Last Updated: January 18, 2026
Security Overview
ChangeGuard is built for infrastructure teams who need strong controls and clear boundaries. A Kubernetes Operator deploys into your cluster and manages all security components via a single CRD.
Outbound-only connectivity: The agent initiates outbound TLS 1.2+ connections to the ChangeGuard control plane. We do not require inbound network access into your cluster.
Security Scanning Stack
ChangeGuard manages five open-source security tools as Kubernetes-native workloads — no external infrastructure required:
- KubeBench — CIS Kubernetes Benchmark scanning (CronJob, every 6h). Validates cluster configuration against CIS hardening guidelines.
- Grype — Container image CVE scanning (CronJob, every 4h). Detects known vulnerabilities in all running images.
- Falco — Runtime threat detection (DaemonSet on every node). eBPF-based syscall monitoring detects process execution anomalies, privilege escalation, container escapes, and suspicious network activity in real time.
- Pluto — Deprecated API detection (CronJob, every 12h). Prevents Kubernetes upgrade failures by finding resources using removed API versions.
- Syft — SBOM generation (CronJob, every 8h). Produces CycloneDX or SPDX Software Bill of Materials for every container image — required for EO 14028, SOC 2, and FedRAMP compliance.
Identity & Access Risk Analysis
ChangeGuard builds a graph-based model of every identity in your cluster — ServiceAccounts, Users, and Groups — mapping their role bindings, permissions, and blast radius. The analyzer detects:
- cluster-admin bindings (full cluster compromise risk)
- Wildcard permissions (unrestricted access)
- Secrets read access (credential theft risk)
- Privilege escalation paths (can create RoleBindings)
- Cross-namespace reach (namespace SA with cluster-wide access)
- Default ServiceAccount abuse (every pod inherits overprivileged permissions)
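The checks listed above can be expressed as rules over role bindings. The following is an added example, not ChangeGuard's own analyzer: the label names, the sample roles and bindings, and the simplification that every roleRef points at a ClusterRole are assumptions made for illustration.

```python
# Added example, not ChangeGuard code: rule-based RBAC risk labels.
# Assumption: every roleRef points at a ClusterRole listed in CLUSTER_ROLES.
RBAC_GROUP = "rbac.authorization.k8s.io"

def _has(values, wanted):
    """True when a rule field names `wanted` explicitly or via '*'."""
    return "*" in values or wanted in values

def rule_findings(rule):
    """Return the set of risk labels triggered by one PolicyRule."""
    groups, res = rule.get("apiGroups", []), rule.get("resources", [])
    verbs, found = set(rule.get("verbs", [])), set()
    if "*" in verbs or "*" in res:
        found.add("wildcard")
    if _has(groups, "") and _has(res, "secrets") and verbs & {"get", "list", "watch", "*"}:
        found.add("secrets-read")
    if _has(groups, RBAC_GROUP) and _has(res, "rolebindings") and verbs & {"create", "*"}:
        found.add("privilege-escalation")
    return found

def analyze(cluster_roles, bindings):
    """Map 'Kind/namespace/name' of each subject to its sorted risk labels."""
    report = {}
    for b in bindings:
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        role = b["roleRef"]["name"]
        risks = set().union(*(rule_findings(r) for r in cluster_roles.get(role, [])))
        if cluster_wide and role == "cluster-admin":
            risks.add("cluster-admin")
        for s in b.get("subjects", []):
            mine = set(risks)
            if s["kind"] == "ServiceAccount":
                if cluster_wide:
                    mine.add("cross-namespace")  # namespaced SA, cluster-wide grant
                if s["name"] == "default":
                    mine.add("default-serviceaccount")  # pods with no explicit SA use it
            key = f'{s["kind"]}/{s.get("namespace", "-")}/{s["name"]}'
            report.setdefault(key, set()).update(mine)
    return {k: sorted(v) for k, v in report.items() if v}

# Constructed sample data in Kubernetes manifest shape (not from a real cluster).
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "secret-reader": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
    "binder": [{"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": ["create"]}],
    "view-pods": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"name": "secret-reader"}, "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "runner"}]},
    {"kind": "RoleBinding", "roleRef": {"name": "binder"}, "subjects": [{"kind": "ServiceAccount", "namespace": "web", "name": "default"}]},
    {"kind": "RoleBinding", "roleRef": {"name": "view-pods"}, "subjects": [{"kind": "Group", "name": "devs"}]},
]
REPORT = analyze(CLUSTER_ROLES, BINDINGS)
```

Subjects whose bindings trigger no rule, such as the read-only `devs` group in the sample, are left out of the report.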
Data Minimization
ChangeGuard does not collect Kubernetes Secrets values, full workload manifests, or application data. The agent collects metadata only — resource names, labels, status, RBAC rules, and scan results. You control what the agent can access via Kubernetes RBAC and the ChangeGuardAgent CRD configuration.
Encryption
- In transit: TLS 1.2+ for all agent → backend communication. Payloads are gzip-compressed.
- At rest: PostgreSQL with AES-256 encryption (AWS-managed keys). Scan results encrypted at rest.
Access Controls
- Least privilege: The operator's ClusterRole grants only read access to resources, RBAC, and metrics. Falco requires privileged access for eBPF syscall monitoring on each node.
- API key auth: Agent and CI/CD connections use bcrypt-hashed API keys with prefix-based lookup. Scoped to agent or cicd roles.
- Session auth: Dashboard access uses 8-hour tokens with auto-refresh. Password change enforced via secure modal.
- Multi-tenancy: Full tenant isolation verified across all 50+ API handlers. Tenant ID enforced on every query.
- Audit trail: Every authentication, deployment decision, and configuration change is logged with timestamp, user, IP, and outcome.
Secure Development
- Dependency management and vulnerability monitoring
- Patch and update process for security releases
- Principle-of-least-privilege defaults and safe failure modes where possible
Alerting & Integrations
- Daily fleet digest: Automatic morning summary via Slack or Teams — fleet-wide CSC average, per-cluster scores, critical CVE count, and Falco alert count. Keeps security visible without opening the dashboard.
- Webhook events: Configurable webhooks fire on score drops, critical CVEs, Falco alerts, and other events. HMAC-SHA256 signed payloads. Wire to PagerDuty, Jira, OpsGenie, or any HTTP endpoint.
- Fleet comparison: Multi-cluster executive view shows side-by-side CSC scores, CVE counts, Falco alerts, CIS failures, and RBAC risks across your entire fleet. Sorted worst-first.
- Shift-left CLI: Validates YAML, Helm charts, and Kustomize overlays against live cluster state before deploy. Checks images against CVE data, verifies RBAC permissions, and flags missing network policies.
Customer Responsibilities
Because the agent runs in your environment, you control its deployment and configuration. You are responsible for:
- Securing your Kubernetes cluster and underlying cloud or on-prem infrastructure
- Configuring RBAC, network policies, and secrets management for the agent
- Reviewing change workflows and approvals consistent with your policies
Reporting Security Issues
If you believe you have found a security issue, please contact us via the Contact page with details so we can investigate.