Written by Andrea Frittoli, IBM (Tekton Maintainer)
In March 2022, Trail of Bits finalized the Tekton project’s security audit.
Audit Goals
The Tekton Security Audit aimed to provide a security assessment of Tekton through a combination of static and dynamic analyses of the Tekton Pipelines, Tekton Triggers, and the Tekton Dashboard components. Its goal was to help the community—developers and users alike—build secure Continuous Delivery infrastructure through Tekton and make the world a safer place.
The Trail of Bits team sought to answer the following (non-exhaustive) list of questions:
- Do the configurations provided for users generally follow best practices for security?
- Is there appropriate validation of filesystem operations, such as handling symbolic links and setting file permissions?
- Are system secrets vulnerable to data exposure?
- Could an attacker perform log injection attacks against the application to trick operators into performing undesirable actions?
- Does the application properly handle errors?
- If the application is installed and configured based on official instructions, is it reasonably secure by default?
- Could attackers use malicious pipelines or triggers to perform container escape attacks and access the cluster?
Audit Results
The audit uncovered one significant flaw in the Tekton Dashboard, which was promptly fixed by the Tekton team.
We are happy to report that the majority of the findings are of lesser severity and that no high-severity issues were found in the Tekton Pipeline, which is Tekton’s core component.
For the full summary of the findings, view Page 10 of the report.
What’s Next
The high-severity issue was addressed right away, and the team enabled further static-analysis security testing and automatic dependency management as part of our CI. The low-severity security issues were labelled, and we will work through fixing them.
Since the security audit, we have patched Tekton releases based on vulnerabilities discovered in Tekton dependencies, such as the Golang language itself.
Tekton’s vulnerability management team is dedicated to keeping Tekton as secure as possible. Please continue to help us by reporting any vulnerabilities any vulnerabilities you discover at tekton-vmt[at]googlegroups.com.
Get Involved
Want to get more involved in the development of Tekton? Here’s how!