Add SAST security checks with SECURITY.md #178
This commit incorporates Static Analysis Security Testing (SAST) using CodeQL. This integration will enforce consistent security assessments with every change and on a predetermined schedule. This commit also involves a restructure of security checks. The existing security-checks workflow is renamed to better reflect its functionality related to dependency audits. These changes will enhance the project's resilience against potential vulnerabilities in both the codebase and third-party dependencies.

Changes include:

- Remove older LGTM badge that's replaced by SAST checks.
- Rename `checks.security.yaml` to `checks.security.dependencies.yaml`, reinforcing the focus on dependency audits.
- Update `README.md`, ensuring the clear representation of security check statuses, including new SAST integration.
- Add new `SECURITY.md`, establishing the protocol for reporting vulnerabilities and outlining the project's commitment to robust security testing.
- Enhance `docs/tests.md` with detailed information on the newly integrated security checks.
- Add reference to SECURITY.md in README.md.
1 parent 7669985, commit 3e5239f
Showing 5 changed files with 97 additions and 15 deletions.
2 changes: 1 addition & 1 deletion
.github/workflows/checks.security.yaml → ...rkflows/checks.security.dependencies.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
name: security-checks | ||
name: checks.security.dependencies | ||
|
||
on: | ||
push: | ||
|
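Review bot: renaming both the file and the workflow `name` (from `security-checks` to `checks.security.dependencies`) breaks any status badge or `workflow_run` reference that still uses the old name; the commit message says `README.md` was updated, but that hunk is not shown here, so confirm the badge URL now points at `checks.security.dependencies.yaml`. A one-line comment under `name:` stating that this workflow covers dependency audits only would also help readers tell it apart from the new SAST workflow.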
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
name: checks.security.sast | ||
|
||
on: | ||
push: | ||
pull_request: | ||
schedule: | ||
- cron: '0 0 * * 0' # at 00:00 on every Sunday | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
runs-on: ubuntu-latest | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
language: [ | ||
javascript # analyzes code written in JavaScript, TypeScript and both. | ||
] | ||
|
||
steps: | ||
- | ||
name: Checkout | ||
uses: actions/checkout@v3 | ||
- | ||
name: Initialize CodeQL | ||
uses: github/codeql-action/init@v2 | ||
with: | ||
languages: ${{ matrix.language }} | ||
queries: +security-and-quality | ||
- | ||
name: Autobuild | ||
uses: github/codeql-action/autobuild@v2 | ||
- | ||
name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v2 | ||
with: | ||
category: "/language:${{ matrix.language }}" |
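Review bot: the four `uses:` references (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/autobuild@v2`, `github/codeql-action/analyze@v2`) are pinned to mutable major-version tags; for a workflow that is itself a security control, pin each to a full commit SHA with the tag kept in a trailing comment, so a moved or compromised tag cannot change what runs. Two smaller points: `push:` and `pull_request:` carry no branch filter, so a pull request opened from a branch in this repository is analysed twice (once per event), and the matrix comment `# analyzes code written in JavaScript, TypeScript and both.` reads oddly, `# the javascript pack also covers TypeScript` says the same thing clearly. The `permissions:` block is right: read-only apart from `security-events: write`, which is exactly what the `analyze` step needs to upload results.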
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# Security Policy | ||
|
||
privacy.sexy takes security seriously. Commitment is made to address all security issues with urgency. Responsible reporting of any discovered vulnerabilities in the project is highly encouraged. | ||
|
||
## Reporting a Vulnerability | ||
|
||
Efforts to responsibly disclose findings are greatly appreciated. To report a security vulnerability, follow these steps: | ||
|
||
- For general vulnerabilities, [open an issue](https://github.com/undergroundwires/privacy.sexy/issues/new/choose) using the bug report template. | ||
- For sensitive matters, [contact the developer directly](https://undergroundwires.dev). | ||
|
||
## Security Report Handling | ||
|
||
Upon receipt of a security report, the following actions will be taken: | ||
|
||
- The report will be confirmed, identifying the affected components. | ||
- The impact and severity of the issue will be assessed. | ||
- Work on a fix and plan a release to address the vulnerability will be initiated. | ||
- The reporter will be kept updated about the progress. | ||
|
||
## Testing | ||
|
||
Regular and extensive testing is conducted to ensure robust security in the project. Information about testing practices can be found in the [Testing Documentation](./docs/tests.md). | ||
|
||
## Support | ||
|
||
For additional assistance or any unanswered questions, [submit a GitHub issue](https://github.com/undergroundwires/privacy.sexy/issues/new/choose). Security concerns are a priority, and necessary support to address them is assured. | ||
|
||
--- | ||
|
||
Active contribution to the safety and security of privacy.sexy is thanked. This collaborative effort keeps the project resilient and trustworthy for all. |
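Review bot: the "Reporting a Vulnerability" section sends "general vulnerabilities" to a public issue via the bug report template, which publishes the details before a fix exists; route every vulnerability report through the private channel (the direct developer contact) and reserve public issues for non-security bugs. The "Security Report Handling" list gives no acknowledgement or response-time expectation; a line such as "Reports are acknowledged within N days" (with the real number) tells reporters when to follow up. Minor style: the passive constructions ("Commitment is made", "is thanked") read awkwardly, "We commit to" and "Thank you for" would be more natural.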