Bug fixes
- [`b083ab01`] - fix: restrict `/report/` endpoint access
Security
- Restrict the `/report/` HTTP endpoint: directory listing is now disabled and only `report.json` / `audited.json` are served, closing an unauthenticated information disclosure of vulnerability-scan data (CVE IDs, package versions, image references). A new `report-auth-token` flag (`VULN_REPORT_AUTH_TOKEN`) enables optional bearer-token authentication. The `deploy/` manifests now ship a `NetworkPolicy` and a token `Secret`; see the Security section of the README for hardening guidance (the `/metrics` endpoint carries the same data and must be protected at the network layer). GHSA-6v6c-4cxg-cc93
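The following Go handler is an added illustration of the hardening this entry describes; it is not the project's own code. It serves only `report.json` and `audited.json` under `/report/`, answers 404 for the directory path itself and for any other name (so there is nothing to list), and, when `VULN_REPORT_AUTH_TOKEN` is set, requires a matching `Authorization: Bearer` header compared in constant time. The function names, the `./reports` directory and the loopback listen address are assumptions made for the example; as the entry notes, a token on `/report/` does nothing for `/metrics`, which still needs network-layer protection.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// allowedReports is the exact set of file names served under /report/.
// Any other path, including "/report/" itself, is answered with 404,
// which is what removes the directory listing.
var allowedReports = map[string]bool{
	"report.json":  true,
	"audited.json": true,
}

// reportHandler serves the allowlisted report files from dir. When token is
// non-empty the request must carry "Authorization: Bearer <token>".
// (Hypothetical handler written for this example.)
func reportHandler(dir, token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Authentication is checked first so an unauthenticated caller cannot
		// probe which report files exist.
		if token != "" && !bearerOK(r.Header.Get("Authorization"), token) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="report"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		name := strings.TrimPrefix(r.URL.Path, "/report/")
		if !allowedReports[name] {
			// Covers "/report/", "/report/../x", and any non-report file.
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		http.ServeFile(w, r, filepath.Join(dir, name))
	})
}

// bearerOK reports whether header is "Bearer <want>", comparing the token
// in constant time so response timing does not leak how much of it matched.
func bearerOK(header, want string) bool {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got := strings.TrimPrefix(header, prefix)
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

func main() {
	// Empty token keeps the endpoint open, mirroring the "optional" flag.
	token := os.Getenv("VULN_REPORT_AUTH_TOKEN")
	http.Handle("/report/", reportHandler("./reports", token))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Usage: `VULN_REPORT_AUTH_TOKEN=<token> go run .` then `curl -H "Authorization: Bearer <token>" http://127.0.0.1:8080/report/report.json`; without the header the same request returns 401, and `GET /report/` returns 404 whether or not a token is configured.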
Deprecation notice
- In a future release the `/report/` endpoint will be disabled by default when no `report-auth-token` is configured. Set the token now if you rely on the JSON report endpoint being reachable.