Security: argoproj/argo-cd
SECURITY.md
Version: v1.5 (2023-03-06)
As a deployment tool, Argo CD needs to have production access, which makes security a very important topic. The Argoproj team takes security very seriously and is continuously working on improving it.
Many organisations these days employ security scanners to validate their container images before letting them on their clusters, and that is a good thing. However, the quality and results of these scanners vary greatly; many of them produce false positives and require people to look at the issues reported and validate them for correctness. A great example of that is that some scanners report kernel vulnerabilities for container images just because they are derived from some distribution.
We kindly ask you to not raise issues or contact us regarding any issues that are found by your security scanner. Many of those produce a lot of false positives, and many of these issues don't affect Argo CD. We do have scanners in place for our code, dependencies and container images that we publish. We are well aware of the issues that may affect Argo CD and are constantly working on the remediation of those that affect Argo CD and our users.
If you believe that we might have missed an issue that we should take a look at (that can happen), then please discuss it with us. If there is a CVE assigned to the issue, please do open an issue on our GitHub tracker instead of writing to the security contact e-mail, since things reported by scanners are public already and the discussion that might emerge is of benefit to the general community. However, please validate, at least roughly, your scanner results and their impact on Argo CD before opening an issue.
We currently support the last 3 minor versions of Argo CD with security and bug fixes.
We regularly perform patch releases (e.g. 1.8.5 and 1.7.12) for the supported versions, which will contain fixes for security vulnerabilities and important bugs. Prior releases might receive critical security fixes on a best-effort basis; however, it cannot be guaranteed that security fixes get back-ported to these unsupported versions.
In rare cases, where a security fix needs a complex re-design of a feature or is otherwise very intrusive, and there is a workaround available, we may decide to provide a forward-fix only, e.g. to be released with the next minor release, instead of releasing it within a patch branch for the currently supported releases.
If you find a security related bug in Argo CD, we kindly ask you for responsible disclosure and for giving us appropriate time to react, analyze and develop a fix to mitigate the found security vulnerability.
We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out of office conditions), so please bear with us in these cases.
We will publish security advisories using the GitHub Security Advisories feature to keep our community well-informed, and will credit you for your findings (unless you prefer to stay anonymous, of course).
There are two ways to report a vulnerability to the Argo CD team:
- By opening a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
- By e-mail to the following address: cncf-argo-security@lists.cncf.io
We're happy to announce that the Argo project is collaborating with the great folks over at Hacker One and their Internet Bug Bounty program to reward the awesome people who find security vulnerabilities in the four main Argo projects (CD, Events, Rollouts and Workflows) and then work with us to fix and disclose them in a responsible manner.
If you report a vulnerability to us as outlined in this security policy, we will work together with you to find out whether your finding is eligible for claiming a bounty, and also on how to claim it.
See the operator manual security page for additional information about Argo CD's security features and how to make your Argo CD production ready.
Published security advisories:
- The Argo CD web terminal session does not handle the revocation of user permissions properly. GHSA-v8wx-v5jq-qhhw, published Jul 24, 2024 by pasha-codefresh. Severity: Moderate
- Denial of Service via malicious jqPathExpressions in ignoreDifferences. GHSA-9m6p-x4h2-6frq, published Apr 26, 2024 by pasha-codefresh. Severity: Moderate
- Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in Argo CD. GHSA-jmvp-698c-4x3w, published Jul 22, 2024 by pasha-codefresh. Severity: High
- Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server. GHSA-jhwx-mhww-rgc3, published Mar 28, 2024 by pasha-codefresh. Severity: Moderate
- Use of Risky or Missing Cryptographic Algorithms in Redis Cache. GHSA-9766-5277-j5hr, published May 21, 2024 by pasha-codefresh. Severity: Critical
- Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd. GHSA-92mw-q256-5vwg, published Jan 18, 2024 by crenshaw-dev. Severity: High
- Unauthenticated Access to sensitive settings in Argo CD. GHSA-87p9-x75h-p4j2, published Jun 6, 2024 by pasha-codefresh. Severity: Moderate
- Users with `create` but not `override` privileges can perform local sync. GHSA-g623-jcgg-mhmm, published Mar 13, 2024 by crenshaw-dev. Severity: Moderate
- Bypassing Rate Limit and Brute Force Protection Using Cache Overflow. GHSA-2vgg-9h6w-m454, published Mar 18, 2024 by crenshaw-dev. Severity: Moderate
- Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment. GHSA-6v85-wr92-q4p7, published Mar 18, 2024 by crenshaw-dev. Severity: High