Security: joelp172/uptime-robot-operator

SECURITY.md

Security Policy

This document explains how to verify Uptime Robot Operator images, report vulnerabilities, and apply deployment security best practices.

Container Image Security

All images published by the Uptime Robot Operator are scanned for vulnerabilities, signed with Cosign, and include Software Bill of Materials (SBOM) attestations.

Image scanning

Every image is scanned using Trivy for known vulnerabilities before release. The build fails if any critical or high-severity vulnerabilities are detected.

  • Scan results are uploaded to the GitHub Security tab
  • Vulnerabilities are tracked and remediated promptly
  • Images are rebuilt regularly to incorporate security patches

Image signing

All images are signed with Cosign using keyless signing: the short-lived signing certificate is issued by Fulcio against the GitHub Actions OpenID Connect (OIDC) identity of the release workflow, so a verifier can confirm that an image was produced by this repository's workflow, not merely that it was signed by some key.

Base image

The Uptime Robot Operator uses distroless base images (gcr.io/distroless/static:nonroot):

  • Contains only the application and its runtime dependencies
  • No shell, package manager, or unnecessary tools
  • Runs as a non-root user
  • Minimises attack surface

Verify Image Signatures

Prerequisites: Cosign installed.

To verify a signed release image:

cosign verify \
  --certificate-identity="https://github.com/joelp172/uptime-robot-operator/.github/workflows/release.yml@refs/heads/main" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/joelp172/uptime-robot-operator:v1.0.0

Release signatures are produced by .github/workflows/release.yml, which runs on main.
The expected Fulcio certificate identity therefore uses @refs/heads/main (not @refs/tags/...).
Note that this identity matches every run of release.yml on main, not only the run that produced v1.0.0. If you need to tie a deployment to one specific build, record the image digest that verification reports and deploy by digest.

Successful verification outputs:

Verification for ghcr.io/joelp172/uptime-robot-operator:v1.0.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

Software Bill of Materials (SBOM)

Each release includes SBOM files in both SPDX and CycloneDX formats. SBOMs provide a complete inventory of all software components in the image.

Download SBOMs from releases

  1. Go to the Releases page
  2. Download sbom-spdx.json or sbom-cyclonedx.json from the release assets

Verify SBOM attestations

Each SBOM is also attached to its image as a signed in-toto attestation, so it can be verified against the same workflow identity as the image itself. cosign prints one DSSE envelope per verified attestation; the jq/base64 pipeline below decodes the in-toto statement it carries:

# Verify SPDX SBOM attestation
cosign verify-attestation \
  --type spdxjson \
  --certificate-identity="https://github.com/joelp172/uptime-robot-operator/.github/workflows/release.yml@refs/heads/main" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/joelp172/uptime-robot-operator:v1.0.0 | jq -r .payload | base64 -d | jq .

# Verify CycloneDX SBOM attestation
cosign verify-attestation \
  --type cyclonedx \
  --certificate-identity="https://github.com/joelp172/uptime-robot-operator/.github/workflows/release.yml@refs/heads/main" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/joelp172/uptime-robot-operator:v1.0.0 | jq -r .payload | base64 -d | jq .
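The jq pipeline above prints the decoded statement but leaves two checks to the reader: that the statement really is the SBOM type you asked for, and that its subject digest is the image you intend to run. The Python script below is an added example, not the project's own tooling: it decodes cosign's output and makes both checks. It assumes the predicate-type URIs cosign records for --type spdxjson and --type cyclonedx; the envelope, digest and SPDX predicate it runs on when invoked without arguments are constructed sample data.

```python
"""Offline checks on cosign SBOM attestation output (added example, not project code).

cosign verify-attestation prints one DSSE envelope per verified attestation as
newline-delimited JSON. Signature checking is cosign's job; what remains is to
confirm the in-toto statement is the SBOM type requested and is bound to the
digest you are about to deploy.
"""
import base64
import json
from typing import List, Optional, Tuple

# in-toto statement types cosign has emitted (v0.1 today; accept v1 as well).
STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Predicate types cosign records for `--type spdxjson` and `--type cyclonedx`.
PREDICATE_TYPES = {
    "spdxjson": "https://spdx.dev/Document",
    "cyclonedx": "https://cyclonedx.org/bom",
}


def decode_envelopes(cosign_output: str) -> List[dict]:
    """Decode every DSSE envelope in cosign's output into its in-toto statement."""
    statements = []
    for line in cosign_output.splitlines():
        line = line.strip()
        if not line:
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def sbom_for_image(cosign_output: str, sbom_type: str, image_digest: str) -> Tuple[bool, str, Optional[dict]]:
    """Return (ok, reason, predicate) for the first statement that is an SBOM of
    the requested type AND lists image_digest ("sha256:<hex>") as a subject."""
    want_type = PREDICATE_TYPES[sbom_type]
    want_hex = image_digest.split(":", 1)[1] if image_digest.startswith("sha256:") else image_digest
    for statement in decode_envelopes(cosign_output):
        if statement.get("_type") not in STATEMENT_TYPES:
            continue
        if statement.get("predicateType") != want_type:
            continue
        # A statement may carry several subjects; the digest must match one of them exactly.
        if any(s.get("digest", {}).get("sha256") == want_hex for s in statement.get("subject", [])):
            return True, "ok", statement.get("predicate")
    return False, f"no {sbom_type} attestation bound to {image_digest}", None


def constructed_envelope(digest_hex: str, predicate_type: str, predicate: dict) -> str:
    """Build a DSSE envelope with a placeholder signature (constructed test data only)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "ghcr.io/joelp172/uptime-robot-operator", "digest": {"sha256": digest_hex}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "placeholder"}]})


# Constructed sample: a fake digest and a minimal SPDX predicate.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_PREDICATE = {"spdxVersion": "SPDX-2.3", "name": "sample-sbom", "packages": []}
SAMPLE_OUTPUT = constructed_envelope("ab" * 32, PREDICATE_TYPES["spdxjson"], SAMPLE_PREDICATE) + "\n"

if __name__ == "__main__":
    import sys
    # Real use: cosign verify-attestation --type spdxjson ... IMAGE | python3 check_sbom.py sha256:<digest>
    live = len(sys.argv) > 1
    output = sys.stdin.read() if live else SAMPLE_OUTPUT
    digest = sys.argv[1] if live else SAMPLE_DIGEST
    ok, reason, predicate = sbom_for_image(output, "spdxjson", digest)
    print(reason)
    if ok:
        print(json.dumps(predicate, indent=2))
    sys.exit(0 if ok else 1)
```

The digest argument should come from the same place you take the deployable reference (for example the docker-manifest-digest in cosign verify's JSON output), so that the SBOM you inspect is the SBOM of the manifest you run.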

Scan SBOMs for vulnerabilities

Use Trivy to analyse SBOMs for known vulnerabilities:

trivy sbom sbom-spdx.json

Report Security Vulnerabilities

If you discover a security vulnerability, report it by:

  1. DO NOT open a public issue
  2. Use GitHub's private vulnerability reporting feature: https://github.com/joelp172/uptime-robot-operator/security/advisories/new
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We respond within 48 hours and work with you to address the issue promptly.

Deployment Best Practices

When you deploy the operator, follow these practices:

Use specific image tags

Use specific version tags instead of latest or beta. Tags are mutable, so for the strongest guarantee deploy the digest that cosign verify reported (image@sha256:...) rather than the tag:

# Good
image: ghcr.io/joelp172/uptime-robot-operator:v1.0.0

# Avoid
image: ghcr.io/joelp172/uptime-robot-operator:latest

Verify images before deployment

Add image verification to your deployment pipeline:

#!/bin/bash
set -e

IMAGE="ghcr.io/joelp172/uptime-robot-operator:v1.0.0"

# Use release workflow identity for versioned images
cosign verify \
  --certificate-identity="https://github.com/joelp172/uptime-robot-operator/.github/workflows/release.yml@refs/heads/main" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  "${IMAGE}"

# Deploy only if verification succeeds (exit code 0)
kubectl apply -f deployment.yaml
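The script above verifies the tag and then applies a manifest that still references the tag, so the digest cosign checked is never tied to what kubectl deploys. The Python below is an added example, not the project's own code: it reads cosign's --output json, takes the signed digest from it and rewrites the manifest to image@sha256:... before applying. The cosign JSON it uses without --live is a constructed sample laid out like cosign's simple-signing output (the Bundle field omitted); the Deployment manifest is constructed too.

```python
"""Pin a verified tag to the digest cosign actually checked (added example, not project code).

With --output json, cosign verify prints the matching signatures as a JSON array
on stdout (human-readable text goes to stderr). Each entry carries the signed
manifest digest in critical.image.docker-manifest-digest and, for keyless
signatures, the certificate Subject and Issuer under optional.
"""
import json
import re
import subprocess

IMAGE = "ghcr.io/joelp172/uptime-robot-operator:v1.0.0"
IDENTITY = ("https://github.com/joelp172/uptime-robot-operator/"
            ".github/workflows/release.yml@refs/heads/main")
ISSUER = "https://token.actions.githubusercontent.com"


def run_cosign_verify(image: str, identity: str, issuer: str) -> str:
    """Run cosign verify against the registry; raises CalledProcessError on failure."""
    cmd = ["cosign", "verify", "--output", "json",
           f"--certificate-identity={identity}",
           f"--certificate-oidc-issuer={issuer}", image]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def repository_of(image: str) -> str:
    """Strip any tag or digest: registry:port/path:tag@sha256:... -> registry:port/path."""
    ref = image.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")
    last = last.split(":", 1)[0]  # a ':' in the last path component separates the tag
    return head + sep + last


def pinned_reference(image: str, cosign_json: str, identity: str, issuer: str) -> str:
    """Return repo@sha256:... from cosign's JSON, refusing anything ambiguous."""
    signatures = json.loads(cosign_json)
    if not signatures:
        raise ValueError("cosign returned no signatures")
    digests = set()
    for sig in signatures:
        optional = sig.get("optional") or {}
        # cosign already enforced identity and issuer; re-checking protects
        # against a pipeline step feeding in the wrong JSON.
        if optional.get("Subject") != identity or optional.get("Issuer") != issuer:
            raise ValueError(f"unexpected signer {optional.get('Subject')} via {optional.get('Issuer')}")
        digests.add(sig["critical"]["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError(f"signatures disagree on the image digest: {sorted(digests)}")
    digest = digests.pop()
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest: {digest}")
    return f"{repository_of(image)}@{digest}"


def pin_manifest(manifest: str, image: str, pinned: str) -> str:
    """Rewrite every `image: <image>` line (whole value only) to the pinned reference."""
    line = re.compile(r"^([ \t]*(?:-[ \t]+)?image:[ \t]*)" + re.escape(image) + r"[ \t]*$",
                      re.MULTILINE)
    return line.sub(lambda m: m.group(1) + pinned, manifest)


# Constructed sample: what cosign verify --output json returns for one keyless signature.
SAMPLE_DIGEST = "sha256:" + "cd" * 32
SAMPLE_COSIGN_JSON = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/joelp172/uptime-robot-operator"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": ISSUER, "Subject": IDENTITY},
}])
SAMPLE_MANIFEST = """apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: manager
        image: ghcr.io/joelp172/uptime-robot-operator:v1.0.0
"""

if __name__ == "__main__":
    import sys
    # Pipeline use: python3 pin_image.py --live < deployment.yaml | kubectl apply -f -
    live = "--live" in sys.argv
    output = run_cosign_verify(IMAGE, IDENTITY, ISSUER) if live else SAMPLE_COSIGN_JSON
    ref = pinned_reference(IMAGE, output, IDENTITY, ISSUER)
    manifest = sys.stdin.read() if live else SAMPLE_MANIFEST
    sys.stdout.write(pin_manifest(manifest, IMAGE, ref))
```

Any failure (non-zero cosign exit, no signatures, two signatures naming different digests, or a signer other than the release workflow) raises before anything is written, so nothing reaches kubectl unless the pinned reference was produced from a verified signature.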
