github kimdre/doco-cd v0.90.1

5 hours ago

What's Changed

Fixed OCI Artifact security vulnerability

When global OCI signature verification was enabled via OCI_TRUST_POLICY (enabled: true), an attacker with write access to the configured OCI tag, but without access to the signing key, could publish an unsigned or improperly signed artifact containing a .doco-cd.yml that sets oci.verify: false. Because that per-deployment setting was honored even though it came from the unverified artifact itself, it disabled signature verification and the untrusted deployment content was applied.

This primarily impacts users deploying from OCI artifacts where deployment config is read from artifact contents (for example, poll/webhook flows without trusted inline deployment overrides).

This release fixes the vulnerability by enforcing a strict trust boundary and no-downgrade behavior:

  1. Artifact-contained .doco-cd.yml is treated as untrusted for OCI trust-policy override decisions.
  2. If global OCI_TRUST_POLICY.enabled is true, per-deployment oci.verify: false cannot disable verification.
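The following Go snippet is an added illustration of the two rules above, not code from the doco-cd project: a pre-fix resolver that honors any per-deployment oci.verify value next to a hardened resolver that ignores artifact-contained config for the trust decision and refuses a downgrade while the global policy is enabled. The type and function names (ConfigSource, GlobalTrustPolicy, DeploymentOCI, resolveVerifyVulnerable, resolveVerifyFixed) are assumptions made for the example, and the behaviour when the global policy is disabled is likewise an assumption.

```go
package main

import "fmt"

// ConfigSource records where a per-deployment .doco-cd.yml came from.
// (Hypothetical type for this example; not doco-cd's own.)
type ConfigSource int

const (
	// SourceInline is an operator-supplied override and is trusted.
	SourceInline ConfigSource = iota
	// SourceArtifact is a .doco-cd.yml read out of the OCI artifact and is untrusted.
	SourceArtifact
)

// GlobalTrustPolicy mirrors the "enabled" flag of OCI_TRUST_POLICY.
type GlobalTrustPolicy struct {
	Enabled bool
}

// DeploymentOCI is a per-deployment oci: section. Verify is a pointer so
// that "not set" can be distinguished from an explicit "false".
type DeploymentOCI struct {
	Verify *bool
	Source ConfigSource
}

func boolPtr(b bool) *bool { return &b }

// resolveVerifyVulnerable models the pre-fix behaviour: whatever the
// per-deployment config says wins, no matter where it came from.
// An attacker-controlled artifact with oci.verify: false therefore turns
// verification off.
func resolveVerifyVulnerable(global GlobalTrustPolicy, dep DeploymentOCI) bool {
	if dep.Verify != nil {
		return *dep.Verify
	}
	return global.Enabled
}

// resolveVerifyFixed applies the two release-note rules. It returns the
// effective verify setting and whether a downgrade attempt was rejected.
//  1. Config contained in the artifact never influences the decision.
//  2. While the global policy is enabled, a per-deployment false cannot disable it.
// How an inline override behaves when the global policy is disabled is an
// assumption for this example (it is honored as written).
func resolveVerifyFixed(global GlobalTrustPolicy, dep DeploymentOCI) (verify bool, downgradeRejected bool) {
	if global.Enabled {
		// Rule 2: no downgrade once the global policy is on, regardless of source.
		downgradeRejected = dep.Verify != nil && !*dep.Verify
		return true, downgradeRejected
	}
	if dep.Source == SourceArtifact {
		// Rule 1: the artifact has no say in the trust decision at all.
		return false, false
	}
	if dep.Verify != nil {
		return *dep.Verify, false
	}
	return false, false
}

func main() {
	global := GlobalTrustPolicy{Enabled: true}

	// Constructed attack scenario: the artifact ships a .doco-cd.yml with
	// oci.verify: false and is not signed with a trusted key.
	attacker := DeploymentOCI{Verify: boolPtr(false), Source: SourceArtifact}

	fmt.Println("pre-fix verify:", resolveVerifyVulnerable(global, attacker))
	v, rejected := resolveVerifyFixed(global, attacker)
	fmt.Println("fixed verify:", v, "downgrade rejected:", rejected)
}
```

Keeping Verify as a *bool matters in practice: a plain bool would make an omitted setting indistinguishable from an explicit oci.verify: false, so the resolver could not tell a benign config from a downgrade attempt.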

Thanks to @strayer for finding and reporting the vulnerability! ❤️

🐛 Bug Fixes

  • fix(oci): prevent policy downgrades when trust policy is enabled globally by @kimdre in #1407

📦 Dependencies

  • fix(deps): update module github.com/bitwarden/sdk-go/v2 to v2.1.0 by @renovate[bot] in #1404

📚 Miscellaneous

  • feat(docs): add test to verify documentation by @kimdre in #1406

Full Changelog: v0.90.0...v0.90.1
