argoproj/argo-cd
Security
Argo CD has a non-trivial trust boundary: it holds Git credentials, Kubernetes credentials for many clusters, OIDC client secrets, RBAC policy, and signing keys. This page summarizes the relevant code and policy paths.
Disclosure
SECURITY.md and SECURITY_CONTACTS describe the responsible disclosure process. Vulnerabilities go through GitHub Security Advisories on argoproj/argo-cd.
OpenSSF / supply-chain artifacts:
SECURITY-INSIGHTS.yml— the OpenSSF Security Insights manifest..snyk,hack/snyk-*.sh— Snyk policy and helper scripts..github/workflows/codeql.yml— CodeQL static analysis..github/workflows/scorecard.yaml— OpenSSF Scorecard.- The README's badges link to the CII Best Practices and OpenSSF Scorecard scores.
Trust boundaries
graph LR
User[User / CI] -->|JWT| Server[argocd-server]
Server -->|gRPC| Repo[argocd-repo-server]
Server -->|gRPC| AppCtrl[argocd-application-controller]
Server -->|OIDC| Dex[argocd-dex]
Repo -->|Git/Helm/OCI creds| Source[(External source)]
AppCtrl -->|cluster creds| Cluster[(Destination clusters)]
AppCtrl -->|Redis| Cache[(Redis)]Each arrow is a place where credentials cross a process boundary. The relevant code:
- JWT verification —
util/jwt/,util/session/. RBAC enforcement:util/rbac/,server/rbacpolicy/. - OIDC —
util/oidc/oidc.go. CSRF and PKCE handled in the same file. - Git/Helm/OCI auth —
util/git/creds.go,util/helm/creds.go,util/oci/. - GnuPG signature checks —
util/gpg/and watchers inreposerver/gpgwatcher.go. - Cluster auth —
util/clusterauth/,util/workloadidentity/, plus the standaloneargocd-k8s-authbinary. - TLS —
util/tls/. All gRPC services support mTLS; the dev mode disables it. - Path traversal guards —
util/security/path_traversal.gois used wherever the repo server resolves a relative path inside a checked-out repo. - JWT subject security —
util/security/jwt.govalidates token subjects against expected formats.
Casbin RBAC
The Casbin engine in util/rbac/rbac.go evaluates the policy in argocd-rbac-cm. The enforcer is wrapped by server/rbacpolicy/ to add Argo CD-specific resource/action vocabulary. RBAC denials produce gRPC PERMISSION_DENIED errors.
The default policy is conservative: anonymous users have no permissions; the admin user has full access; everything else must be granted explicitly.
Project boundaries
AppProject constrains what an Application within the project can do (allowed sources, destinations, resource kinds, signature keys, sync windows). See primitives/appproject. Many CVEs in Argo CD's history have involved bypasses of these constraints; the validation code lives in util/argo/argo.go and controller/state.go.
Path traversal and repo isolation
util/security/path_traversal.go is the canonical helper for clamping any user-provided path inside a repo working tree. It is used in:
reposerver/repository/repository.gowhen resolvingsource.pathand HelmvalueFiles.applicationset/generators/git.gowhen listing Git directories/files.- The CMP plugin tar streaming in
util/cmp/.
The --allow-out-of-bounds-symlinks repo-server flag exists for compatibility but is unsafe and not recommended.
Cookies and CSRF
The web UI session cookie is Secure, HttpOnly, and uses SameSite=Lax. CSRF tokens are issued by util/oidc/oidc.go for the OIDC flow.
Secrets handling
- Credentials are never logged. The repo server uses
util/argo/audit_logger.gofor audit-quality logs that explicitly avoid printing creds. - The CLI never persists OIDC tokens to disk in plaintext when a credential helper is configured.
- Initial admin password is generated and stored in
argocd-initial-admin-secret;argocd admin initial-passwordretrieves it.
Webhook authenticity
util/webhook/webhook.go verifies provider-specific HMAC signatures (X-Hub-Signature for GitHub, X-Gitlab-Token for GitLab, …) against the secret in argocd-secret. Invalid webhooks are dropped with a 401.
CVEs and changelog
docs/snyk/ holds Snyk reports per release. docs/operator-manual/upgrading/ documents security-relevant upgrade notes.
See also
- features/sso-and-rbac — the authorization story end-to-end.
- primitives/appproject — multi-tenant boundaries.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.