SECURITY-INSIGHTS.yml
header:
  schema-version: 2.1.0
  last-updated: '2026-03-26'
  last-reviewed: '2026-03-26'
  url: https://github.com/siderolabs/talos
  comment: >
    Security Insights for Talos Linux. This file satisfies OSPS Baseline QA-04.01
    by documenting subprojects and additional repositories.
project:
  name: Talos Linux
  homepage: https://www.talos.dev
  administrators:
    - name: Andrey Smirnov
      primary: true
      affiliation: Sidero Labs
    - name: Noel Georgi
      primary: true
      affiliation: Sidero Labs
    - name: Artem Chernyshev
      primary: true
      affiliation: Sidero Labs
  repositories:
    # Build & Packaging
    - name: pkgs
      url: https://github.com/siderolabs/pkgs
      comment: Core system packages (kernel, firmware, containerd, runc).
    - name: tools
      url: https://github.com/siderolabs/tools
      comment: Build toolchain used to compile Talos system packages.
    - name: extensions
      url: https://github.com/siderolabs/extensions
      comment: System extensions (drivers, services, guest agents).
    - name: kubelet
      url: https://github.com/siderolabs/kubelet
      comment: Patched kubelet container image shipped with Talos.
    - name: image-factory
      url: https://github.com/siderolabs/image-factory
      comment: Image builder service for generating Talos installation media.
    - name: contrib
      url: https://github.com/siderolabs/contrib
      comment: Terraform modules and e2e cloud infrastructure for integration testing.
    # Core Libraries
    - name: crypto
      url: https://github.com/siderolabs/crypto
      comment: Certificate and key management library.
    - name: go-blockdevice
      url: https://github.com/siderolabs/go-blockdevice
      comment: Block device management (partitioning, probing).
    - name: siderolink
      url: https://github.com/siderolabs/siderolink
      comment: WireGuard tunnel for Omni connectivity.
    - name: discovery-api
      url: https://github.com/siderolabs/discovery-api
      comment: Cluster discovery protocol definitions.
    - name: discovery-client
      url: https://github.com/siderolabs/discovery-client
      comment: Cluster discovery client implementation.
    - name: go-kubernetes
      url: https://github.com/siderolabs/go-kubernetes
      comment: Kubernetes upgrade and manifest helpers.
    - name: go-talos-support
      url: https://github.com/siderolabs/go-talos-support
      comment: Support bundle collection.
    - name: kms-client
      url: https://github.com/siderolabs/kms-client
      comment: KMS (Key Management Service) client.
    - name: go-loadbalancer
      url: https://github.com/siderolabs/go-loadbalancer
      comment: In-process TCP load balancer (used by KubePrism).
    - name: net
      url: https://github.com/siderolabs/net
      comment: Networking utilities.
    - name: go-smbios
      url: https://github.com/siderolabs/go-smbios
      comment: SMBIOS/DMI hardware info parser.
    - name: go-pcidb
      url: https://github.com/siderolabs/go-pcidb
      comment: PCI device database.
    - name: grpc-proxy
      url: https://github.com/siderolabs/grpc-proxy
      comment: gRPC reverse proxy used by apid.
    - name: go-api-signature
      url: https://github.com/siderolabs/go-api-signature
      comment: API authentication and PGP-based client auth.
    # Forks (maintained patches)
    - name: coredns
      url: https://github.com/siderolabs/coredns
      comment: Fork of coredns/coredns; removes caddy and other unneeded plugins.
    - name: ethtool
      url: https://github.com/siderolabs/ethtool
      comment: Fork of mdlayher/ethtool; adds missing APIs.
    - name: wgctrl-go
      url: https://github.com/siderolabs/wgctrl-go
      comment: Fork of golang.zx2c4.com/wireguard/wgctrl; Talos-specific userspace socket location.
    # Build Infrastructure
    - name: kres
      url: https://github.com/siderolabs/kres
      comment: Repository scaffolding and CI workflow generation.
    - name: conform
      url: https://github.com/siderolabs/conform
      comment: Commit policy enforcement.
    - name: go-tools
      url: https://github.com/siderolabs/go-tools
      comment: Image signing tools.
  vulnerability-reporting:
    reports-accepted: true
    bug-bounty-available: false
    comment: >
      Please use the GitHub Security Advisory tab to report vulnerabilities.
      See SECURITY.md for full details.
    policy: https://github.com/siderolabs/talos/security/policy
repository:
  url: https://github.com/siderolabs/talos
  status: active
  accepts-change-request: true
  accepts-automated-change-request: true
  core-team:
    - name: Andrey Smirnov
      primary: true
      affiliation: Sidero Labs
    - name: Noel Georgi
      primary: true
      affiliation: Sidero Labs
    - name: Artem Chernyshev
      primary: true
      affiliation: Sidero Labs
  license:
    url: https://github.com/siderolabs/talos/blob/main/LICENSE
    expression: MPL-2.0
  security:
    assessments:
      self:
        comment: >
          Self assessment has not yet been completed.