Please report suspected vulnerabilities privately via GitHub security advisories. Do not open public issues for security reports. You should receive a response within a week.
KubeJet is an operator that provisions workloads on edge devices, so its privilege model is part of its attack surface. The concrete decisions — what the ClusterRole grants and why, when vision pods run privileged, and how runtime pods are sandboxed — are documented in docs/security-model.md.
just auditruns cargo-deny (Rust advisories/licenses), pip-audit (Python CVEs), and trivy (filesystem vulnerabilities and Kubernetes/Dockerfile misconfigurations) — enforced in CI on every PR.just secretsruns gitleaks over the working tree and the full git history.- Release images are built from pinned lockfiles (
uv.lock,Cargo.lock).