Security Policy
Supported Versions
| Version | Supported |
|---|---|
| main | ✅ |
Reporting a Vulnerability
- Do not open a public issue
- Email security concerns to ismo@ivuorinen.net
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will respond within 48 hours and work on a fix if validated.
Security Measures
This repository implements:
- CodeQL scanning
- OWASP Dependency Check
- Snyk vulnerability scanning
- Gitleaks secret scanning
- Trivy vulnerability scanner
- MegaLinter code analysis
- Regular security updates
- Automated fix PRs
- Daily security scans
- Weekly metrics collection
Vulnerability Suppressions
This repository uses OWASP Dependency Check for security scanning. Some vulnerabilities may be suppressed if:
- They are false positives
- They affect only test/development dependencies
- They have been assessed and determined to not be exploitable in our context
Suppression File
Suppressions are managed in suppressions.xml in the root directory. Each suppression must include:
- Detailed notes explaining why the vulnerability is suppressed
- Specific identifiers (CVE, package, etc.)
- Regular review date
Adding New Suppressions
To add a new suppression:
- Add the entry to `suppressions.xml`
- Include detailed notes explaining the reason
- Create a PR with the changes
- Get security team review
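A constructed `suppressions.xml` in the OWASP Dependency Check suppression format, added here as an illustration of the three required fields above (notes, specific identifier, review date); it is not the repository's actual file, and the package names, dates and the `CVE-YYYY-NNNNN` id are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: package names, dates and the CVE id are placeholders,
     not findings from this repository. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Reason: false positive. The CPE matcher mapped a library to an unrelated product.
       "until" is the review date: once it passes, the suppression expires and the
       finding reappears in the next scan, so it cannot be forgotten. -->
  <suppress until="2025-06-30Z">
    <notes><![CDATA[
      False positive: CPE cpe:/a:example_vendor:example_product is an unrelated product
      with the same name. Reviewed in PR #<placeholder>; re-evaluate at the monthly review.
    ]]></notes>
    <!-- Scope the suppression to the exact package, not to every dependency -->
    <packageUrl regex="true">^pkg:npm/@example/[a-z-]+@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

  <!-- Reason: affects only a development dependency that never ships in the action. -->
  <suppress until="2025-06-30Z">
    <notes><![CDATA[
      CVE-YYYY-NNNNN (placeholder; replace with the real id) affects example-test-runner,
      a devDependency used only in CI test jobs. Not reachable from action runtime code.
    ]]></notes>
    <packageUrl regex="true">^pkg:npm/example-test-runner@.*$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

Suppressions keyed on a single CVE and a single package URL stay narrow; a bare `<cpe>` without a package scope would silence every future finding against that product.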
Reviewing Suppressions
Suppressions are reviewed:
- Monthly during security scans
- When related dependencies are updated
- During security audits
Security Best Practices
When using these actions:
- Pin to commit hashes instead of tags
- Use least-privilege token permissions
- Validate all inputs
- Set appropriate timeouts
- Configure required security scanners:
  - Add `suppressions.xml` for OWASP Dependency Check
  - Add `.gitleaks.toml` for Gitleaks configuration
  - Add
Required Secrets
The following secrets should be configured in your repository:
| Secret Name | Description | Required |
|---|---|---|
| SNYK_TOKEN | Token for Snyk vulnerability scanning | Optional |
| GITLEAKS_LICENSE | License for Gitleaks scanning | Optional |
| SLACK_WEBHOOK | Webhook URL for Slack notifications | Optional |
| SONAR_TOKEN | Token for SonarCloud analysis | Optional |
| FIXIMUS_TOKEN | Token for automated fixes | Optional |
Security Workflows
This repository includes several security-focused workflows:
- Daily Security Checks (`security.yml`)
  - Runs comprehensive security scans
  - Creates automated fix PRs
  - Generates security reports
- Action Security (`action-security.yml`)
  - Validates GitHub Action files
  - Checks for hardcoded credentials
  - Scans for vulnerabilities
- CodeQL Analysis (`codeql.yml`)
  - Analyzes code for security issues
  - Runs on multiple languages
  - Weekly scheduled scans
- Security Metrics (`security-metrics.yml`)
  - Collects security metrics
  - Generates trend reports
  - Weekly analysis
Security Reports
Security scan results are available as:
- SARIF reports in GitHub Security tab
- Artifacts in workflow runs
- Automated issues for critical findings
- Weekly trend reports
- Security metrics dashboard
Automated Fixes
The repository automatically:
- Creates PRs for fixable vulnerabilities
- Updates dependencies with security issues
- Fixes code security issues
- Creates detailed fix documentation
Regular Reviews
We conduct:
- Daily automated security scans
- Weekly metrics analysis
- Monthly suppression reviews
- Regular dependency updates
Contributing
When contributing to this repository:
- Follow security best practices
- Do not commit sensitive information
- Use provided security tools
- Review security documentation
Support
For security-related questions:
- Review existing security documentation
- Check closed security issues
- Contact security team at ismo@ivuorinen.net
Do not open public issues for security concerns.
License
The security policy and associated tools are covered under the repository's MIT license.