Reduce Risk to Your Supply Chain with Verified Open-Source Packages
Stay on top of security and compliance with Weave GitOps Assured - a certified distribution of all Flux plus extensions and patches. You receive alerts when your system needs care, so you can keep systems and builds to date with patches and updates for the whole Flux and Weave ecosystem.
We are reaching out to all our community of end users, customers, and partners who use FluxCD or any Weave OSS and Flux integrations. Over the past weeks, the CNCF Flux project had Critical Vulnerability Exceptions (CVEs) that we have helped patch and made available in full, secure builds that are drop-in replacement for your current Flux.
Why are critical vulnerabilities appearing?
As Flux has matured, the ecosystem has grown in complexity. From Flux 2.0 GA, the maintainers are focusing on stable regular releases but also rely on additional upstream dependencies, extensions, and integrations. While the maintainers can patch CNCF Flux itself, they are often not resourced to create multiple distributions of Flux whenever an upstream component has a CVE.
This leaves end users to roll out patches and builds by themselves, often an error-prone task that’s hard to verify. The ever-growing supply chains make the job of tracking every package CVE represents a significant effort and risk for an organization. The CNCF community is unable to patch all builds immediately, so Weaveworks stepped in to provide robust open-source software components.
Here is an example of addressing Critical Vulnerabilities in Flux Build for Secure Path CVE:
Patching for CVE: We are actively mitigating critical vulnerabilities, notably the Secure Path CVE, which predominantly affects Windows systems. This has been addressed in the Flux CLI, and we're now focusing on strengthening our controllers against potential flags in CVE scanners.
Go Version Update: With vulnerabilities identified in the Go standard library, our transition to Go 1.20 is underway to bolster the security of all Flux components.
flux bootstrap flag --assured
flux bootstrap github --owner=$GITHUB_USER --repository=
--branch=main--path=clusters/my-cluster --personal --assured
Revolutionize Your Platform Engineering Practice with Weave GitOps
An internal developer platform (IDP) enables self-service developer experience to deliver software faster and with better quality and hybrid cloud management, built-in compliance, and zero-trust security.Learn more
What can you do to mitigate interruptions proactively?
Weave GitOps Assured offers a certified distribution of all Flux plus extensions and patches. You receive alerts when your system needs care, so you can keep systems and builds to date with patches and updates for the whole Flux and Weave ecosystem.
Using open-source software embodies transparency and innovation. However, the authenticity of binaries reflecting the source code is paramount. With Weave Gitops Assured, we provide our accountability promise: that we guarantee our open-source software builds are secure, verifiable, and free from hidden anomalies. Ensuring customers meet both their organization's internal and regulatory requirements with the software we deliver. Our Weaveworks support team is here for you 24/7/365. All CVE patches are available under an ‘asap’ SLA and will be maintained by Weaveworks who will also take responsibility for offering fixes upstream into the CNCF community.
The key benefits of bitstream assurance are:
- Ensuring Trustworthiness: Confirms no tampering, boosting confidence in the software's authenticity.
- Boosting Security: Guarantees no hidden vulnerabilities or backdoors.
- Facilitating Compliance: Helps meet audit and regulation requirements, crucial for regulated industries.
- Promoting Reproducibility: Ensures that the binary can be reliably reproduced from its source.
- Mitigating Risk: Reduces chances of deploying software with non-transparent elements.
- Securing the Supply Chain: Adds a layer of trust in the software delivery process, vital in today's cyber landscape.
- Highlighting Transparency: Offers users confidence that the binary transparently mirrors the open-source code.
- Encouraging OSS Adoption: Alleviates concerns and bolsters confidence in adopting OSS.
- Holding Vendors Accountable: By using Weave GitOps Assured, we take responsibility for ensuring the integrity of the software.
In essence, Weave GitOps Assurance acts as a crucial bridge between the transparency of source code and the trust users need in their software.
See a demo and ask questions at our next office hour: Wednesday, Oct 18, 2023 at 10am PT.