If you discover a security vulnerability in Blob Argo CMP, please report it through GitHub's private vulnerability reporting feature:

1. Go to the Security tab of this repository
2. Click "Report a vulnerability"
3. Provide a detailed description of the issue

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Include as much of the following information as possible to help us understand and resolve the issue:

• Type of issue (e.g., policy bypass, privilege escalation, configuration injection)
• Full paths of source file(s) related to the issue
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue and how an attacker might exploit it

For vulnerabilities in the core Blob library (signature verification, archive handling, integrity checks), please report those directly to the Blob repository's security process.

We provide security updates for the following versions:

• Initial Response: We aim to acknowledge receipt of your vulnerability report within 3 business days.
• Status Update: We will provide a more detailed response within 10 business days, including our assessment and expected timeline for a fix.
• Resolution: We strive to resolve critical vulnerabilities within 30 days of the initial report.

We follow a coordinated disclosure process:

1. Security issues are handled privately until a fix is available.
2. Once a fix is ready, we will create a security advisory and release a patched version.
3. We will publicly disclose the vulnerability after users have had reasonable time to update.
4. Credit will be given to the reporter (unless anonymity is preferred) in the security advisory.

Blob Argo CMP is a security-focused tool. When deploying and operating it, consider the following:

• Disable inline policies in production: Set allowInlinePolicy: false in the central policy configuration to prevent applications from bypassing centralized policy controls.
• Require verification: Set requireVerification: true to ensure all blob references are verified before deployment.
• Use specific patterns: Configure repository match patterns to be as specific as possible to avoid unintended policy matching.

The provided deployment manifests include security hardening:

• Non-root user execution (UID 999)
• Read-only root filesystem
• Dropped capabilities
• Seccomp profile

Do not relax these settings without understanding the implications.

• Credentials are read from the Argo CD repo-server's Docker config
• Use credential helpers rather than storing plain credentials
• Ensure appropriate RBAC controls on the argocd namespace

The plugin uses specific exit codes to distinguish security failures:

Exit code 1 indicates a security-relevant failure and should be treated as a potential supply chain attack or misconfiguration.

For vulnerabilities in third-party dependencies:

• If the vulnerability affects Blob Argo CMP, please report it through our security reporting process above
• For vulnerabilities in upstream projects, please report directly to those projects:
  • Blob library: meigma/blob security
  • Sigstore: sigstore security
  • Argo CD: argoproj/argo-cd security

• Blob Documentation
• Blob Provenance & Signing Guide
• Argo CD CMP Documentation
• Sigstore Documentation