github ckotzbauer/vulnerability-operator 0.28.16

4 hours ago

Bug fixes

  • [b083ab01] - fix: restrict /report/ endpoint access

Security

  • Restrict the /report/ HTTP endpoint: directory listing is now disabled and only report.json and audited.json are served, closing an unauthenticated information disclosure of vulnerability scan data (CVE IDs, package versions, image references). A new report-auth-token flag (VULN_REPORT_AUTH_TOKEN) enables optional bearer-token authentication. The deploy/ manifests now ship a NetworkPolicy and a token Secret; see the Security section of the README for hardening guidance. Note that the /metrics endpoint exposes the same data and must be protected at the network layer. GHSA-6v6c-4cxg-cc93
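To illustrate the two controls this release adds, here is an added Go example (not the operator's own code) of a /report/ handler that serves only an allow-list of files, never lists the directory, and checks an optional bearer token in constant time. The in-memory report map, the `newReportHandler` name, the `change-me` token and the listening address are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"path"
	"strings"
)

// Allow-list of files served under /report/: the two files the release note names.
var allowedReports = map[string]bool{"report.json": true, "audited.json": true}

// reportAuthorized checks an optional bearer token; an empty configured token disables auth.
func reportAuthorized(configured, header string) bool {
	if configured == "" {
		return true
	}
	if !strings.HasPrefix(header, "Bearer ") {
		return false
	}
	got := strings.TrimPrefix(header, "Bearer ")
	return subtle.ConstantTimeCompare([]byte(got), []byte(configured)) == 1
}

// newReportHandler serves only allow-listed files from reports (an in-memory map
// standing in for the report directory). token is the report-auth-token value.
func newReportHandler(token string, reports map[string][]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !reportAuthorized(token, r.Header.Get("Authorization")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Reduce the path to a bare name: "/report/", "/report/../x" and unlisted files all get 404.
		name := path.Base(path.Clean(r.URL.Path))
		body, ok := reports[name]
		if !allowedReports[name] || !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(body)
	})
}

func main() {
	reports := map[string][]byte{"report.json": []byte(`{"constructed": true}`)}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newReportHandler("change-me", reports)))
}
```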

Deprecation notice

  • In a future release the /report/ endpoint will be disabled by default when no report-auth-token is configured. Set the token now if you rely on the JSON report endpoint being reachable.
