Open Source Technology Improvement Fund is happy to report the results of yet another security audit, this time of the Argo project. The Argo project is a collection of tools for getting work done with Kubernetes. The main components of Argo audited are:
- Argo Workflows – Container-native Workflow Engine
- Argo CD – Declarative GitOps Continuous Delivery
- Argo Events – Event-based Dependency Manager
Additionally, the Ada Logics team built 7 new fuzzers to integrate into the ossfuzz testing suite for Argo that focus on security relevant functions. The Argo team and community demonstrated a strong commitment to improving the project’s security posture. See the full report and Argo team’s synopsis below for detailed information.
Thank you to Cloud Native Computing Foundation (CNCF) for funding this audit and entrusting Open Source Technology Improvement Fund to facilitate it.
Special thanks to David Korczynski and Adam Korczynski of Ada Logics for auditing the software and to the Argo team Alex Collins, Derek Wang, Hari Rongali, Henrik Blixt, Jann Fischer, Michael Crenshaw and Jesse Suen for their committed support. Strong collaboration between the review team and project maintainers helps the audit process be more impactful, especially with the help of the community.
Everyone around the world depends on OSS. We’d love to do more security audits to proactively find and fix vulnerabilities! If you’re interested in financially supporting this work, contact [email protected].
Argo Full Audit Report: https://ostif.org/wp-content/uploads/2022/07/ostif_argo_security_audit_2022.pdf
Ada Logics Blog: https://adalogics.com/blog/argo-security-audit
Cloud Native Computing Fund Announcement: