We provide security fixes for the latest released version of each chart. Older versions are not actively maintained.
If you discover a security vulnerability in any HelmForge chart, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, use one of the following methods:
- GitHub Security Advisories (preferred): Report a vulnerability
- Email: berlofa@helmforge.dev or maicon.berloffa@gmail.com
When reporting, please include:
- Chart name and version affected
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
Response timeline:
- Acknowledgment: within 72 hours
- Initial assessment: within 7 days
- Fix or mitigation: best effort, typically within 30 days depending on severity
This policy covers vulnerabilities in:
- Helm chart templates and default configurations
- CI/CD workflows in this repository
- Default `values.yaml` settings that introduce security risks
This policy does not cover:
- Vulnerabilities in upstream application images (report those to the upstream project)
- Misconfiguration by end users in their own `values.yaml` overrides
- Infrastructure or cluster-level security issues
When deploying HelmForge charts in production:
- Always pin chart versions (`--version`)
- Review `values.yaml` defaults before deploying
- Use the `securityContext` and `podSecurityContext` settings provided by each chart
- Enable network policies where your cluster supports them
- Use TLS for ingress endpoints
- Rotate credentials and secrets regularly
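The two `securityContext` recommendations above are easy to state and easy to get subtly wrong (a pod-level `runAsNonRoot` that a container overrides, a missing `capabilities.drop: [ALL]`). The following checker is an added example, not code from the HelmForge repository: it audits rendered workload manifests for the restricted Pod Security Standard fields and reports what is missing. The two manifests embedded in it are constructed for illustration; in practice you would parse the output of `helm template <release> <chart> --version <version> -f values.yaml` with `yaml.safe_load_all()` and pass those documents in. The field names are the real Kubernetes API fields; the chart, release and container names are assumptions.

```python
"""Audit rendered Kubernetes workloads for weak securityContext settings.

Added example (not HelmForge's own code). Feed it the documents produced by
`helm template ... --version <ver> -f values.yaml` parsed with
yaml.safe_load_all(); the manifests below are constructed inline so the
script runs offline.
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob", "Pod"}


def _pod_spec(doc):
    """Locate the PodSpec inside any of the supported workload kinds."""
    kind = doc.get("kind")
    spec = doc.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def audit_workload(doc):
    """Return a list of findings for one manifest; an empty list means it passes."""
    findings = []
    kind = doc.get("kind")
    if kind not in WORKLOAD_KINDS:
        return findings
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    spec = _pod_spec(doc)
    pod_sc = spec.get("securityContext") or {}
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(f"{kind}/{name}: shares a host namespace (hostNetwork/hostPID/hostIPC)")
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        csc = c.get("securityContext") or {}
        where = f"{kind}/{name} container {c.get('name', '?')}"
        # Container-level settings override the pod-level securityContext.
        if csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{where}: runAsNonRoot is not true")
        if csc.get("privileged"):
            findings.append(f"{where}: privileged container")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation is not false")
        if csc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{where}: readOnlyRootFilesystem is not true")
        drop = (csc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            findings.append(f"{where}: capabilities.drop does not include ALL")
        seccomp = (csc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{where}: seccompProfile is not RuntimeDefault or Localhost")
    return findings


def audit_manifests(docs):
    """Audit every document in a rendered chart and return all findings."""
    return [f for d in docs if d for f in audit_workload(d)]


# Constructed sample: what a chart renders when securityContext is left empty.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "example/app:1.2.3"}],
    }}},
}

# Constructed sample: the same workload with hardened pod and container contexts.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001, "fsGroup": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example/app:1.2.3",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, audit_workload(doc) or "OK")
```

Run it against `helm template` output before every upgrade of a pinned chart version; a non-empty result is the signal to add overrides in your own `values.yaml` rather than deploy with the chart defaults.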