mirror of https://github.com/VictoriaMetrics/VictoriaMetrics.git
Enable BuildKit-native SPDX SBOM and provenance attestations by setting `--sbom=true --provenance=true` in `docker buildx build` within `publish-via-docker`.

- Set `--provenance=true --sbom=true` in `publish-via-docker` for both Alpine and scratch variants
- Add SBOM section to SECURITY.md with inspection and Trivy scan instructions
- Update Release-Guide.md
- Add changelog entry

Verified end-to-end: pushed test image to GHCR, confirmed SBOM attestation via `docker buildx imagetools inspect`, and Trivy scan via `trivy image --sbom-sources oci` succeeded (with 0 vulnerabilities :-)).

Fixes #10473

### Checklist

The following checks are **mandatory**:

- [X] My change adheres to [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/victoriametrics/contributing/#pull-request-checklist).
- [X] My change adheres to [VictoriaMetrics development goals](https://docs.victoriametrics.com/victoriametrics/goals/).

---------

Signed-off-by: John Allberg <john@ayoy.se>
Signed-off-by: Max Kotliar <mkotlyar@victoriametrics.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Max Kotliar <kotlyar.maksim@gmail.com>
Co-authored-by: Max Kotliar <mkotlyar@victoriametrics.com>
# Security Policy

## Supported Versions

The following versions of VictoriaMetrics receive regular security fixes:

| Version | Supported |
|---|---|
| Latest release | ✅ |
| LTS releases | ✅ |
| other releases | ❌ |
See this page for more details.
## Software Bill of Materials (SBOM)

Every VictoriaMetrics container image published to Docker Hub and Quay.io includes an SPDX SBOM attestation generated automatically by BuildKit during `docker buildx build`.

To inspect the SBOM for an image:

```sh
docker buildx imagetools inspect \
  docker.io/victoriametrics/victoria-metrics:latest \
  --format "{{ json .SBOM }}"
```

To scan an image using its SBOM attestation with Trivy:

```sh
trivy image --sbom-sources oci \
  docker.io/victoriametrics/victoria-metrics:latest
```
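The inspect command above prints the attestation as JSON, which is more useful once you pull the package list out of it. The script below is an added example, not part of VictoriaMetrics' SECURITY.md or the project's tooling: it parses an SPDX document of the shape BuildKit attaches (assumed here to sit under a top-level `SPDX` key, with packages carrying package-URL `externalRefs`), counts packages by ecosystem, looks up a package's version, and lists packages that carry no version at all, since those are exactly the entries a scanner such as Trivy cannot match against advisories. The embedded SBOM is constructed for illustration and describes no real image.

```python
"""Summarise an SPDX SBOM obtained from a BuildKit image attestation.

Added example (not VictoriaMetrics code). Assumptions, labelled:
  * the JSON printed by `docker buildx imagetools inspect --format "{{ json .SBOM }}"`
    holds the SPDX document under the "SPDX" key (a bare SPDX document is accepted too);
  * each package lists its package URL (purl) in "externalRefs".
"""
import json
from collections import Counter

# Constructed sample in the shape of a BuildKit SBOM attestation; not real data.
SAMPLE_SBOM_JSON = json.dumps({
    "SPDX": {
        "spdxVersion": "SPDX-2.3",
        "name": "sbom",
        "packages": [
            {"name": "alpine-baselayout", "versionInfo": "3.4.3-r1",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:apk/alpine/alpine-baselayout@3.4.3-r1"}]},
            {"name": "github.com/VictoriaMetrics/VictoriaMetrics", "versionInfo": "(devel)",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:golang/github.com/VictoriaMetrics/VictoriaMetrics"}]},
            {"name": "golang.org/x/net", "versionInfo": "v0.23.0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:golang/golang.org/x/net@v0.23.0"}]},
            # Constructed entry with no version and no purl: invisible to advisory matching.
            {"name": "mystery-lib"},
        ],
    }
})


def load_spdx(attestation_json: str) -> dict:
    """Return the SPDX document from the attestation JSON (see assumptions above)."""
    data = json.loads(attestation_json)
    if "spdxVersion" in data:          # already a bare SPDX document
        return data
    if "SPDX" in data:                 # BuildKit attestation wrapper
        return data["SPDX"]
    raise ValueError("no SPDX document found in attestation output")


def purl_type(pkg: dict) -> str:
    """Return the purl type (apk, golang, ...) of a package, or 'unknown' if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            locator = ref.get("referenceLocator", "")
            if locator.startswith("pkg:"):
                # "pkg:apk/alpine/foo@1.0" -> "apk"
                return locator[4:].split("/", 1)[0]
    return "unknown"


def packages_by_type(spdx: dict) -> Counter:
    """Count packages per ecosystem so an unexpected ecosystem stands out at a glance."""
    return Counter(purl_type(p) for p in spdx.get("packages", []))


def find_package(spdx: dict, name: str):
    """Return the recorded version of `name`, or None if the SBOM does not list it."""
    for pkg in spdx.get("packages", []):
        if pkg.get("name") == name:
            return pkg.get("versionInfo")
    return None


def unversioned_packages(spdx: dict) -> list:
    """Names of packages without a version; scanners cannot match these to advisories."""
    return sorted(p["name"] for p in spdx.get("packages", []) if not p.get("versionInfo"))


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SBOM_JSON)
    print("packages by ecosystem:", dict(packages_by_type(doc)))
    print("golang.org/x/net version:", find_package(doc, "golang.org/x/net"))
    print("unversioned packages:", unversioned_packages(doc))
```

To use it against a real image, pipe the output of the inspect command into `load_spdx` instead of `SAMPLE_SBOM_JSON`; if your `imagetools inspect` output nests the SPDX document differently (for example per platform), adjust `load_spdx` to match what you see.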
## Reporting a Vulnerability

Please report any security issues to security@victoriametrics.com