Use GitHub's private vulnerability reporting for this repository. Do not open a public issue for security vulnerabilities.
This repository manages Kubernetes manifests and tooling for a local OrbStack development cluster. It does not handle production customer data, so the primary security concerns are:
- Supply-chain integrity of container images (Cribl, OTEL Collector, Bifrost, etc.)
- Secret hygiene — all secrets are managed via SOPS + Doppler, never committed in plaintext
- GitHub Actions security — untrusted external actions are pinned to a full commit SHA; CodeQL analysis (Python + Actions) is a required status check enforced by a repository ruleset
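The secret-hygiene rule above is easy to state and easy to break by accident (a `kubectl create secret --dry-run -o yaml` pasted into a manifest, for example). The following check is an added example, not tooling from this repository: it scans a multi-document manifest file and reports any `Secret` whose `data`/`stringData` values are not SOPS `ENC[...]` scalars, or which lacks the top-level `sops:` metadata block. It assumes the `.sops.yaml` uses `encrypted_regex: ^(data|stringData)$` (the usual setup for Kubernetes Secrets; whether this repository does so is an assumption), and the sample manifests are constructed for the example.

```python
import re
from typing import List

# A SOPS-encrypted scalar looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:...].
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
SECTION_RE = re.compile(r"^(data|stringData):\s*$")   # assumption: the encrypted_regex keys
ENTRY_RE = re.compile(r"^\s+([^:\s][^:]*):\s*(.*?)\s*$")
SOPS_META_RE = re.compile(r"^sops:\s*$")
DOC_SPLIT_RE = re.compile(r"^---\s*$", re.MULTILINE)


def plaintext_secret_findings(manifests: str) -> List[str]:
    """Line-based scan (no YAML library needed) of a multi-document manifest.
    Returns one finding per Secret entry that is not SOPS-encrypted and one per
    Secret document that has no top-level `sops:` metadata block."""
    findings = []
    for idx, doc in enumerate(DOC_SPLIT_RE.split(manifests)):
        lines = doc.splitlines()
        kinds = [m.group(1) for m in map(KIND_RE.match, lines) if m]
        if kinds != ["Secret"]:
            continue  # only Secret objects fall under the SOPS rule
        section = None
        for line in lines:
            sec = SECTION_RE.match(line)
            if sec:
                section = sec.group(1)
                continue
            if line and not line[0].isspace():
                section = None  # any other top-level key ends the data block
                continue
            m = ENTRY_RE.match(line) if section else None
            if m:
                key, value = m.group(1), m.group(2).strip("'\"")
                if not ENC_RE.match(value):
                    findings.append(f"doc {idx}: {section}.{key} is not SOPS-encrypted")
        if not any(SOPS_META_RE.match(line) for line in lines):
            findings.append(f"doc {idx}: no sops metadata block")
    return findings


# Constructed sample: one properly encrypted Secret, one leaked plaintext Secret,
# and a ConfigMap that is out of scope. The ENC[...] payloads are placeholders.
SAMPLE_MANIFESTS = """\
apiVersion: v1
kind: Secret
metadata:
  name: doppler-token
type: Opaque
stringData:
  token: ENC[AES256_GCM,data:Qk5l+x/4,iv:aGVsbG8=,tag:d29ybGQ=,type:str]
sops:
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
  version: 3.8.1
---
apiVersion: v1
kind: Secret
metadata:
  name: leaked
type: Opaque
data:
  password: cGFzc3dvcmQ=
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: not-a-secret
data:
  key: plain-is-fine
"""

if __name__ == "__main__":
    for finding in plaintext_secret_findings(SAMPLE_MANIFESTS):
        print(finding)
```

Run it as a pre-commit hook or CI step over every manifest path; a non-empty result should fail the check. It deliberately treats a missing `sops:` block as a finding even when every value happens to look encrypted, because without the MAC SOPS cannot verify the file was not tampered with.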
Renovate manages dependency updates with a 3-day stabilization delay, so a new release is not proposed until it has been public for three days. Trusted external GitHub Actions use version tags; untrusted actions are pinned to a full commit SHA. See the org-level SECURITY.md for the full dependency trust tier model.
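A tag can be moved to point at different code after the fact, which is why the tier model above allows tags only for trusted owners. The following check is an added example, not part of this repository's tooling: it scans workflow text for `uses:` references and flags any external action that is neither from a trusted owner nor pinned to a 40-hex commit SHA, and any reference with no `@ref` at all. The trusted-owner set and the action names in the sample workflow are placeholders; the real tier list is the org-level SECURITY.md.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Line-based scan of workflow YAML; no YAML library needed for `uses:` lines.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumption: the org's "trusted" tier. Stand-in for the org-level SECURITY.md list.
TRUSTED_OWNERS = {"actions", "github"}


def check_uses(uses: str, trusted_owners: Iterable[str]) -> Optional[str]:
    """Return None if a `uses:` reference complies with the pinning policy,
    otherwise a short reason string."""
    uses = uses.strip("'\"")
    # Local composite actions and docker:// images are not GitHub-hosted external
    # actions, so the tag-vs-SHA rule is not applied to them here.
    if uses.startswith("./") or uses.startswith("docker://"):
        return None
    ref, _, version = uses.partition("@")
    if not version:
        return "no @ref at all (floats to the default branch)"
    owner = ref.split("/", 1)[0]
    if owner in trusted_owners:
        return None  # trusted tier: version tags are acceptable
    if SHA_RE.match(version):
        return None  # untrusted but pinned to a full commit SHA
    return "untrusted action must be pinned to a full 40-hex commit SHA"


def find_violations(workflow_text: str,
                    trusted_owners: Iterable[str] = TRUSTED_OWNERS) -> List[Tuple[int, str, str]]:
    """Return (line_number, uses, reason) for every non-compliant `uses:` line."""
    violations = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            reason = check_uses(m.group(1), trusted_owners)
            if reason:
                violations.append((lineno, m.group(1), reason))
    return violations


# Constructed sample workflow; "example-vendor" actions are placeholders, not real projects.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: example-vendor/setup-tool@v2
      - uses: example-vendor/other-tool@0123456789abcdef0123456789abcdef01234567 # v1.4.0
      - uses: example-vendor/unpinned-tool
"""

if __name__ == "__main__":
    for lineno, uses, reason in find_violations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses}: {reason}")
```

On the sample, `actions/checkout@v4` passes as a trusted-tier tag, the SHA-pinned `other-tool` passes, and the two remaining `example-vendor` references are reported. Keeping the human-readable version as a trailing comment next to the SHA, as on the pinned line, is what lets Renovate keep the pin up to date.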
This repository targets the Kubernetes versions below. Security fixes are only backported to supported versions.
| Kubernetes Version | Status |
|---|---|
| 1.30+ | Supported |
| <1.30 | Unsupported |