Open-Source Wikis

/

Argo CD

/

Security

argoproj/argo-cd

Security

Argo CD has a non-trivial trust boundary: it holds Git credentials, Kubernetes credentials for many clusters, OIDC client secrets, RBAC policy, and signing keys. This page summarizes the relevant code and policy paths.

Disclosure

SECURITY.md and SECURITY_CONTACTS describe the responsible disclosure process. Vulnerabilities go through GitHub Security Advisories on argoproj/argo-cd.

OpenSSF / supply-chain artifacts:

  • SECURITY-INSIGHTS.yml — the OpenSSF Security Insights manifest.
  • .snyk, hack/snyk-*.sh — Snyk policy and helper scripts.
  • .github/workflows/codeql.yml — CodeQL static analysis.
  • .github/workflows/scorecard.yaml — OpenSSF Scorecard.
  • The README's badges link to the CII Best Practices and OpenSSF Scorecard scores.

Trust boundaries

graph LR
    User[User / CI] -->|JWT| Server[argocd-server]
    Server -->|gRPC| Repo[argocd-repo-server]
    Server -->|gRPC| AppCtrl[argocd-application-controller]
    Server -->|OIDC| Dex[argocd-dex]
    Repo -->|Git/Helm/OCI creds| Source[(External source)]
    AppCtrl -->|cluster creds| Cluster[(Destination clusters)]
    AppCtrl -->|Redis| Cache[(Redis)]

Each arrow is a place where credentials cross a process boundary. The relevant code:

  • JWT verificationutil/jwt/, util/session/. RBAC enforcement: util/rbac/, server/rbacpolicy/.
  • OIDCutil/oidc/oidc.go. CSRF and PKCE handled in the same file.
  • Git/Helm/OCI authutil/git/creds.go, util/helm/creds.go, util/oci/.
  • GnuPG signature checksutil/gpg/ and watchers in reposerver/gpgwatcher.go.
  • Cluster authutil/clusterauth/, util/workloadidentity/, plus the standalone argocd-k8s-auth binary.
  • TLSutil/tls/. All gRPC services support mTLS; the dev mode disables it.
  • Path traversal guardsutil/security/path_traversal.go is used wherever the repo server resolves a relative path inside a checked-out repo.
  • JWT subject securityutil/security/jwt.go validates token subjects against expected formats.

Casbin RBAC

The Casbin engine in util/rbac/rbac.go evaluates the policy in argocd-rbac-cm. The enforcer is wrapped by server/rbacpolicy/ to add Argo CD-specific resource/action vocabulary. RBAC denials produce gRPC PERMISSION_DENIED errors.

The default policy is conservative: anonymous users have no permissions; the admin user has full access; everything else must be granted explicitly.

Project boundaries

AppProject constrains what an Application within the project can do (allowed sources, destinations, resource kinds, signature keys, sync windows). See primitives/appproject. Many CVEs in Argo CD's history have involved bypasses of these constraints; the validation code lives in util/argo/argo.go and controller/state.go.

Path traversal and repo isolation

util/security/path_traversal.go is the canonical helper for clamping any user-provided path inside a repo working tree. It is used in:

  • reposerver/repository/repository.go when resolving source.path and Helm valueFiles.
  • applicationset/generators/git.go when listing Git directories/files.
  • The CMP plugin tar streaming in util/cmp/.

The --allow-out-of-bounds-symlinks repo-server flag exists for compatibility but is unsafe and not recommended.

Cookies and CSRF

The web UI session cookie is Secure, HttpOnly, and uses SameSite=Lax. CSRF tokens are issued by util/oidc/oidc.go for the OIDC flow.

Secrets handling

  • Credentials are never logged. The repo server uses util/argo/audit_logger.go for audit-quality logs that explicitly avoid printing creds.
  • The CLI never persists OIDC tokens to disk in plaintext when a credential helper is configured.
  • Initial admin password is generated and stored in argocd-initial-admin-secret; argocd admin initial-password retrieves it.

Webhook authenticity

util/webhook/webhook.go verifies provider-specific HMAC signatures (X-Hub-Signature for GitHub, X-Gitlab-Token for GitLab, …) against the secret in argocd-secret. Invalid webhooks are dropped with a 401.

CVEs and changelog

docs/snyk/ holds Snyk reports per release. docs/operator-manual/upgrading/ documents security-relevant upgrade notes.

See also

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – Argo CD wiki | Factory