Elgato_dark/argo-cd
1
0
Fork 0
mirror of https://github.com/argoproj/argo-cd synced 2026-04-21 17:07:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 22
argo-cd/SECURITY.md
Michael Crenshaw 21b826e204
docs: Revise vulnerability reporting and remove bounty details (#27212) 
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
2026-04-07 14:23:42 -04:00

89 lines
4.5 KiB
Markdown
Raw Blame History

# Security Policy for Argo CD
Version: **v1.5 (2023-03-06)**
## Preface
As a deployment tool, Argo CD needs to have production access which makes
security a very important topic. The Argoproj team takes security very
seriously and is continuously working on improving it.
## A word about security scanners
Many organisations these days employ security scanners to validate their
container images before letting them on their clusters, and that is a good
thing. However, the quality and results of these scanners vary greatly,
many of them produce false positives and require people to look at the
issues reported and validate them for correctness. A great example of that
is, that some scanners report kernel vulnerabilities for container images
just because they are derived from some distribution.
We kindly ask you to not raise issues or contact us regarding any issues
that are found by your security scanner. Many of those produce a lot of false
positives, and many of these issues don't affect Argo CD. We do have scanners
in place for our code, dependencies and container images that we publish. We
are well aware of the issues that may affect Argo CD and are constantly
working on the remediation of those that affect Argo CD and our users.
If you believe that we might have missed an issue that we should take a look
at (that can happen), then please discuss it with us. If there is a CVE
assigned to the issue, please do open an issue on our GitHub tracker instead
of writing to the security contact e-mail, since things reported by scanners
are public already and the discussion that might emerge is of benefit to the
general community. However, please validate your scanner results and its
impact on Argo CD before opening an issue at least roughly.
## Supported Versions
We currently support the last 3 minor versions of Argo CD with security and bug fixes.
We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
supported versions, which will contain fixes for security vulnerabilities and
important bugs. Prior releases might receive critical security fixes on best
effort basis, however, it cannot be guaranteed that security fixes get
back-ported to these unsupported versions.
In rare cases, where a security fix needs complex re-design of a feature or is
otherwise very intrusive, and there's a workaround available, we may decide to
provide a forward-fix only, e.g. to be released the next minor release, instead
of releasing it within a patch branch for the currently supported releases.
## Dependency Upgrade Policy
Argo CD relies on certain binaries and libraries that might appear in security scanners.
Upgrading certain dependencies, such as Helm, Kustomize, and git, may have negative impacts
on users, as they may include breaking changes or changes in behavior. For this reason,
we will only upgrade to new patch versions within the same minor version series within
a supported Argo CD version. For example, if we are currently on Helm 3.12.0 and Argo CD
3.4.0, we will only upgrade to Helm 3.12.x within Argo CD 3.4.x, and not to Helm 3.13.0
or later.
If there is a critical, _exploitable_ vulnerability in a dependency that will not be fixed
in a patch release, we will evaluate the impact of the vulnerability and the risk of not
upgrading the dependency. We ask that, if you believe a version bump is justified, please
open an issue _describing how the vulnerability is exploitable in the context of Argo CD_,
and we will evaluate it and decide whether or not to upgrade the dependency.
## Reporting a Vulnerability
If you find a security related bug in Argo CD, we kindly ask you for responsible
disclosure and for giving us appropriate time to react, analyze and develop a
fix to mitigate the found security vulnerability.
We will do our best to react quickly on your inquiry, and to coordinate a fix
and disclosure with you. Sometimes, it might take a little longer for us to
react (e.g. out of office conditions), so please bear with us in these cases.
We will publish security advisories using the
[GitHub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
feature to keep our community well-informed, and will credit you for your
findings (unless you prefer to stay anonymous, of course).
To report a vulnerability to the Argo CD team a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
## Securing your Argo CD Instance
See the [operator manual security page](docs/operator-manual/security.md) for
additional information about Argo CD's security features and how to make your
Argo CD production ready.
Reference in a new issue View git blame Copy permalink