Restrict the /report/ HTTP endpoint: directory-listing is now disabled and only report.json / audited.json are served, closing an unauthenticated information-disclosure of vulnerability scan data (CVE IDs, package versions, image references). A new report-auth-token flag (VULN_REPORT_AUTH_TOKEN) enables optional bearer-token authentication. The deploy/ manifests now ship a NetworkPolicy and a token Secret; see the Security section of the README for hardening guidance (the /metrics endpoint carries the same data and must be protected at the network layer). GHSA-6v6c-4cxg-cc93
Deprecation notice
In a future release the /report/ endpoint will be disabled by default when no report-auth-token is configured. Set the token now if you rely on the JSON report endpoint being reachable.
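The following is an added illustration, not the project's own code, of a /report/ handler that behaves the way the fix above describes: an explicit allowlist of report.json and audited.json, no directory listing, and bearer-token authentication that is enforced only when VULN_REPORT_AUTH_TOKEN is set. The fs.FS source, the constructed sample report and the function names are assumptions.

```go
package main

import (
	"crypto/subtle"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing/fstest"
)

// Allowlist for /report/: listing, traversal and any other file all get a 404.
var allowedReports = map[string]bool{"report.json": true, "audited.json": true}

// reportHandler guards /report/; token is VULN_REPORT_AUTH_TOKEN ("" = no auth).
func reportHandler(reports fs.FS, token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token != "" {
			hdr := r.Header.Get("Authorization")
			// Require the Bearer scheme; constant-time compare leaks no timing.
			if !strings.HasPrefix(hdr, "Bearer ") || subtle.ConstantTimeCompare(
				[]byte(strings.TrimPrefix(hdr, "Bearer ")), []byte(token)) != 1 {
				w.Header().Set("WWW-Authenticate", "Bearer")
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		name := strings.TrimPrefix(r.URL.Path, "/report/")
		if !allowedReports[name] { // "" (listing), "../x", other.json -> 404
			http.NotFound(w, r)
			return
		}
		body, err := fs.ReadFile(reports, name)
		if err != nil { // allowlisted but not yet generated: plain 404, no listing
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Write(body)
	})
}

// requestStatus sends an in-process request and returns the HTTP status code.
func requestStatus(h http.Handler, path, authorization string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", authorization)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Constructed sample report store; audited.json is deliberately absent.
var sampleReports = fstest.MapFS{"report.json": {Data: []byte(`{"cves":[]}`)}}
```

This guards only /report/; as the note says, /metrics exposes the same data and still needs the NetworkPolicy or equivalent network-layer control.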