Do not report security vulnerabilities through public GitHub issues.
Use GitHub Private Vulnerability Reporting instead. You will receive a response within 48 hours.
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
We coordinate disclosure timing with reporters and prefer at least 90 days before public disclosure.
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
All release artifacts include cryptographically signed build provenance attestations.

```bash
# Docker image
gh attestation verify oci://ghcr.io/hcavarsan/kftray-server:latest --owner hcavarsan
# CLI binary
gh attestation verify kftui_linux_amd64.tar.gz --owner hcavarsan
# Desktop app
gh attestation verify kftray_<version>_amd64.AppImage --owner hcavarsan
```

All SBOMs and VEX documents are signed with Cosign keyless signing using the v3 bundle format:
```bash
curl -LO https://github.com/hcavarsan/kftray/releases/latest/download/sbom-kftray.cdx.json
curl -LO https://github.com/hcavarsan/kftray/releases/latest/download/sbom-kftray.cdx.json.bundle.json
cosign verify-blob \
  --bundle sbom-kftray.cdx.json.bundle.json \
  --certificate-identity-regexp "https://github.com/hcavarsan/kftray" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  sbom-kftray.cdx.json
```

Replace `kftray` with `kftui` or `kftray-server` for the other artifacts.
```bash
curl -LO https://github.com/hcavarsan/kftray/releases/latest/download/.vex.openvex.json
curl -LO https://github.com/hcavarsan/kftray/releases/latest/download/.vex.openvex.json.bundle.json
cosign verify-blob \
  --bundle .vex.openvex.json.bundle.json \
  --certificate-identity-regexp "https://github.com/hcavarsan/kftray" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  .vex.openvex.json
```

The kftray-server image:
| Property | Value |
|---|---|
| Base image | gcr.io/distroless/static:nonroot (SHA-pinned) |
| User | Non-root |
| Shell | None |
| Architectures | linux/amd64, linux/arm64 |
Builds meet SLSA Level 2 requirements:
| Requirement | Status |
|---|---|
| Build service | GitHub Actions (hosted runners) |
| Signed provenance | actions/attest-build-provenance@v3.2.0 |
| Non-forgeable | GitHub's Sigstore-based attestation |
| Service-generated | Provenance generated by GitHub |
- Automated updates via Renovate
- Vulnerability scanning with Grype on every release
- VEX document (`.vex.openvex.json`) for vulnerability suppression
- Releases blocked on critical/high CVEs
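As an added illustration of how the VEX document and the critical/high gate interact (example code, not part of the project's release tooling), the following applies OpenVEX statements to a Grype-style report and lists the findings that would still block a release. The report layout is assumed to follow Grype's JSON output, and every CVE id, package and URL in it is a constructed placeholder.

```python
# Constructed sample in Grype's JSON report layout (assumed to match vuln-report-*.json).
GRYPE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"purl": "pkg:golang/example.com/liba@1.2.3"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"},
     "artifact": {"purl": "pkg:golang/example.com/libb@0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical"},
     "artifact": {"purl": "pkg:golang/example.com/libc@4.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"},
     "artifact": {"purl": "pkg:golang/example.com/libd@2.0.0"}},
]}
# Constructed OpenVEX document in the shape of .vex.openvex.json (ids are placeholders).
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0", "version": 1, "author": "constructed",
    "@id": "https://example.invalid/vex/constructed", "timestamp": "2024-01-01T00:00:00Z",
    "statements": [
        # usable: not_affected backed by a justification
        {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
         "products": [{"@id": "pkg:golang/example.com/liba@1.2.3"}],
         "justification": "vulnerable_code_not_in_execute_path"},
        # unusable: not_affected with neither justification nor impact_statement
        {"vulnerability": {"name": "CVE-0000-0002"}, "status": "not_affected",
         "products": [{"@id": "pkg:golang/example.com/libb@0.9.0"}]},
        # mismatch: the statement covers a different version of the product
        {"vulnerability": {"name": "CVE-0000-0003"}, "status": "fixed",
         "products": [{"@id": "pkg:golang/example.com/libc@3.9.0"}]},
    ],
}
BLOCKING_SEVERITIES = {"critical", "high"}

def suppressed(vex):
    """(CVE, purl) pairs a usable statement closes: fixed, or justified not_affected."""
    closed = set()
    for st in vex.get("statements", []):
        status, justified = st.get("status"), st.get("justification") or st.get("impact_statement")
        if status != "fixed" and not (status == "not_affected" and justified):
            continue  # affected/under_investigation never suppress; unjustified not_affected is ignored
        for prod in st.get("products", []):
            closed.add((st["vulnerability"]["name"], prod["@id"]))
    return closed

def blocking_findings(report, vex):
    """Critical/high matches not covered by a usable VEX statement, as 'CVE purl'."""
    closed = suppressed(vex)
    return sorted(
        f"{m['vulnerability']['id']} {m['artifact']['purl']}"
        for m in report.get("matches", [])
        if m["vulnerability"]["severity"].lower() in BLOCKING_SEVERITIES
        and (m["vulnerability"]["id"], m["artifact"]["purl"]) not in closed)
```

With the constructed inputs, only the justified `not_affected` statement clears its finding; the unjustified one and the version-mismatched `fixed` statement leave their criticals blocking, and the medium finding never enters the gate.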
Each release includes per-artifact security documentation:

| Artifact | SBOM | Bundle | Vuln Report |
|---|---|---|---|
| kftray (Desktop) | sbom-kftray.cdx.json | `.bundle.json` | vuln-report-kftray.json |
| kftui (CLI) | sbom-kftui.cdx.json | `.bundle.json` | vuln-report-kftui.json |
| kftray-server (Docker) | sbom-kftray-server.cdx.json | `.bundle.json` | vuln-report-kftray-server.json |
Additionally:

| File | Description |
|---|---|
| `.vex.openvex.json` | VEX assessments for vulnerability suppression |
| `.vex.openvex.json.bundle.json` | VEX Cosign bundle (signature + certificate) |
We thank the following individuals for responsibly disclosing vulnerabilities:
No vulnerabilities reported yet.