docs: add security vuln scanning to release mgmt

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
kubernetes-sigs · Jul 26, 2022 · b8c64cc · b8c64cc
1 parent 27ad239
commit b8c64cc
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/docs/book/src/release-management.md b/docs/book/src/release-management.md
@@ -44,6 +44,11 @@ This project strictly follows [semantic versioning](https://semver.org/spec/v2.0
 
 - Any `fixes` or `patches` should be merged to main and then `cherry pick` to the release branch.
 
+## Security Vulnerabilities
+
+We use [trivy](https://github.com/aquasecurity/trivy) to scan the base image for known vulnerabilities. When a vulnerability is detected and has a fixed version, we will update the image to include the fix. For vulnerabilities that are not in a fixed version, there is nothing that can be done immediately. 
+Fixable CVE patches will be part of the patch releases published **second week of every month**.
+
 ## Supported Releases
 
 Applicable fixes, including security fixes, may be cherry-picked into the release branch, depending on severity and feasibility. Patch releases are cut from that branch as needed.