Security Policy, scanning and dependency updates #176

Status: Merged (5 commits), Apr 3, 2024
11 changes: 11 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,11 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "nuget"
directory: "/"
schedule:
interval: "daily"
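Review bot: the `nuget` entry runs daily with no `open-pull-requests-limit` and no `groups:` stanza, so every transitive package bump arrives as its own PR, and each of those PRs runs the `pull_request` workflows on the target branch; consider `interval: "weekly"` to match the `github-actions` entry, or add a `groups:` block so minor and patch updates land together in one PR. Note also that this file only schedules version updates: Dependabot security alerts and automatic security updates are switched on in the repository's settings, not by this YAML, so check that those are enabled as well.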
48 changes: 48 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,48 @@
name: "CodeQL"

on:
push:
branches: [ "dev", "master", "main" ]
pull_request:
branches: [ "dev", "master", "main" ]
schedule:
- cron: '16 12 * * 6'

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: 'ubuntu-latest'
timeout-minutes: 360
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read

strategy:
fail-fast: false
matrix:
include:
- language: csharp
build-mode: autobuild
steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
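Review bot: `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` are referenced by mutable major-version tags, so the code that runs in a job holding `security-events: write` can change without any commit to this repository; pin each `uses:` to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<sha> # v4`), which the `github-actions` Dependabot entry added in this PR will keep current. Two smaller points: `build-mode: autobuild` for csharp depends on autobuild finding and building the solution, so if the job fails at the init or analyze step switch to `build-mode: manual` and add explicit `dotnet build` steps between init and analyze; and the `actions: read` permission carries a comment saying it is only needed for private repositories, so it can be dropped if this repository is public.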
40 changes: 40 additions & 0 deletions SECURITY.md
@@ -0,0 +1,40 @@
# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in this project, please follow these steps to report it:

1. **Do not** create a public GitHub issue for the vulnerability.
2. Send an email to [[email protected]](mailto:[email protected]) with a detailed description of the vulnerability.
3. Include any relevant information, such as steps to reproduce the vulnerability or proof-of-concept code.
4. Provide your contact information so that we can follow up with you.

## Response Timeline

We will do our best to respond to your report in a timely manner. Here is an outline of our response process:

- We will acknowledge your report within 7 days.
- Our team will investigate the reported vulnerability and determine its impact.
- We will work on developing a fix for the vulnerability.
- Once a fix is ready, we will release a security update.
- We will publicly acknowledge your contribution if you choose to be credited.

## Supported Versions

This project is actively maintained and security updates will be provided for the following versions:

- Version 4.x.x (latest stable release)

If you are using an older version, we recommend upgrading to the latest stable release to benefit from the latest security fixes.

## Security Measures

We take security seriously and have implemented the following measures to protect our users:

- Regular code reviews and security audits.
- Secure coding practices and adherence to industry best practices.
- Continuous monitoring and vulnerability scanning of our systems.

## Contact

If you have any questions or concerns regarding the security of this project, please contact us at [[email protected]](mailto:[email protected]).
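Review bot: the reporting address appears as the placeholder `[email protected]` in both the Reporting a Vulnerability steps and the Contact section; verify it is a real, monitored mailbox before merging, and consider also enabling GitHub's private vulnerability reporting so reporters have a channel that does not depend on e-mail. The policy commits to a 7-day acknowledgement but gives no fix or disclosure timeline; a sentence such as "we aim to release a fix within 90 days of a confirmed report, after which the reporter may disclose" sets expectations for both sides. The "Security Measures" list claims regular security audits and continuous monitoring, which nothing in this PR substantiates; either remove those bullets or replace them with what the PR actually adds (CodeQL analysis on push, pull request and a weekly schedule, and Dependabot updates for NuGet and GitHub Actions). Finally, "Supported Versions" lists only `4.x.x`; state the cut-off explicitly (for example, no fixes for 3.x and earlier) so users of older releases do not expect backports.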