VictoriaMetrics/SECURITY.md
John Allberg 7969647553 publish SPDX SBOM attestations for container images (#10474)
Enable BuildKit-native SPDX SBOM and provenance attestations by setting
`--sbom=true --provenance=true` in `docker buildx build` within
`publish-via-docker`.

- Set `--provenance=true --sbom=true` in `publish-via-docker` for both
Alpine and scratch variants
- Add SBOM section to SECURITY.md with inspection and Trivy scan
instructions
- Update Release-Guide.md
- Add changelog entry

Verified end-to-end: pushed test image to GHCR, confirmed SBOM
attestation via `docker buildx imagetools inspect`, and Trivy scan via
`trivy image --sbom-sources oci` succeeded (with 0 vulnerabilities :-)).

Fixes #10473 

### Checklist

The following checks are **mandatory**:

- [X] My change adheres to [VictoriaMetrics contributing
guidelines](https://docs.victoriametrics.com/victoriametrics/contributing/#pull-request-checklist).
- [X] My change adheres to [VictoriaMetrics development
goals](https://docs.victoriametrics.com/victoriametrics/goals/).

---------

Signed-off-by: John Allberg <john@ayoy.se>
Signed-off-by: Max Kotliar <mkotlyar@victoriametrics.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Max Kotliar <kotlyar.maksim@gmail.com>
Co-authored-by: Max Kotliar <mkotlyar@victoriametrics.com>
2026-02-27 10:50:03 +02:00


# Security Policy

## Supported Versions

The following versions of VictoriaMetrics receive regular security fixes:

| Version        | Supported |
|----------------|-----------|
| Latest release |           |
| LTS releases   |           |
| other releases |           |

See this page for more details.

## Software Bill of Materials (SBOM)

Every VictoriaMetrics container image{{% available_from "#" %}} published to Docker Hub and Quay.io includes an SPDX SBOM attestation generated automatically by BuildKit during `docker buildx build`.

To inspect the SBOM for an image:

```sh
docker buildx imagetools inspect \
  docker.io/victoriametrics/victoria-metrics:latest \
  --format "{{ json .SBOM }}"
```

The attestation is attached to the image manifest in the registry, so `imagetools inspect` reads it from the registry without pulling the image layers; for a multi-platform image the output is keyed by platform (for example `linux/amd64`).

To scan an image using its SBOM attestation with Trivy, which makes Trivy read the attached SBOM instead of scanning the image filesystem:

```sh
trivy image --sbom-sources oci \
  docker.io/victoriametrics/victoria-metrics:latest
```
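The following script is an added example and is not part of this SECURITY.md or of VictoriaMetrics; it shows what a consumer can do with the inspected SBOM beyond eyeballing the JSON. It reads the saved output of the `docker buildx imagetools inspect ... --format '{{ json .SBOM }}'` command above, checks that an SPDX 2.x document is present for every platform, and applies a minimum-version policy to the packages it lists. Assumptions, labelled in the code: single-platform images yield `{"SPDX": {...}}` and multi-platform images a map keyed by platform; the embedded sample SBOM is constructed (its package names and versions are not taken from any real image); and the policy is hypothetical, not a real advisory.

```python
"""Audit the SPDX SBOM attestation of a container image.

Usage:
  docker buildx imagetools inspect IMAGE --format '{{ json .SBOM }}' > sbom.json
  python3 sbom_audit.py sbom.json
Without an argument the script runs on the constructed sample below.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape BuildKit attaches (assumption: single-platform
# images give {"SPDX": {...}}, multi-platform give {"<os>/<arch>": {"SPDX": {...}}}).
# Package names and versions are illustrative, not taken from a real image.
SAMPLE_INSPECT_OUTPUT = {
    "linux/amd64": {
        "SPDX": {
            "spdxVersion": "SPDX-2.3",
            "name": "docker.io/example/victoria-metrics:sample",
            "packages": [
                {"name": "github.com/VictoriaMetrics/VictoriaMetrics", "versionInfo": "v1.0.0"},
                {"name": "golang.org/x/net", "versionInfo": "v0.33.0"},
                {"name": "github.com/klauspost/compress", "versionInfo": "v1.17.9"},
                {"name": "alpine-baselayout", "versionInfo": "3.6.5-r0"},
            ],
        }
    }
}

# Hypothetical policy: minimum acceptable versions. Not a real advisory.
EXAMPLE_POLICY = {
    "golang.org/x/net": "v0.30.0",
    "github.com/klauspost/compress": "v1.18.0",
    "example.com/required-module": "v1.0.0",
}


def spdx_documents(inspect_output) -> Dict[str, dict]:
    """Return {platform: spdx_doc}; handles both output shapes and a null SBOM."""
    if not isinstance(inspect_output, dict):
        return {}
    if "SPDX" in inspect_output:
        return {"single": inspect_output["SPDX"]}
    return {
        platform: entry["SPDX"]
        for platform, entry in inspect_output.items()
        if isinstance(entry, dict) and "SPDX" in entry
    }


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v1.17.9', '0.33.0' or '3.6.5-r0' into a comparable 3-tuple.
    Suffixes after '-' or '+' (pre-release, build, apk revision) are ignored."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    nums = []
    for part in core.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def package_versions(doc: dict) -> Dict[str, str]:
    """Map package name -> versionInfo for every package in an SPDX document."""
    return {pkg["name"]: pkg.get("versionInfo", "")
            for pkg in doc.get("packages", []) if "name" in pkg}


def check_policy(versions: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    """One finding per policy entry that is missing from the SBOM or too old."""
    findings = []
    for name, minimum in sorted(policy.items()):
        if name not in versions:
            findings.append(f"{name}: not listed in SBOM")
        elif parse_version(versions[name]) < parse_version(minimum):
            findings.append(f"{name}: {versions[name]} is below required {minimum}")
    return findings


def audit(inspect_output, policy: Dict[str, str]) -> Dict[str, List[str]]:
    """Validate each SPDX document and apply the policy; returns {platform: findings}."""
    docs = spdx_documents(inspect_output)
    if not docs:
        return {"-": ["no SBOM attestation found in inspect output"]}
    results = {}
    for platform, doc in docs.items():
        findings = []
        if not str(doc.get("spdxVersion", "")).startswith("SPDX-2"):
            findings.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
        if not doc.get("packages"):
            findings.append("SPDX document lists no packages")
        findings.extend(check_policy(package_versions(doc), policy))
        results[platform] = findings
    return results


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_INSPECT_OUTPUT
    results = audit(data, EXAMPLE_POLICY)
    for platform, findings in results.items():
        print(f"[{'FAIL' if findings else 'OK'}] {platform}")
        for finding in findings:
            print(f"  - {finding}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status makes the check usable as a CI gate after the Trivy scan; the version comparison deliberately discards suffixes such as `-r0` or `-rc1`, so tighten `parse_version` if your policy needs to distinguish pre-releases.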

## Reporting a Vulnerability

Please report any security issues to security@victoriametrics.com.