From 59de03cba3f73d9058cf14a711ff3718a095850c Mon Sep 17 00:00:00 2001
From: "Jeff Parker, PE"
Date: Tue, 2 Apr 2024 22:40:54 -0500
Subject: [PATCH 1/5] Add dependabot configuration
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..751bdb7
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "nuget"
+ directory: "/"
+ schedule:
+ interval: "daily"
\ No newline at end of file
From 843924b0013a99d712916daca7120be77de17454 Mon Sep 17 00:00:00 2001
From: "Jeff Parker, PE"
Date: Tue, 2 Apr 2024 22:47:33 -0500
Subject: [PATCH 2/5] Add codeql
---
 .github/workflows/codeql.yml | 48 ++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..4dbad20
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "dev" ]
+ pull_request:
+ branches: [ "dev" ]
+ schedule:
+ - cron: '16 12 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: csharp
+ build-mode: autobuild
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
From afabdcdf95141e1d58163c6a50d15905d6740aa5 Mon Sep 17 00:00:00 2001
From: "Jeff Parker, PE"
Date: Tue, 2 Apr 2024 23:02:23 -0500
Subject: [PATCH 3/5] Add security policy
---
 SECURITY.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4be3abe
--- /dev/null
+++ b/SECURITY.md
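Review bot: The three `uses:` references in the `steps` section (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) are pinned to mutable major-version tags, so each run executes whatever commit the tag points at when the job starts. Pinning each to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, makes the executed action content immutable and reviewable; the `github-actions` Dependabot entry added in the first patch of this series still proposes updates for SHA-pinned actions, so the maintenance cost is the same. With the already-scoped `permissions:` block this closes the remaining supply-chain gap in the workflow.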
@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please follow these steps to report it:
+
+1. **Do not** create a public GitHub issue for the vulnerability.
+2. Send an email to [security@eeeparker.dev](mailto:security@eeeparker.dev) with a detailed description of the vulnerability.
+3. Include any relevant information, such as steps to reproduce the vulnerability or proof-of-concept code.
+4. Provide your contact information so that we can follow up with you.
+
+## Response Timeline
+
+We will do our best to respond to your report in a timely manner. Here is an outline of our response process:
+
+- We will acknowledge your report within 7 days.
+- Our team will investigate the reported vulnerability and determine its impact.
+- We will work on developing a fix for the vulnerability.
+- Once a fix is ready, we will release a security update.
+- We will publicly acknowledge your contribution if you choose to be credited.
+
+## Supported Versions
+
+This project is actively maintained and security updates will be provided for the following versions:
+
+- Version 4.x.x (latest stable release)
+
+If you are using an older version, we recommend upgrading to the latest stable release to benefit from the latest security fixes.
+
+## Security Measures
+
+We take security seriously and have implemented the following measures to protect our users:
+
+- Regular code reviews and security audits.
+- Secure coding practices and adherence to industry best practices.
+- Continuous monitoring and vulnerability scanning of our systems.
+
+## Contact
+
+If you have any questions or concerns regarding the security of this project, please contact us at [security@example.com](mailto:security@eeparker.dev).
\ No newline at end of file
From 882bb2d75cd6cd32ff04759fc359d33f4db2deda Mon Sep 17 00:00:00 2001
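Review bot: The policy gives three different reporting addresses: step 2 of "Reporting a Vulnerability" uses `security@eeeparker.dev`, while the "Contact" line displays `security@example.com` and links to `mailto:security@eeparker.dev`, which differs from the first spelling by one `e`. A reporter who copies the displayed address sends a private disclosure to a placeholder domain, and one who clicks the link may reach a mistyped domain that is not monitored or is owned by someone else. Settle on the one mailbox that is actually monitored and use it in both places, e.g. `[security@eeeparker.dev](mailto:security@eeeparker.dev)` in the Contact line if that is the correct spelling, and verify that it accepts mail before the policy is published.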
From: "Jeff Parker, PE"
Date: Tue, 2 Apr 2024 23:16:24 -0500
Subject: [PATCH 4/5] Update dependabot.yml add newline
---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 751bdb7..65e1657 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,4 +8,4 @@ updates:
 - package-ecosystem: "nuget"
 directory: "/"
 schedule:
- interval: "daily"
\ No newline at end of file
+ interval: "daily"
From 6c8ecab27c987f98ac2e038c4abc066ab7526528 Mon Sep 17 00:00:00 2001
From: "Jeff Parker, PE"
Date: Tue, 2 Apr 2024 23:35:21 -0500
Subject: [PATCH 5/5] update branches
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4dbad20..90a4d02 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,9 +2,9 @@ name: "CodeQL"
 on:
 push:
- branches: [ "dev" ]
+ branches: [ "dev", "master", "main" ]
 pull_request:
- branches: [ "dev" ]
+ branches: [ "dev", "master", "main" ]
 schedule:
 - cron: '16 12 * * 6'