrelease.yaml
+  result:
+    - name: reconcile
+      disabled: false
+    - name: suspend
+      disabled: false
+    - name: resume
+      disabled: true
+- inputPath: testdata/suspended_helmrelease.yaml
+  result:
+    - name: reconcile
+      disabled: true
+    - name: suspend
+      disabled: true
+    - name: resume
+      disabled: false
+- inputPath: testdata/resumed_helmrelease.yaml
+  result:
+    - name: reconcile
+      disabled: false
+    - name: suspend
+      disabled: false
+    - name: resume
+      disabled: true
+actionTests:
+- action: reconcile
+  inputPath: testdata/initial_helmrelease.yaml
+  expectedOutputPath: testdata/reconciled_helmrelease.yaml
+- action: suspend
+  inputPath: testdata/initial_helmrelease.yaml
+  expectedOutputPath: testdata/suspended_helmrelease.yaml
+- action: resume
+  inputPath: testdata/suspended_helmrelease.yaml
+  expectedOutputPath: testdata/resumed_helmrelease.yaml
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/discovery.lua
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/discovery.lua
@ -0,0 +1,18 @@
+local actions = {}
+
+actions["reconcile"] = {["disabled"] = true}
+actions["suspend"] = {["disabled"] = true}
+actions["resume"] = {["disabled"] = true}
+
+local suspend = false
+if obj.spec.suspend ~= nil then
+    suspend = obj.spec.suspend
+end
+if suspend then
+    actions["resume"]["disabled"] = false
+else
+    actions["reconcile"]["disabled"] = false
+    actions["suspend"]["disabled"] = false
+end
+
+return actions
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/reconcile/action.lua
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/reconcile/action.lua
@ -0,0 +1,7 @@
+local os = require("os")
+if obj.metadata.annotations == nil then
+    obj.metadata.annotations = {}
+end
+obj.metadata.annotations["reconcile.fluxcd.io/requestedAt"] = "By Argo CD at: " .. os.date("!%Y-%m-%dT%X")
+
+return obj
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/resume/action.lua
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/resume/action.lua
@ -0,0 +1,5 @@
+if obj.spec.suspend ~= nil and obj.spec.suspend then
+    obj.spec.suspend = false
+end
+
+return obj
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/suspend/action.lua
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/suspend/action.lua
@ -0,0 +1,3 @@
+obj.spec.suspend = true
+
+return obj
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/initial_helmrelease.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/initial_helmrelease.yaml
@ -0,0 +1,33 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/reconciled_helmrelease.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/reconciled_helmrelease.yaml
@ -0,0 +1,35 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+  annotations:
+    reconcile.fluxcd.io/requestedAt: 'By Argo CD at: 0001-01-01T00:00:00'
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/resumed_helmrelease.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/resumed_helmrelease.yaml
@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  suspend: false
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/suspended_helmrelease.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/actions/testdata/suspended_helmrelease.yaml
@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  suspend: true
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/health.lua
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/health.lua
@ -0,0 +1,40 @@
+local hs = {}
+if obj.status ~= nil then
+  if obj.status.conditions ~= nil then
+    local numProgressing = 0
+    local numSucceeded = 0
+    local message = ""
+    for _, condition in ipairs(obj.status.conditions) do
+      if condition.type == "Ready" then
+        if condition.status == "True" then
+          numSucceeded = numSucceeded + 1
+        elseif condition.status == "Unknown" then
+          numProgressing = numProgressing + 1
+        end
+        message = condition.reason
+      elseif condition.type == "Reconciling" and condition.status == "True" then
+        numProgressing = numProgressing + 1
+      elseif condition.type == "Released" or condition.type == "TestSuccess" then
+        if condition.status == "True" then
+          numSucceeded = numSucceeded + 1
+        end
+      end
+    end
+    if(numProgressing == 2) then
+      hs.message = message
+      hs.status = "Progressing"
+      return hs
+    elseif(numSucceeded == 2) then
+      hs.message = message
+      hs.status = "Healthy"
+      return hs
+    else
+      hs.message = message
+      hs.status = "Degraded"
+      return hs
+    end
+  end
+end
+hs.message = "Status unknown"
+hs.status = "Progressing"
+return hs
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/health_test.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/health_test.yaml
@ -0,0 +1,13 @@
+tests:
+  - healthStatus:
+      status: Progressing
+      message: Progressing
+    inputPath: testdata/progressing.yaml
+  - healthStatus:
+      status: Degraded
+      message: RollbackSucceeded
+    inputPath: testdata/degraded.yaml
+  - healthStatus:
+      status: Healthy
+      message: InstallSucceeded
+    inputPath: testdata/healthy.yaml
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/testdata/degraded.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/testdata/degraded.yaml
@ -0,0 +1,70 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
+status:
+  conditions:
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Helm rollback to previous release default/podinfo.v24 with
+      chart podinfo@6.5.4 succeeded
+    observedGeneration: 5
+    reason: ProgressingWithRetry
+    status: "True"
+    type: Reconciling
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Helm rollback to previous release default/podinfo.v24 with
+      chart podinfo@6.5.4 succeeded
+    observedGeneration: 5
+    reason: RollbackSucceeded
+    status: "False"
+    type: Ready
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: "Helm upgrade failed for release default/podinfo with chart
+      podinfo@6.5.4: cannot patch \"podinfo\" with kind Deployment: admission webhook
+      \"validate.kyverno.svc-fail\" denied the request: \n\nresource Deployment/default/podinfo
+      was blocked due to the following policies \n\ndisallow-privilege-escalation:\n
+      \ autogen-privilege-escalation: 'validation error: Privilege escalation is disallowed.\n
+      \   The fields spec.containers[*].securityContext.allowPrivilegeEscalation,
+      spec.initContainers[*].securityContext.allowPrivilegeEscalation,\n    and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
+      must\n    be set to `false`. rule autogen-privilege-escalation failed at path
+      /spec/template/spec/containers/0/securityContext/allowPrivilegeEscalation/'"
+    observedGeneration: 5
+    reason: UpgradeFailed
+    status: "False"
+    type: Released
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Helm rollback to previous release default/podinfo.v24 with
+      chart podinfo@6.5.4 succeeded
+    observedGeneration: 5
+    reason: RollbackSucceeded
+    status: "True"
+    type: Remediated
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/testdata/healthy.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/testdata/healthy.yaml
@ -0,0 +1,49 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
+status:
+  conditions:
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Helm install succeeded for release default/podinfo.v1 with
+      chart podinfo@6.5.4
+    observedGeneration: 2
+    reason: InstallSucceeded
+    status: "True"
+    type: Ready
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Helm install succeeded for release default/podinfo.v1 with
+      chart podinfo@6.5.4
+    observedGeneration: 1
+    reason: InstallSucceeded
+    status: "True"
+    type: Released
--- a/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/testdata/progressing.yaml
+++ b/resource_customizations/helm.toolkit.fluxcd.io/HelmRelease/testdata/progressing.yaml
@ -0,0 +1,54 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 5m
+  chart:
+    spec:
+      chart: podinfo
+      version: '6.5.*'
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+      interval: 5m
+  releaseName: podinfo
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  test:
+    enable: true
+  driftDetection:
+    mode: enabled
+    ignore:
+    - paths: ["/spec/replicas"]
+      target:
+        kind: Deployment
+  values:
+    replicaCount: 2
+status:
+  conditions:
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Running 'upgrade' action with timeout of 5m0s
+    observedGeneration: 3
+    reason: Progressing
+    status: "True"
+    type: Reconciling
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Running 'upgrade' action with timeout of 5m0s
+    observedGeneration: 3
+    reason: Progressing
+    status: Unknown
+    type: Ready
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Helm install succeeded for release default/podinfo.v1 with
+      chart podinfo@6.5.4
+    observedGeneration: 1
+    reason: InstallSucceeded
+    status: "True"
+    type: Released
--- a/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/health.lua
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/health.lua
@ -0,0 +1,38 @@
+local hs = {}
+if obj.status ~= nil then
+  if obj.status.conditions ~= nil then
+    local numProgressing = 0
+    local numSucceeded = 0
+    local message = ""
+    for _, condition in ipairs(obj.status.conditions) do
+      if condition.type == "Ready" then
+        if condition.status == "True" then
+          numSucceeded = numSucceeded + 1
+        elseif condition.status == "False" then
+          numProgressing = numProgressing + 1
+        end
+        message = condition.reason
+      elseif condition.type == "Reconciling" and condition.status == "True" then
+        if condition.reason == "NewGeneration" or condition.reason == "AccessingRepository" or condition.reason == "ApplyingPolicy" then
+          numProgressing = numProgressing + 1
+        end
+      end
+    end
+    if(numProgressing == 2) then
+      hs.message = message
+      hs.status = "Progressing"
+      return hs
+    elseif(numSucceeded == 1) then
+      hs.message = message
+      hs.status = "Healthy"
+      return hs
+    else
+      hs.message = message
+      hs.status = "Degraded"
+      return hs
+    end
+  end
+end
+hs.message = "Status unknown"
+hs.status = "Progressing"
+return hs
--- a/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/health_test.yaml
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/health_test.yaml
@ -0,0 +1,13 @@
+tests:
+  # - healthStatus:
+  #     status: Progressing
+  #     message: DependencyNotReady
+  #   inputPath: testdata/progressing.yaml
+  - healthStatus:
+      status: Degraded
+      message: DependencyNotReady
+    inputPath: testdata/degraded.yaml
+  - healthStatus:
+      status: Healthy
+      message: Succeeded
+    inputPath: testdata/healthy.yaml
--- a/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/testdata/degraded.yaml
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/testdata/degraded.yaml
@ -0,0 +1,26 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: podinfo
+  namespace: argocd
+spec:
+  imageRepositoryRef:
+    name: podinfo-faulty
+  policy:
+    semver:
+      range: x.x.x
+status:
+  conditions:
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: 'processing object: new generation 1 -> 2'
+    observedGeneration: 2
+    reason: ProgressingWithRetry
+    status: "True"
+    type: Reconciling
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: 'failed to get the referred ImageRepository: referenced ImageRepository
+      does not exist: ImageRepository.image.toolkit.fluxcd.io "podinfo-faulty" not found'
+    observedGeneration: 2
+    reason: DependencyNotReady
+    status: "False"
+    type: Ready
--- a/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/testdata/healthy.yaml
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/testdata/healthy.yaml
@ -0,0 +1,19 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: podinfo
+  namespace: argocd
+spec:
+  imageRepositoryRef:
+    name: podinfo
+  policy:
+    semver:
+      range: x.x.x
+status:
+  conditions:
+  - lastTransitionTime: "2024-07-16T12:00:00Z"
+    message: Latest image tag for 'stefanprodan/podinfo' resolved to 5.1.4
+    observedGeneration: 1
+    reason: Succeeded
+    status: "True"
+    type: Ready
--- a/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/testdata/progressing.yaml
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImagePolicy/testdata/progressing.yaml
@ -0,0 +1,13 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: podinfo
+  namespace: argocd
+spec:
+  imageRepositoryRef:
+    name: podinfo
+  policy:
+    semver:
+      range: x.x.x
+status:
+  conditions: []
--- a/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/action_test.yaml
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/action_test.yaml
@ -0,0 +1,35 @@
+discoveryTests:
+- inputPath: testdata/initial_imagerepository.yaml
+  result:
+    - name: reconcile
+      disabled: false
+    - name: suspend
+      disabled: false
+    - name: resume
+      disabled: true
+- inputPath: testdata/suspended_imagerepository.yaml
+  result:
+    - name: reconcile
+      disabled: true
+    - name: suspend
+      disabled: true
+    - name: resume
+      disabled: false
+- inputPath: testdata/resumed_imagerepository.yaml
+  result:
+    - name: reconcile
+      disabled: false
+    - name: suspend
+      disabled: false
+    - name: resume
+      disabled: true
+actionTests:
+- action: reconcile
+  inputPath: testdata/initial_imagerepository.yaml
+  expectedOutputPath: testdata/reconciled_imagerepository.yaml
+- action: suspend
+  inputPath: testdata/initial_imagerepository.yaml
+  expectedOutputPath: testdata/suspended_imagerepository.yaml
+- action: resume
+  inputPath: testdata/suspended_imagerepository.yaml
+  expectedOutputPath: testdata/resumed_imagerepository.yaml
--- a/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/discovery.lua
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/discovery.lua
@ -0,0 +1,18 @@
+local actions = {}
+
+actions["reconcile"] = {["disabled"] = true}
+actions["suspend"] = {["disabled"] = true}
+actions["resume"] = {["disabled"] = true}
+
+local suspend = false
+if obj.spec.suspend ~= nil then
+    suspend = obj.spec.suspend
+end
+if suspend then
+    actions["resume"]["disabled"] = false
+else
+    actions["reconcile"]["disabled"] = false
+    actions["suspend"]["disabled"] = false
+end
+
+return actions
--- a/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/reconcile/action.lua
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/reconcile/action.lua
@ -0,0 +1,7 @@
+local os = require("os")
+if obj.metadata.annotations == nil then
+    obj.metadata.annotations = {}
+end
+obj.metadata.annotations["reconcile.fluxcd.io/requestedAt"] = "By Argo CD at: " .. os.date("!%Y-%m-%dT%X")
+
+return obj
--- a/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/resume/action.lua
+++ b/resource_customizations/image.toolkit.fluxcd.io/ImageRepository/actions/resume/action.lua
@ -0,0 +1,5 @@
+if obj.spec.suspend ~= nil and obj.spec.suspend then
+    obj.spec.suspend = false
+end
+
+return obj
--- a/Show more
+++ b/Show more