We will do our best, to the best of our knowledge, to provide maximum security when you use our open-source projects.
If you are only looking for the issue-reporting process, skip ahead to the reporting section.
We use the following SAST tools/services in our projects to maintain security:
| Tool / Service | Purpose | Usage |
|---|---|---|
| CodeQL | Analysis engine to automate security checks, and to perform variant analysis. | GitHub Actions* workflows: ci-cd*, scheduled* |
| DeepScan | Analyzes JavaScript projects, targeting runtime errors and quality issues. | Installed GitHub Apps* - DeepScan app |
| GitGuardian | Scans source code to detect API keys, passwords, certificates, encryption keys and other sensitive data. | Installed GitHub Apps* - GitGuardian app; GitHub Actions* workflows: ci-cd*, scheduled* |
| LGTM | Code analysis platform for finding zero-days and preventing critical vulnerabilities. | Installed GitHub Apps* - LGTM app |
| Snyk | Vulnerability scanner for the project codebase. | Installed GitHub Apps* - Snyk app; GitHub Actions* workflows: ci-cd*, scheduled* |
| SonarCloud | Detects security vulnerabilities, bugs and code smells, and provides clear remediation guidance to help fix issues in code. | Installed GitHub Apps* - SonarCloud app |
To ensure that our project dependencies stay up to date and secure, we use the following tools/services:
| Tool/service | Purpose | Usage |
|---|---|---|
| Deadpendency | Automated checks that project dependencies remain healthy over time. | Installed GitHub Apps* - Deadpendency app |
| Renovate | Automated dependency updates in projects. | Installed GitHub Apps* - Renovate app |
- GitHub Actions\*: configured as GitHub Actions workflows inside the public repositories of our GitHub organisation, in the directory ./.github/workflows.
- ci-cd\*: configured in the ./.github/workflows/ci-cd.yml workflow file. It runs on every push or pull request to the main branch.
- scheduled\*: configured in the ./.github/workflows/scheduled.yml workflow file. It runs on the main branch at a specified interval (not longer than once a week).
- Installed GitHub Apps\*: the application is installed within our organisation with access to our public repositories. It runs on every push or pull request.
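As an added illustration (not the organisation's own workflow file, which this page does not reproduce), here is a minimal workflow of the kind described above: a CodeQL scan that runs on pushes and pull requests to main and also on a weekly cron, granted only the permissions the CodeQL actions need. The job name, the cron time, the language list, the query pack and the action versions are assumptions chosen for the example.

```yaml
# Illustrative workflow, not the organisation's own file (layout assumed).
name: scheduled

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly, Monday 03:00 UTC (assumed value; the page only says "not longer than once a week").
    - cron: "0 3 * * 1"

# Start from no rights on the default token; each job requests only what it needs.
permissions: {}

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the source
      security-events: write  # upload SARIF results to code scanning
      actions: read           # required by the CodeQL action only on private repositories
    strategy:
      fail-fast: false
      matrix:
        language: [javascript-typescript]  # assumed; choose the languages the repository uses
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended  # broader security query pack than the default

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Pinning the `permissions` block to the minimum and keeping the weekly `schedule` trigger alongside `push`/`pull_request` is what lets one file cover both the per-change and the periodic scan the table refers to; results appear in the repository's Security tab under code scanning.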
We intend not to break any of your digital privacy rights on our projects.
That means:
- no abusive tracking practices,
- no third-party trackers,
- no friggin Facebook pixel,
- no Google Analytics,
- or whatever else exists these days.
We all want to feel safe on the internet. As well as have our privacy respected.
"Let's be humans, not products".
If you have found a security issue or have any concerns or doubts regarding privacy rights, please get in touch with us.
There are several options (the first one is recommended):
- Create a GitHub Security Advisory in the specific project repository where the security issue exists (in the Security tab/pane).
- Traditionally, via email: [email protected].
- Reach out to users with the Administrator or Maintainer role on our Discord server.
- Our team should acknowledge your report within 7 days (we are a small team).
- The team will investigate and update the issue with relevant information.
- If the team does NOT confirm the report, no further action will be taken by us. We will be sure to inform you of this result.
- If the team confirms the report, the team will take action to fix it immediately:
  - Commits will be handled in a private repository for review and testing.
  - A new patch version will be released from the private repository.
  - An announcement post disclosing the vulnerability will be written.