| Version | Supported |
|---|---|
| v2.x | ✅ Actively maintained |
| v1.x |
This repository is an automated security pipeline. Vulnerabilities in the pipeline itself (e.g., a prompt injection in the AI remediation script, or an RBAC bypass in the KinD manifests) should be reported privately.
Do NOT open a public GitHub Issue for security vulnerabilities.
Email: arorahardik0811@gmail.com
Response SLA: 48 hours for acknowledgement, 7 days for initial triage.
| In Scope | Out of Scope |
|---|---|
scripts/remediate_cve.py prompt injection |
The Ollama upstream binary |
| GitHub Actions OIDC token exposure | GitHub Actions platform bugs |
RBAC in k8s/ manifests |
KinD upstream bugs |
| Secrets hardcoded in any committed file | Third-party action CVEs |
enforce-non-root bypass via crafted Dockerfile |
LLM model weight vulnerabilities |
| Dynamic build context path traversal | OpenAI/NVIDIA API platform bugs |
Smoke test env injection (MONGO_URI / DATABASE_URL) abuse |
Docker daemon vulnerabilities |
API key leakage in patch_audit.log |
Trivy false-positive scan results |
- You email us with a description and reproduction steps.
- We confirm the vulnerability within 48 hours.
- We issue a fix and credit you (if desired) in the release notes.
- We publish a public advisory after the fix is merged.
This repository uses its own pipeline to keep itself secure:
- All base images are scanned on every push via Trivy.
- Dependency trees are audited on every PR via
pip-audit. - SAST is run via CodeQL on every push to
main. - AI-generated patches are validated through a 5-gate pipeline:
- Instruction whitelist (hallucination defense)
- Adaptive blueprint integrity gate
- Docker build smoke test
- Runtime stability check with health probe
- KinD cluster integration test
- Manifest-First Remediation: AI fixes OS packages via
apk/aptpins; never injects inlinenpm installcommands. - Side-by-Side Patching: Original
Dockerfileis never touched until all gates pass. - Configurable Non-Root Policy: The
enforce-non-rootinput controls whetherUSERinstruction is mandatory. - Smoke Test Isolation: Dummy database URIs are injected to prevent runtime crashes without exposing real credentials.
- API Key Fallback:
api-keyinput falls back toenv.API_KEY— secrets never hardcoded.