OSTIF is proud to announce the publication of a security audit on the Kubernetes cluster tooling Flux in collaboration with Trail of Bits. Performed over four engineer weeks, this is the second security audit with OSTIF that Flux has undertaken, the first having taken place in November 2021. Repeated security audits are great for projects to act as a “check-up” on the impact of the first audit, and great for OSTIF as we get the opportunity to see how our audit process continues to impact the project’s security. 

The Trail of Bits team utilized static and dynamic testing methods with automatic and manual processes. In the report, they outline the audit’s goals with a list of 23 questions that were developed to devise the team’s scope and focuses within this audit. With manual review and results from test harnesses such as semgrep, CodeQL, TruffleHog and golangci-lint, engineers reported 10 findings with security impact.

Of the findings three were low, six informational, and one undetermined in criticality. These were found inside the five testing targets outlined by the scope of this audit. The Flux team has fixed seven of these findings, with the remaining three either unresolved or partially resolved. Addressed in further detail in the audit report are the Codebase Maturity Evaluation results, Non-Security Related Findings, as well as recommendations for the project’s next steps for further security. 

This audit was extremely lively, with lots of discussion and debate between the project representatives and Trail of Bits. This allowed the audit team to produce a detailed, specific and curated report with the results and recommendations being as finely tuned as possible to the security needs and function of the project. The previous audit of Flux in 2021 resulted in the disclosure of 22 findings, over 200% more than this audit. Results like this are evidence that projects that undergo security audits are more likely to have a reduction in security issues to address in the future than projects that do not undergo audits or do not resolve audit issues. 

OSTIF would like to thank the Flux team, specifically Hidde Beydals, Paulo Gomes, Stefan Prodan, Max Werner, and Scott Rigby for their contributions and help with this audit. Gratitude as well goes to Trail of Bits, notably Maciej Domański, Sam Alws, Sam Greenup and Jeff Braswell. Finally, a thank you to the Cloud Native Computing Foundation for their funding and support of this audit and many others.

You can read the report HERE

You can read Flux’s post HERE