diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..65e1657
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "nuget"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..90a4d02
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "dev", "master", "main" ]
+ pull_request:
+ branches: [ "dev", "master", "main" ]
+ schedule:
+ - cron: '16 12 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: csharp
+ build-mode: autobuild
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4be3abe
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please follow these steps to report it:
+
+1. **Do not** create a public GitHub issue for the vulnerability.
+2. Send an email to [security@eeeparker.dev](mailto:security@eeeparker.dev) with a detailed description of the vulnerability.
+3. Include any relevant information, such as steps to reproduce the vulnerability or proof-of-concept code.
+4. Provide your contact information so that we can follow up with you.
+
+## Response Timeline
+
+We will do our best to respond to your report in a timely manner. Here is an outline of our response process:
+
+- We will acknowledge your report within 7 days.
+- Our team will investigate the reported vulnerability and determine its impact.
+- We will work on developing a fix for the vulnerability.
+- Once a fix is ready, we will release a security update.
+- We will publicly acknowledge your contribution if you choose to be credited.
+
+## Supported Versions
+
+This project is actively maintained and security updates will be provided for the following versions:
+
+- Version 4.x.x (latest stable release)
+
+If you are using an older version, we recommend upgrading to the latest stable release to benefit from the latest security fixes.
+
+## Security Measures
+
+We take security seriously and have implemented the following measures to protect our users:
+
+- Regular code reviews and security audits.
+- Secure coding practices and adherence to industry best practices.
+- Continuous monitoring and vulnerability scanning of our systems.
+
+## Contact
+
+If you have any questions or concerns regarding the security of this project, please contact us at [security@example.com](mailto:security@eeparker.dev).
\ No newline at end of file
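Review bot: The three `uses:` lines in codeql.yml (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) pin to mutable major-version tags, so the code that runs with `security-events: write` can change without any change to this repository. Pinning each to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder, resolve the real SHA for the release you intend), makes the workflow reproducible and auditable, and the `github-actions` Dependabot entry added in the same commit will keep SHA pins current. Separately, the `category` value uses `${{matrix.language}}` without the inner spaces that the other expressions in this file use; writing it `"/language:${{ matrix.language }}"` keeps the file consistent, and a leading `---` would match the document-start style used in dependabot.yml.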
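Review bot: The reporting address is inconsistent within the same file: step 2 of "Reporting a Vulnerability" links `security@eeeparker.dev`, while the "Contact" paragraph displays `security@example.com` but links `mailto:security@eeparker.dev`, a different domain spelling. A reporter who copies the visible text in the Contact section will mail a placeholder domain, and the two `.dev` spellings cannot both be right, so the one real mailbox should be used in both places, in the link text and the `mailto:` target alike. I cannot tell from the diff which spelling is the real domain, so please verify it against the actual mailbox before fixing.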