Security
At Flanksource, security isn't just a feature; it's the foundation of the design that went into the Mission Control platform. We've meticulously designed every aspect of our internal developer platform to meet the stringent requirements of security teams.
Secure SDLC
Flanksource follows a secure SDLC
- Code scanning using Github CodeQL
- Merge blocking unit and integration tests using Github Actions
- Branch protection to prevent history rewrite
- Automatic dependency scanning and updates with Github Dependabot
- Project CI/CD compliance scanning using OpenSSF Scorecards
- Automated build and publishing of artifacts
- CI Supply Chain Runtime Scanner using Step Harden Runner
Secret Management
All flanksource projects are built with secure secret management in mind, where possible secrets are automatically generated at install time and saved to Kubernetes Secrets, Pre-existing secrets are read from environment variables/files supplied by end users using Kubernetes Secrets or Helm Values
Role based IAM identity is possible and preferred for Kubernetes, AWS, GKE and Azure.
Source Open
All the code for Mission Control self-hosted is publicly available and free to use for non-prod purposes, Enabling any security researcher to review the source code and perform white-box testing.
The security scan results for all projects are available in the links below.
Security Dashboard
Project | Description | License | Scorecard | CII Best Practices |
---|---|---|---|---|
Mission Control | Primary microservice and orchestrator | |||
Canary Checker | Health checks and topology scanning | |||
Config DB | Catalog Scraper | |||
Duty | Data Access Library | |||
Is-Healthy | Library for get health status of Kubernetes objects | |||
Gomplate | Go and CEL templating library | |||
Flanksource UI | Dashboard | |||
External Dependencies | ||||
PostgREST | REST API for Database | |||
Kratos (Self-Hosted) | 3rd Party Application for Authentication | |||
Clerk (SaaS) | 3rd Party Service for Authentication | Docs |
Reporting a Vulnerability
If you discover any security vulnerabilities within this project, please report them to our team immediately. We appreciate your help in making this project more secure for everyone.
To report a vulnerability, please follow these steps:
- Email: Send an email to our security team at security@flanksource.com with a detailed description of the vulnerability.
- Subject Line: Use the subject line "Security Vulnerability Report" to ensure prompt attention.
- Information: Provide as much information as possible about the vulnerability, including steps to reproduce it and any supporting documentation or code snippets.
- Confidentiality: We prioritize the confidentiality of vulnerability reports. Please avoid publicly disclosing the issue until we have had an opportunity to address it.
Our team will respond to your report as soon as possible and work towards a solution. We appreciate your responsible disclosure and cooperation in maintaining the security of this project.
Thank you for your contribution to the security of this project!
Note: This project follows responsible disclosure practices.
Notes for Security Researchers
In Scope
- Web applications and APIs under app.flanksource.com and beta.flanksource.io
- Infrastructure components such as servers, databases, and network devices directly managed by Flanksource
- Potential vulnerabilities in third-party services used by Flanksource, if they impact the security of our systems.
- Any repository in github.com/flanksource with a
SECURITY.md
file - Self-Hosted installations of mission-control
Out of Scope
- DKIM / SPF and other email relates issues.
- Marketing sites and landing pages.
- Authenticated access to app.flanksource.com and beta.flanksource.io, If you would like to perform authenticated testing in SaaS, please email us with a request for a temporary environment.
- Any systems or services not directly owned or operated by Flanksource.
- Vulnerabilities in third-party applications or services unless they pose a direct risk to Flanksource.
- Physical security controls unless they can be directly exploited to compromise our systems.
- Social engineering attacks, phishing attempts, or spamming activities.
- Denial of service attacks or brute-force attacks againstFlanksource infrastructure.
- Any activity that violates laws or regulations, or that disrupts the normal operation of Flanksource services.