Skip to content

Security: PlatformRelay/Kollect

SECURITY.md

Security policy

Supported versions

Version Supported
main Yes
Tags Latest release only

Reporting a vulnerability

Do not open public GitHub issues for security-sensitive reports.

Email konrad.heimel@gmail.com with:

  • Description of the issue and impact
  • Steps to reproduce (if possible)
  • Affected versions or commits
  • Suggested fix (optional)

You should receive an acknowledgment within a few business days. We will coordinate disclosure and a fix release when appropriate.

Threat model (summary)

Kollect is a cluster operator that:

  • Reads Kubernetes resources allowed by its RBAC and SAR checks (configurable per target).
  • Writes to external sinks and doc backends using credentials from Secret references only.
  • Stores aggregated metadata in CR status (summaries, not full payloads — see ADRs).

Risks to consider when deploying:

  • Over-broad ClusterRole grants increase blast radius if the manager is compromised.
  • Sink endpoints must use verified TLS; credentials must not appear in CR specs or logs.
  • Restrict egress with NetworkPolicy in production.

See engineering guidelines for hardening baselines (non-root runtime image, secret handling, supply-chain checks in CI).

Supply chain (releases)

Release builds (.github/workflows/release.yaml) produce:

  • OCI imageghcr.io/platformrelay/kollect and ghcr.io/platformrelay/kollect-ui with SBOM and SLSA provenance attestations
  • cosign keyless signatures (verify with release notes instructions)
  • SPDX SBOMsbom.spdx.json and sbom-ui.spdx.json attached to GitHub Releases
  • Checksumssha256sum manifest for install YAML and chart tarball

Prefer tagged release artifacts over :latest in production. Report supply-chain concerns through the private contact above.

Dependency and license policy (SCA)

Full thresholds and process: SCA remediation policy (satisfies OpenSSF OSPS-VM-05.01).

Vulnerability SLAs: Critical 7 days, High 30 days, Medium 90 days, Low by next minor release; zero tolerance for reachable CVEs (govulncheck must pass before merge) and for fixable CRITICAL/HIGH in release images (Trivy).

License classes: Allow (MIT/Apache/BSD/…), Review (MPL/LGPL — 90 days to confirm), Deny (GPL/AGPL/proprietary/unknown — remove before merge or defer with a dated security issue).

Deferrals require a GitHub issue or ADR with expiry — see policy § Exceptions.

Static analysis and vulnerability scanning

golangci-lint (SAST)

CI runs golangci-lint v2 on every push and pull request (task lint, job lint in .github/workflows/ci.yaml). Configuration: .golangci.yaml (security and correctness linters including gosec, errcheck, govet, staticcheck, depguard, gomodguard, and logcheck via hack/tooling/.custom-gcl.yml). Pre-commit runs the same gate on changed Go files.

Run locally:

task lint

CodeQL runs on every push/PR to main and weekly (.github/workflows/codeql.yaml); results appear under Security → Code scanning. See ADR-0705 for rationale.

Run locally (requires CodeQL CLI):

# CI equivalent: init → build → analyze via Actions; local runs use the CodeQL extension or CLI.
task lint

Dependabot

Repository settings (enabled 2026-06-05):

  • Dependabot alerts — GitHub Advisory Database notifications for vulnerable dependencies
  • Dependabot security updates — automated patch PRs for known CVEs in go.mod and Actions
  • Dependabot version updates — weekly grouped PRs via .github/dependabot.yml (gomod minor/patch group, github-actions SHA group)

Renovate is not used; Dependabot covers dependency update automation for this solo-maintainer OSS repo.

govulncheck

CI runs govulncheck on every push and pull request (task vulncheck, job vulncheck in .github/workflows/ci.yaml). The scan uses the Go vulnerability database and reports issues that affect imported packages in this module (including test code). The job fails when govulncheck exits non-zero.

Run locally after installing Go from go.mod:

task vulncheck

If a finding is a false positive or only affects an unused code path in a dependency, document the exception in this file (module, advisory ID, rationale, review date) before suppressing CI — see SCA remediation policy § Exceptions and deferrals.

Release images are additionally scanned with Trivy (CRITICAL/HIGH, fixable only) in .github/workflows/release.yaml.

VEX (vulnerability exceptions)

Kollect publishes an OpenVEX document at docs/security/vex.json. The statements array is empty today — no CVE findings are suppressed. When a deferral or false positive requires a documented exception, add a VEX statement and link the GitHub issue or ADR in the statement metadata.

OpenSSF Scorecard

Supply-chain posture is tracked via the OpenSSF Scorecard badge in README.md. Implemented checks, deferred solo-maintainer items, and rationale are documented in ADR-0705 § OpenSSF Scorecard follow-ups.

There aren't any published security advisories