If you discover a security vulnerability in Attune, please report it responsibly.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report vulnerabilities via GitHub's private security advisory feature ("Report a vulnerability" under the repository's Security tab).
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous release | Security fixes only |
| Older | No |
- Container images and binaries are signed with cosign using keyless signing (Sigstore OIDC)
- SLSA Level 3 provenance is generated for both binary artifacts and container images
- SBOMs are generated for every release (SPDX format) and attached to the GitHub release
- FOSSA license compliance scanning runs on every push
- Trivy filesystem and container image scans run weekly
- govulncheck runs weekly for known Go vulnerabilities
- Gitleaks secret detection runs on every push
- CodeQL static analysis runs weekly
- GitHub secret scanning is enabled at the organization level
- StepSecurity harden-runner is enabled on all CI workflows
- OpenSSF Scorecard monitors the repository's security posture
- Dependabot monitors Go modules, GitHub Actions, and Docker base images weekly
- Static analysis via golangci-lint (50+ linters) runs on every push
- The operator runs as non-root (`runAsUser: 65532`) with a read-only root filesystem
- All Linux capabilities are dropped (`drop: ALL`) and privilege escalation is disabled
- RBAC permissions follow least-privilege principles
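As an added example (not code from the Attune project), a small check that verifies a pod spec against the runtime hardening listed above; the two pod specs and the `check_pod_hardening` function are constructed here for illustration:

```python
# Added example, not Attune project code: check a pod spec against the
# hardening baseline above (UID 65532, read-only root filesystem, all
# capabilities dropped, no privilege escalation). Pod specs are constructed
# for illustration; in practice load them from a manifest or the API server.

EXPECTED_UID = 65532  # value stated in the policy above


def check_pod_hardening(pod_spec: dict) -> list[str]:
    """Return findings per container; an empty list means the baseline is met."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones, so resolve both.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid != EXPECTED_UID:
            findings.append(f"{name}: runAsUser is {uid}, expected {EXPECTED_UID}")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in {d.upper() for d in caps.get("drop", [])}:
            findings.append(f"{name}: capabilities are not dropped with 'ALL'")
        if caps.get("add"):
            findings.append(f"{name}: capabilities added back: {caps['add']}")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
    return findings


# Constructed: a pod spec that matches the stated hardening.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
    "containers": [{
        "name": "manager",
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

# Constructed: a typical unhardened spec with no securityContext at all.
WEAK_POD = {"containers": [{"name": "manager"}]}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        print(label, check_pod_hardening(pod) or "OK")
```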