21073880822
78%

Ran 16 Jan 2026 04:57PM UTC

Jobs 1

Files 293

Run time 1min

Badge

Embed ▾

Committed 16 Jan 2026 04:44PM UTC coverage: 78.395% (-0.01%) from 78.407%

Build # 21073880822

Build Type

push

github

Committed by

web-flow

Commit Message

security: disable lua scripting by default (#3830)

There is a weakness that can be abused by a default skipper installation
such that you can read arbitrary files as skipper process. It depends on
the custom installation and environment if this is actually exploitable
by untrusted people. Since 2022 we provide a detailed Lua [config
guide](https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources)
such that operators can choose how to use Lua even in less trusted
environments. For example you can use -lua-sources=file and only
operators that can provide a file accessible to the skipper process are
able to reference lua sources and execute provided scripts.

Thanks defang bo providing us a detailed report how to exploit this
vulnerability that is available by default in skipper versions <v0.23

Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>

Run Details

3 of 12 new or added lines in 2 files covered. (25.0%)

24594 of 31372 relevant lines covered (78.39%)

95447.02 hits per line

New Missed Lines in Diff

Lines	Coverage	∆	File
9	67.0	-0.61%	skipper.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	21073880822.1	16 Jan 2026 04:57PM UTC	293	78.39	GitHub Action Run

zalando / skipper / 21073880822
78%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Jobs

Source Files on build 21073880822

zalando / skipper / 21073880822 78%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Jobs

Source Files on build 21073880822

zalando / skipper / 21073880822
78%

README BADGES
x