If you discover a security vulnerability within Logsenta, please send an email to devopsarts@gmail.com. All security vulnerabilities will be promptly addressed.

Please include the following information:

• Type of vulnerability
• Full paths of source file(s) related to the vulnerability
• Steps to reproduce
• Potential impact

DO NOT include real credentials in values files. Always use --set flags or external secret management:

# Good: Pass credentials at deploy time
helm install logsenta-engine logsenta/logsenta-engine \
  --set connections.postgresql.username=$DB_USER \
  --set connections.postgresql.password=$DB_PASSWORD

# Bad: Hardcoded in values.yaml
# connections:
#   postgresql:
#     password: "mypassword123"  # NEVER DO THIS

For production, use external secret management solutions:

• Kubernetes External Secrets: Sync secrets from AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
• HashiCorp Vault: Use Vault Agent Injector
• Sealed Secrets: Encrypt secrets for Git storage

Example with External Secrets Operator:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: logsenta-db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: azure-key-vault
    kind: SecretStore
  target:
    name: logsenta-engine-credentials
  data:
    - secretKey: postgresql-password
      remoteRef:
        key: logsenta-db-password

Restrict pod-to-pod communication:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: logsenta-engine-policy
  namespace: logsenta
spec:
  podSelector:
    matchLabels:
      app: logsenta-engine
  policyTypes:
    - Ingress
    - Egress
  egress:
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 443  # Kubernetes API
    - to:
        - podSelector:
            matchLabels:
              app: postgresql
      ports:
        - protocol: TCP
          port: 5432

Enable Pod Security Standards (PSS):

# In values.yaml
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

The default RBAC configuration grants only necessary permissions:

• get, list, watch on pods (for log streaming)
• get, list, watch on namespaces (for namespace discovery)
• create, get, update on leases (for leader election)

Do not grant cluster-admin or overly permissive roles.

Always enable TLS for database connections in production:

connections:
  postgresql:
    ssl:
      enabled: true
      mode: "verify-full"
      # Mount CA certificate

• Use specific image tags, not latest
• Scan images for vulnerabilities
• Use signed images when available

image:
  repository: devopsart1/logsenta-engine
  tag: "0.4.3"  # Specific version, not "latest"
  pullPolicy: IfNotPresent

Always set resource limits to prevent DoS:

resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 100m
    memory: 256Mi

Enable Kubernetes audit logging to track API access to logsenta resources.

Keep the Helm chart and container images updated to receive security patches.

1. Input Sanitization: All log lines are sanitized before storage
2. No Credential Logging: Credentials are never logged
3. TLS Enforcement: Cloud backends (Azure, AWS, GCP) use TLS by default
4. Non-root Container: Runs as non-root user by default
5. Read-only Filesystem: Minimal writable paths
6. Secret References: Credentials loaded from Kubernetes secrets, never hardcoded

• GDPR: Log data may contain PII. Implement appropriate retention policies.
• SOC 2: Enable audit logging and access controls.
• HIPAA: Ensure database backends are HIPAA-compliant if handling PHI.

For security concerns: security@devopsarts.io