Security
At Flanksource, security isn't just a feature; it's the foundation of the design that went into the Mission Control platform. We've meticulously designed every aspect of our internal developer platform to meet the stringent requirements of security teams.
Secure SDLC
Flanksource follows a secure SDLC:
- Code scanning using GitHub CodeQL
- Merge-blocking unit and integration tests using GitHub Actions
- Branch protection to prevent history rewrites
- Automatic dependency scanning and updates with GitHub Dependabot
- Project CI/CD compliance scanning using OpenSSF Scorecard
- Automated build and publishing of artifacts
- CI supply chain runtime scanning using StepSecurity Harden-Runner
Secret Management
All Flanksource projects are built with secure secret management in mind. Where possible, secrets are automatically generated at install time and saved to Kubernetes Secrets; pre-existing secrets are read from environment variables or files supplied by end users via Kubernetes Secrets or Helm values.
Role-based IAM identity is supported and preferred for Kubernetes, AWS, GKE and Azure.
Source Open
All the code for self-hosted Mission Control is publicly available and free to use for non-production purposes, enabling any security researcher to review the source code and perform white-box testing.
The security scan results for all projects are available in the links below.
Security Dashboard
| Project | Description | License | Scorecard | CII Best Practices |
|---|---|---|---|---|
| Mission Control | Primary microservice and orchestrator | | | |
| Canary Checker | Health checks and topology scanning | | | |
| Config DB | Catalog scraper | | | |
| Duty | Data access library | | | |
| Is-Healthy | Library for getting the health status of Kubernetes objects | | | |
| Gomplate | Go and CEL templating library | | | |
| Flanksource UI | Dashboard | | | |
| External Dependencies | | | | |
| PostgREST | REST API for the database | | | |
| Kratos (Self-Hosted) | 3rd-party application for authentication | | | |
| Clerk (SaaS) | 3rd-party service for authentication | Docs | | |
Reporting a Vulnerability
If you discover any security vulnerabilities within this project, please report them to our team immediately. We appreciate your help in making this project more secure for everyone.
To report a vulnerability, please follow these steps:
- Email: Send an email to our security team at security@flanksource.com with a detailed description of the vulnerability.
- Subject Line: Use the subject line "Security Vulnerability Report" to ensure prompt attention.
- Information: Provide as much information as possible about the vulnerability, including steps to reproduce it and any supporting documentation or code snippets.
- Confidentiality: We prioritize the confidentiality of vulnerability reports. Please avoid publicly disclosing the issue until we have had an opportunity to address it.
Our team will respond to your report as soon as possible and work towards a solution. We appreciate your responsible disclosure and cooperation in maintaining the security of this project.
Thank you for your contribution to the security of this project!
Note: This project follows responsible disclosure practices.