Skip to main content
pgAgroal Enterprise docs · Security & compliance

pgAgroal Enterprise · Explanation

Security & compliance

pgAgroal Enterprise is built so that its security posture is verifiable from the outside. This page explains the controls-to-evidence map aligned with SOC 2 and ISO/IEC 27001:2022, the Vulnerability Exploitability eXchange (VEX) policy, the CVE-response and patching commitments, the signed images and attested SBOMs we ship, and how to report a vulnerability.

Elevarq aligns its engineering practices to support future SOC 2 and ISO/IEC 27001 certification. The material below is provided as engineering and audit evidence — it is designed for auditability and supports compliance readiness. It is not a claim of certification, and certification is a formal process performed by an accredited auditor.

What this covers

pgAgroal Enterprise is a closed-source control layer built on standard, unmodified upstream pgagroal. This posture covers the Enterprise layer — the operator, the control plane, and the managed image packaging. Vulnerabilities in pgagroalitself are reported and fixed upstream first, on the community's timeline. The value Elevarq adds is operational delivery: patched, signed images applied to your fleet, not earlier access to security information.

Controls-to-evidence map

Each shipped capability is mapped to the SOC 2 Trust Services Criteria (TSC) and the ISO/IEC 27001:2022 Annex A control it supports, with where the evidence lives in the product repository. The map links concrete, already-implemented controls to the criteria — it is audit and sales evidence, not a compliance assertion.

Capability (shipped)SOC 2 (TSC)ISO 27001:2022
Issue → branch → signed-commit → PR change workflow, with CI gatesCC8.1A.8.32
Signed images (cosign) and an SBOM attested to the image digestCC7.1, CC8.1A.8.28, A.8.30
CVE-response SLA, Trivy and govulncheck gates, plus a nightly scanCC7.1A.8.8
Hash-chained, tamper-evident audit log with export and verifyCC7.2, CC7.3A.8.15, A.8.16
Operator/OIDC authentication and group-based authorization (entitlements)CC6.1, CC6.3A.5.15, A.8.2, A.8.3
Cloud secrets-manager integration; no secrets in images or configCC6.1A.5.17, A.8.24
mTLS to instances; TLS posture and cert-expiry monitoringCC6.6, CC6.7A.8.20, A.8.24
Hardened managed pods (non-root, dropped capabilities, seccomp, limits)CC6.6, CC6.8A.8.20, A.8.9
Network segmentation (ingress-only NetworkPolicy)CC6.6A.8.20, A.8.22
Monitoring: dashboards, alerting rules, management-plane tracingCC7.2A.8.16
Zero-downtime rollout and PodDisruptionBudget (availability)A1.2A.5.30
Reproducible, pinned, unmodified upstream base buildCC8.1A.8.28, A.8.32
Coordinated vulnerability disclosure policyCC2.3A.5.5, A.5.24

Some capabilities support readiness but are still in progress and are not claimed as complete — for example, control-plane backup, restore, and DR tooling, health-gated upgrade and rollback automation, and policy-as-code enforcement of the controls above. The policy guardrails how-to shows how the hardening controls become enforced at admission.

Signed images and attested SBOMs

Every published image is reproducible, pinned to the upstream pgagroal version, and verifiable independently of Elevarq:

  • Signed images — cosign keyless signatures. Verify a pulled image before you run it.
  • SBOM — an SPDX SBOM is generated and attested to the image digest, so the bill of materials is bound to the exact artifact.
# Verify the cosign signature
cosign verify <image>@<digest>

# Verify the SPDX SBOM attestation bound to the digest
cosign verify-attestation --type spdxjson <image>@<digest>
Pin a released image by digest in production. Patched fixes are pushed under a new image or tag — tags are immutable and never overwritten — so a digest pin is the unambiguous reference for both deployment and audit.

CVE-response and patching commitments

The CVE-response SLA describes how the managed distribution responds to security issues in its pgagroal base. The promise is operational delivery speed after a fix exists: when a coordinated fix is public, your managed image is rebuilt, signed, SBOM'd, tested, and rolled to your fleet — you do not track pgagroal CVEs or rebuild images yourself.

Response targets are measured from when a coordinated fix or CVE is public:

  • Critical — patched image published (signed + SBOM) within 24 hours; immediate customer notification.
  • High — patched image within 72 hours; customer notification within 24 hours.
  • Medium and Low — next scheduled image; noted in release notes.

A hard rule underpins this: Elevarq never races disclosure. We do not publish a fix or CVE ahead of the upstream coordinated release, and never ship an embargoed code fix into a publicly pullable image before that release — doing so would arm attackers against everyone still on upstream. During an embargo we protect customers without revealing the bug through deployment mitigations (network isolation, hardened defaults, monitoring) and by doing the upstream legwork so the coordinated release lands sooner for everyone. CI runs Trivy (vuln, secret, config) and govulncheck on every change, plus a nightly scan; the managed image ships Trivy-clean for fixable HIGH and CRITICAL findings.

VEX policy

A Vulnerability Exploitability eXchange (VEX) document states, per vulnerability, whether the product is actually affected — so consumers do not chase findings that are present in a dependency but not exploitable in our context. Elevarq publishes a VEX alongside each Enterprise image release for any non-applicable or accepted findings, using the OpenVEX format with each statement referencing the image by digest and a CVE.

  • The managed image ships Trivy-clean for fixable HIGH and CRITICAL findings (--ignore-unfixed).
  • For findings that remain — unfixed upstream, or present but not exploitable — a per-release OpenVEX document records the status and a machine-readable justification.
  • Statuses used are not_affected, affected, fixed, and under_investigation; not_affected carries a justification from the OpenVEX controlled vocabulary (for example vulnerable_code_not_in_execute_path).

Consumers can apply the release VEX to suppress non-applicable findings in their own scanners:

# Filter a Trivy scan against the release VEX (suppresses not_affected findings)
trivy image --vex pgagroal-enterprise-<version>.vex.json <image>@<digest>

Today this is the process and template — there are no standing not_affected or affected statements to publish, because the released image is clean for fixable HIGH and CRITICAL. Live VEX documents are produced per release when a finding warrants a statement, and are signed and attached like the SBOM.

Reporting a vulnerability

Report security issues privately to security@elevarq.com. Please do not open a public GitHub issue for a suspected vulnerability. Where possible, include the affected component and version or image digest, a description and impact, and reproduction steps. Elevarq acknowledges reports and coordinates a fix and disclosure timeline with you.

Coordinated disclosure applies: for issues in upstream pgagroal we work with the maintainers and do not disclose ahead of them. Security fixes are delivered for the latest released minor of the Enterprise image, operator, and chart; older versions are supported per the customer agreement. In scope: the Enterprise operator, control plane, managed-image packaging, Helm chart, and CI/supply-chain tooling. Out of scope: upstream pgagroalinternals (report upstream) and the customer's own infrastructure and configuration.

Related