We actively support the latest version of Azure Kubernetes Credential Loader with security updates.

This tool legitimately uses Python's subprocess module to execute:

• Azure CLI (az) commands
• kubectl commands
• kubelogin commands

Security Measures:

• ✅ All commands use controlled argument arrays (no shell injection)
• ✅ No shell=True parameter used
• ✅ No user input directly passed to subprocess calls
• ✅ All command arguments are validated internally
• ✅ Commands are hardcoded (az, kubectl, kubelogin)

• Uses existing Azure CLI authentication (az login)
• No credentials are stored or handled by this tool
• All authentication is delegated to Azure CLI and kubelogin

• Only communicates with official Azure APIs through Azure CLI
• No direct network connections made by this tool
• All requests go through authenticated Azure CLI sessions

If you discover a security vulnerability, please:

1. DO NOT open a public issue
2. Email the maintainers with details
3. Allow reasonable time for response and patching
4. Provide clear reproduction steps if possible

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Suggested mitigation (if known)

• Initial response: Within 48 hours
• Status update: Within 1 week
• Resolution timeline: Communicated after assessment

This project uses:

• Bandit for Python security analysis
• GitHub Security Advisories for dependency scanning
• Manual security reviews for all pull requests

# Install bandit
pip install bandit

# Run security scan
bandit -r src/ -c pyproject.toml

# Check dependencies (if any)
pip install safety
safety check

1. Always use --dry-run first to preview actions
2. Ensure you're logged into the correct Azure account
3. Review the list of subscriptions that will be processed
4. Backup your existing ~/.kube/config if important

# Safe workflow
az login                                             # Authenticate first
./aks-credential-loader --dry-run                  # Preview actions
./aks-credential-loader --verbose                  # Run with logging
kubectl config get-contexts                         # Verify results

• ❌ Store or transmit credentials
• ❌ Modify Azure resources
• ❌ Execute arbitrary commands
• ❌ Access sensitive data beyond cluster names/locations
• ❌ Make network connections outside of Azure CLI

• ✅ Discovers AKS clusters via Azure CLI
• ✅ Downloads cluster access configurations
• ✅ Updates local kubectl configuration
• ✅ Configures Azure CLI authentication for clusters

This security policy is provided under the same license as the project.