Skip to content

Security: cezarc1/KubeJet

Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please report suspected vulnerabilities privately via GitHub security advisories. Do not open public issues for security reports. You should receive a response within a week.

Scope notes

KubeJet is an operator that provisions workloads on edge devices, so its privilege model is part of its attack surface. The concrete decisions — what the ClusterRole grants and why, when vision pods run privileged, and how runtime pods are sandboxed — are documented in docs/security-model.md.

Supply chain

  • just audit runs cargo-deny (Rust advisories/licenses), pip-audit (Python CVEs), and trivy (filesystem vulnerabilities and Kubernetes/Dockerfile misconfigurations) — enforced in CI on every PR.
  • just secrets runs gitleaks over the working tree and the full git history.
  • Release images are built from pinned lockfiles (uv.lock, Cargo.lock).

There aren't any published security advisories