| 1 | +# Security Policy |
| 2 | + |
| 3 | +## About This Repository |
| 4 | + |
| 5 | +**DevOps-OS** is a DevOps automation platform — it is a **developer tool** that *generates* CI/CD pipeline configs, Kubernetes manifests, ArgoCD/Flux configurations, SRE alert rules, and Grafana dashboards. It is not a web application, does not store user data, and does not expose network services in production (the MCP server is intended for local/trusted AI-assistant use only). |
| 6 | + |
| 7 | +Because of this nature, the security model here is meaningfully different from a typical web service or library. This document describes what counts as a security concern, and how to report it. |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +## Scope of Security Concerns |
| 12 | + |
| 13 | +### ✅ In Scope |
| 14 | + |
| 15 | +These are valid security issues for this repository: |
| 16 | + |
| 17 | +1. **Insecure patterns in generated configs** — If DevOps-OS scaffolds a CI/CD pipeline, Kubernetes manifest, or ArgoCD/Flux config that contains an insecure default (e.g., `privileged: true` containers, world-readable secrets, overly broad RBAC rules, or disabled TLS verification), that is a security issue in the generator itself. |
| 18 | + |
| 19 | +2. **Insecure defaults in SRE/observability outputs** — Alert rules or Grafana dashboard configs that could expose sensitive metric data without authentication by default. |
| 20 | + |
| 21 | +3. **Dependency vulnerabilities** — A known CVE in a direct Python dependency (`cli/requirements.txt`, `mcp_server/requirements.txt`) or Go module (`go-project/go.mod`) that could allow code execution, privilege escalation, or data exfiltration when a user runs the tool. |
| 22 | + |
| 23 | +4. **CLI argument injection** — User-controlled values passed to `devopsos` sub-commands that are not properly sanitised before being written into generated files, allowing malicious content injection into output configs. |
| 24 | + |
| 25 | +5. **MCP server issues** — The local MCP server (`mcp_server/`) handles tool calls from AI assistants (Claude, ChatGPT). Security issues here include unauthenticated remote code paths, arbitrary file-write vulnerabilities, or path-traversal in generated output paths. |
| 26 | + |
| 27 | +6. **Supply-chain / build integrity** — Issues with the GitHub Actions workflows in `.github/workflows/` that could allow a third party to inject malicious code into the project's own CI pipeline. |
| 28 | + |
| 29 | +### ❌ Out of Scope |
| 30 | + |
| 31 | +The following are **not** treated as security vulnerabilities in this repository: |
| 32 | + |
| 33 | +- Security of the infrastructure that a *user* deploys using the generated configs — DevOps-OS is a code generator; the security of generated code after it leaves this tool is the responsibility of the engineer who deploys it. |
| 34 | +- General best-practice suggestions for the generated configs that are not objectively insecure defaults (e.g., "use a more restrictive network policy"). |
| 35 | +- Vulnerabilities in tools that DevOps-OS *generates config for* (e.g., a CVE in Argo CD itself) — report those upstream. |
| 36 | +- Issues that require physical access to the developer's machine. |
| 37 | + |
| 38 | +--- |
| 39 | + |
| 40 | +## Supported Versions |
| 41 | + |
| 42 | +Only the **latest released version** of DevOps-OS receives security fixes. We do not backport patches to older versions. |
| 43 | + |
| 44 | +| Version | Supported | |
| 45 | +|---------|-----------| |
| 46 | +| Latest | ✅ Yes | |
| 47 | +| Older | ❌ No | |
| 48 | + |
| 49 | +--- |
| 50 | + |
| 51 | +## Reporting a Vulnerability |
| 52 | + |
| 53 | +**Please do not open a public GitHub issue for security vulnerabilities.** |
| 54 | + |
| 55 | +Instead, report vulnerabilities privately by emailing: |
| 56 | + |
| 57 | +**g.gsaravanan@gmail.com** |
| 58 | + |
| 59 | +Please include: |
| 60 | +- A clear description of the vulnerability and its potential impact. |
| 61 | +- The version of DevOps-OS you are using (`devopsos --version`). |
| 62 | +- Steps to reproduce the issue, or a minimal proof-of-concept. |
| 63 | +- Any relevant generated output files (scrub any real secrets before sending). |
| 64 | + |
| 65 | +### What to Expect |
| 66 | + |
| 67 | +- **Acknowledgement within 5 business days** of receiving your report. |
| 68 | +- **Triage within 10 business days** — we will confirm whether it is in scope and agree on a severity rating. |
| 69 | +- **Fix and disclosure** — for confirmed vulnerabilities, we aim to release a patch and publish a coordinated disclosure within 60 days. We will credit reporters by name (or anonymously, if preferred) in the CHANGELOG. |
| 70 | + |
| 71 | +--- |
| 72 | + |
| 73 | +## Security Best Practices for Users |
| 74 | + |
| 75 | +Because DevOps-OS generates infrastructure-as-code that will be deployed by others, we recommend: |
| 76 | + |
| 77 | +1. **Review every generated file before committing or deploying it.** Generated configs are starting points, not final production configs. Always review them for your specific security requirements. |
| 78 | + |
| 79 | +2. **Pin dependency versions in generated pipelines.** The scaffolded GitHub Actions workflows use version-pinned actions where possible; keep those pins up to date. |
| 80 | + |
| 81 | +3. **Restrict ArgoCD AppProject source repositories** — the `--allow-any-source-repo` flag in `devopsos scaffold argocd` is disabled by default for a reason. Only enable it in trusted environments. |
| 82 | + |
| 83 | +4. **Run the MCP server locally only** — `mcp_server/server.py` is designed to be used as a local stdio server by your AI assistant. Do not expose it on a public network interface. |
| 84 | + |
| 85 | +5. **Keep your DevOps-OS installation up to date** — run `pip install --upgrade devopsos` or pull the latest version from this repository regularly. |
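Review bot: the only reporting channel in the "Reporting a Vulnerability" section is a bare personal e-mail address, while reporters are asked to send `Steps to reproduce the issue, or a minimal proof-of-concept.` and `Any relevant generated output files`; consider enabling GitHub's private vulnerability reporting on the repository or publishing a PGP key alongside the address, so that exploit details and config files (which may still carry internal hostnames or partially scrubbed credentials) do not travel in cleartext to a consumer mailbox. Two smaller points: item 2 of "Security Best Practices for Users" says the scaffolded workflows use `version-pinned actions where possible` but does not say whether the pins are tags or full commit SHAs; a tag pin can be moved by the action's maintainer, so stating that generated workflows pin to SHAs (or advising users to convert them) would make the advice match the build-integrity concern listed under in-scope item 6. Finally, the "Supported Versions" table lists `Latest` without saying where that is defined (GitHub releases or PyPI), so the `devopsos --version` output reporters are asked to include has nothing documented to compare against.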