# Security

## Reporting a vulnerability
Report vulnerabilities privately via GitHub Security Advisories: Report a vulnerability ("Security" tab → "Report a vulnerability"). Do not open a public issue for anything security-sensitive.
You should get an acknowledgement within a few days. Include enough detail to reproduce — config shape, versions, logs with secrets redacted.
## Supported versions

| Version | Supported |
|---|---|
| Latest release | yes |
| `main` (edge container tag, `:main`) | yes — fixes land here first |
| Older releases | no — upgrade to the latest release |
## Data handling

### Credentials and tokens
sf2loki handles Salesforce credentials (a JWT-bearer private key or a client-credentials consumer secret) and a Grafana Cloud Loki/OTLP token. All of these are secrets in scope for the reporting process above:
- Credentials are injected from `*_file` paths (mounted read-only, e.g. `salesforce.private_key_file`, `sink.loki.auth_token_file`) or `${ENV}` interpolation at config load — never inlined as plain config values by convention, and a missing or unreadable secret is fatal at startup rather than silently skipped.
- Secrets are never written to logs, error messages, or generated config artifacts (`config.example.yaml`, `docs/config-reference.md`, the JSON schema) — those describe shapes and keys, never values.
- The container mounts secret files read-only and runs as a non-root user (uid `10001`); the secret files themselves must be readable by that uid — see Troubleshooting. `.env*`, `*.key`, `*.crt`, and `secrets/` are gitignored and `.dockerignore`d so they can never be baked into a locally built image.
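The loading contract described above (file-backed `*_file` keys, `${ENV}` interpolation, a fatal error on a missing or unreadable secret, and error messages that name keys and paths rather than values), shown as an added Python illustration that is not sf2loki's own code. The `resolve_secrets` and `ConfigError` names, the `${LOKI_TOKEN_FILE}` variable and the sample file contents are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

class ConfigError(Exception):
    """Load-time failure; the message names keys and paths, never secret values."""

def _interpolate(text, key, env):
    # Replace every ${NAME}; an unset variable is fatal, not silently empty.
    for name in ENV_REF.findall(text):
        if name not in env:
            raise ConfigError(f"{key}: environment variable {name} is not set")
    return ENV_REF.sub(lambda m: env[m.group(1)], text)

def resolve_secrets(cfg, env, prefix=""):
    """Copy cfg with ${ENV} interpolated and each *_file key read into a sibling key."""
    out = {}
    for key, value in cfg.items():
        dotted = prefix + key
        if isinstance(value, dict):
            out[key] = resolve_secrets(value, env, dotted + ".")
            continue
        if isinstance(value, str):
            value = _interpolate(value, dotted, env)
        out[key] = value
        if key.endswith("_file"):
            try:  # private_key_file -> private_key, read from the mounted file
                out[key[:-5]] = Path(value).read_text(encoding="utf-8").strip()
            except OSError as exc:
                # A missing or unreadable secret is fatal at startup; contents are never echoed.
                raise ConfigError(f"{dotted}: cannot read {value!r} ({exc.strerror})") from None
    return out

def demo():
    # Constructed sample: a fake key file, and a token file path supplied through ${ENV}.
    with tempfile.TemporaryDirectory() as tmp:
        key_path, tok_path = Path(tmp, "sf.key"), Path(tmp, "loki.token")
        key_path.write_text("CONSTRUCTED-PRIVATE-KEY\n")
        tok_path.write_text("CONSTRUCTED-TOKEN\n")
        env = {"LOKI_TOKEN_FILE": str(tok_path)}
        cfg = {"salesforce": {"private_key_file": str(key_path)},
               "sink": {"loki": {"auth_token_file": "${LOKI_TOKEN_FILE}"}}}
        resolved = resolve_secrets(cfg, env)
        try:  # failure mode: an absent secret file must abort startup, not be skipped
            fatal = resolve_secrets({"sink": {"loki": {"auth_token_file": tmp + "/missing"}}}, env)
        except ConfigError as exc:
            fatal = str(exc)
    return resolved, fatal
```

The error string returned for the missing file carries the dotted key and the path but none of the file contents, which is the property a log line or crash message should preserve.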
### Health endpoints

`/healthz` and `/readyz` are unauthenticated by design — they carry no Salesforce or Loki data, only process liveness/readiness state, so they don't need auth to be safely exposed inside a cluster or behind a load balancer. The shipped `docker-compose.yml` binds them to loopback by default. Don't expose them to the public internet without a reason to.
### PII in ingested data
sf2loki ships opt-in compliance controls for the Salesforce data it forwards to Loki: declarative PII transforms (hash / mask / drop field / drop row / regex) and deterministic per-type sampling. These are off by default — enabling them is the operator's responsibility based on what event types and fields are in scope for their org. See PII Redaction & Sampling for the full transform reference and recipes.
## License obligations
sf2loki is licensed AGPL-3.0-only — free to use, modify, and self-host. The AGPL's network-use clause applies: if you run a modified version of sf2loki as a network service (including as a hosted/managed offering), you must offer the modified source to the users of that service. Running an unmodified build (including the published container image) carries no source-offer obligation beyond the license text itself.