We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT create public GitHub issues for security vulnerabilities
2. Report via GitHub Security Advisories: Go to the Security tab and create a new advisory
3. Include: A clear description of the vulnerability, steps to reproduce, and potential impact

• We will acknowledge receipt within 48 hours
• We aim to provide an initial assessment within 7 days
• We will keep you informed of our progress
• We will credit you in the security advisory (if desired)

This project implements several security controls:

• CI/CD Security: Lint, unit test, E2E test, and build checks on every PR
• Dependency Scanning: Automated updates via Dependabot for GitHub Actions
• Code Quality: golangci-lint with static analysis
• Signed Commits: All commits require sign-off (git commit -s)

The kagenti-operator manages trusted workload identity and agent card signatures:

• SPIFFE/SPIRE Integration: Workload identity via x509-SVIDs
• Agent Card Signing: JWS signatures with x5c certificate chains (A2A spec §8.4.2)
• Identity Binding: Trust domain validation for agent workloads
• Network Policies: Automatic isolation for agents with failed identity binding