If you discover a security issue in KubeDojo's content (e.g., a command that could be harmful, credentials in examples, or a misconfigured exercise), please report it by:
- Opening a GitHub issue with the label "security"
- Or emailing the maintainers directly
KubeDojo is primarily educational content (markdown modules), but the repository also has a CI/build pipeline and an npm dependency supply chain (Astro/Starlight site build). Security concerns include:
- Commands or YAML examples that could be harmful if copy-pasted
- Accidental inclusion of real credentials or tokens in examples
- Links to malicious external resources
- Compromised or malicious npm dependencies and lockfile tampering
- GitHub Actions workflow misconfiguration
There is no production application backend or learner user data stored in this repo.
Miasma-class npm supply-chain defenses are tracked in issue #1812.
- Maintainers: docs/security/detection-runbook.md — what each control detects and how to triage CI failures
- Developers: docs/security/local-dev-supply-chain.md — `.npmrc` script blocking, local rebuild, token hygiene
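As an added example (not code from the KubeDojo repository or its security docs), a small Python check of the kind a maintainer could run in CI against `package-lock.json` and `.npmrc` to catch the lockfile tampering and install-script risks listed above; the allowed registry host, the finding messages and the sample lockfile entries are assumptions constructed for this example.

```python
from urllib.parse import urlparse

# Assumption: the site build only installs packages from the public npm registry.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

def audit_lockfile(lock: dict) -> list[str]:
    """Flag package-lock.json (lockfileVersion 2/3) entries that look tampered with."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # the root project entry and workspace symlinks carry no tarball
        resolved = meta.get("resolved", "")
        url = urlparse(resolved)
        if not resolved:
            findings.append(f"{path}: missing 'resolved'")
        elif url.scheme != "https" or url.hostname not in ALLOWED_REGISTRY_HOSTS:
            findings.append(f"{path}: resolved from unexpected source {resolved}")
        integrity = meta.get("integrity", "")
        if not integrity:
            findings.append(f"{path}: missing 'integrity'")
        elif not integrity.startswith("sha512-"):
            findings.append(f"{path}: weak integrity hash ({integrity.split('-', 1)[0]})")
        if meta.get("hasInstallScript"):
            findings.append(f"{path}: declares install scripts; needs review")
    return findings

def npmrc_blocks_scripts(npmrc_text: str) -> bool:
    """True when an .npmrc sets ignore-scripts=true (lifecycle scripts disabled on install)."""
    settings = {}
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # ini-style comments
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings.get("ignore-scripts", "").lower() == "true"

# Constructed sample lockfile: one clean entry and three suspicious ones.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "site", "version": "0.0.1"},
        "node_modules/astro": {"resolved": "https://registry.npmjs.org/astro/-/astro-4.0.0.tgz", "integrity": "sha512-AAAA"},
        "node_modules/left-pad": {"resolved": "http://mirror.example.invalid/left-pad.tgz", "integrity": "sha512-BBBB"},
        "node_modules/no-hash": {"resolved": "https://registry.npmjs.org/no-hash/-/no-hash-1.0.0.tgz"},
        "node_modules/old-hash": {"resolved": "https://registry.npmjs.org/old-hash/-/old-hash-1.0.0.tgz", "integrity": "sha1-CCCC", "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    print(*audit_lockfile(SAMPLE_LOCK), sep="\n")
    print("ignore-scripts enabled:", npmrc_blocks_scripts("ignore-scripts=true\n"))
```

In a real pipeline the lockfile would be loaded with `json.load` and a non-empty findings list would fail the build.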
- All example credentials use placeholder values (`my-secret`, `changeme`, `example.com`)
- No real API keys, tokens, or passwords are included
- External links are reviewed for legitimacy