Currently, the following versions of Keycloak Configuration Drive (kcd) are supported with security updates:

If you discover a potential security vulnerability in kcd, please do not open a public issue. Instead, report it privately to the maintainers:

• Fabio Falcinelli: fabio.falcinelli@gmail.com

We aim to acknowledge receipt of your report as soon as possible (typically within a few business days). Please note that while we take security seriously, we are a community-maintained project and cannot guarantee a specific resolution timeframe. We will provide updates as we investigate the issue and work toward a fix.

To help us address the issue quickly, please include:

• A clear description of the vulnerability.
• A minimal reproducible example (PoC) if possible.
• Any potential impact or exploitation scenarios.

kcd interacts with the Keycloak Admin API and manages sensitive configuration data. To ensure your usage remains secure:

1. Principle of Least Privilege: Ensure that the Keycloak client or user credentials used by kcd only have the minimum necessary permissions to manage the target realm.
2. Secret Management: kcd automatically masks detected secrets in local YAML configurations and stores them in a separate .secrets file. Do not commit .secrets files to version control.
3. Environment Variables: Protect environment variables containing Keycloak credentials (e.g., KEYCLOAK_CLIENT_SECRET) used by kcd.
4. Keep kcd Updated: Ensure you are using the latest version of kcd to benefit from upstream security fixes.

We follow a responsible disclosure policy:

1. Acknowledge the report.
2. Investigate and confirm the vulnerability.
3. Work on a fix.
4. Release a new version with the fix.
5. Publicly disclose the vulnerability (e.g., via GitHub Security Advisories) after a fix is available and users have had time to update.