Parca Agent requires to be run as root user (or CAP_SYS_ADMIN). Various security precautions have been taken to protect users running Parca Agent.
Parca Agent binaries and container image build processes have been specifically designed to be byte-by-byte reproducible.
- Go dependencies are pinned via
go.modandgo.sum, ensuring Go dependencies to be byte-by-byte reproducible. - Build tool and shared library versions are pinned everywhere in the repository. And updates are handled by Renovate bot.
- Build tool and pipeline are configured to produce reproducible binaries. Details can be found in tool configuration file.
- libbpf is included and versioned in this repository via a git submodule.
Parca Agent uses BPF CO-RE (Compile Once – Run Everywhere) using libbpf, and pre-compiles all BPF programs, and statically embeds them in the target binary, from where it is loaded via libbpf when used. This means that Parca Agent does not need to compile the BPF program at startup or runtime like when using bcc-tools, meaning no Clang & LLVM, nor kernel headers need to be installed on the host. The only requirement is a BTF capable Kernel (Linux Kernel 4.18+).
The resulting Go binary is statically linked. It does not depend on any external shared object dependencies.
libbpf is also statically compiled and included in the resulting Go binary. Fewer things required equals a smaller attack surface.
The binary statically links all the required libraries:
- libpthread (Needed by Go runtime)
- libelf (Needed by libbpf)
- libz (Needed by libbpf)
Read more on CO-RE and libbpf:
- BPF binaries: BTF, CO-RE, and the future of BPF perf tools - Brendan Gregg
- BPF Portability and CO-RE - Andrii Nakryiko
We provide signatures of release artifacts via sigstore. See parca-dev/parca-agent#16 for more details. And also see the default registry for the signatures: ghrc.io/parca-dev/parca-agent
Parca Agent uses automated code scanning to analyze the code in Parca Agent repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in review process, thanks to CodeQL.
Parca Agent supply chain uses Renovate and Dependabot to constantly keep the dependencies up-to-date against any security vulnerabilities.
As with any complex system, it is near certain that bugs will be found, some of them security-relevant. If you find a security bug, please report it privately to the [email protected] mailing list. We will fix the issue as soon as possible and coordinate a release date with you. You will be able to choose if you want public acknowledgement of your effort and if you want to be mentioned by name.
Parca is maintained by volunteers, not by a company. Therefore, fixing security issues is done on a best-effort basis. We strive to release security fixes within 7 days.