akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
6dc27cb8132cb5362778de86cf2ac294c4f4cb6a
caddy-proxy-manager/SECURITY.md
T
Claude 6dc27cb813 Use version tags for GitHub Actions for better maintainability 
Changed from SHA-pinned actions to version tags (e.g., @v3, @v4, @v5)
for easier maintenance and automatic security updates via Dependabot.

While SHA pinning provides slightly better supply chain security, version
tags with Dependabot updates provide a better balance of security and
maintainability for most projects.

Updated actions:
- actions/checkout@v4
- docker/setup-buildx-action@v3
- docker/login-action@v3
- docker/metadata-action@v5
- docker/build-push-action@v5
- aquasecurity/trivy-action@0.24.0
- github/codeql-action/upload-sarif@v3

Dependabot will automatically create PRs for security updates.
2025-11-04 21:36:51 +00:00

85 lines
2.6 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
We release patches for security vulnerabilities for the following versions:
| Version | Supported |
| ------- | ------------------ |
| latest | :white_check_mark: |
| < 1.0 | :x: |
## Reporting a Vulnerability
If you discover a security vulnerability, please report it by:
1. **DO NOT** open a public issue
2. Email the maintainers or use GitHub's private vulnerability reporting
3. Include detailed information about the vulnerability:
- Type of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and provide regular updates on the fix progress.
## Security Measures
### Build Pipeline Security
Our CI/CD pipeline implements multiple security layers:
1. **Fork PR Protection**: Pull requests from forks require manual approval (via `safe-to-build` label) before builds run
2. **Vulnerability Scanning**: All images are scanned with Trivy for CRITICAL and HIGH vulnerabilities
3. **SBOM Generation**: Software Bill of Materials is generated for all builds
4. **Provenance Attestation**: Build provenance is recorded for supply chain security
5. **Limited Permissions**: Workflows use minimal required permissions
6. **No Push from PRs**: Pull requests only build images locally, never push to registry
### Container Security
- Multi-architecture support (amd64, arm64)
- Regular base image updates
- Minimal attack surface
- Non-root user execution where possible
### Dependency Management
- Automated dependency updates via Dependabot
- Security alerts enabled
- Regular security audits
## Security Best Practices for Contributors
When contributing:
1. Never commit secrets, tokens, or credentials
2. Use environment variables for sensitive configuration
3. Keep dependencies up to date
4. Follow principle of least privilege
5. Validate and sanitize all user inputs
6. Use parameterized queries for database operations
## Automated Security Checks
Our repository includes:
- **Trivy vulnerability scanning** on every build
- **Dependabot** for dependency updates
- **GitHub Security Advisories** monitoring
- **SARIF upload** to GitHub Security tab for vulnerability tracking
## Safe-to-Build Label
For maintainers reviewing fork PRs:
1. Review the PR code thoroughly for malicious content
2. Check for suspicious file modifications
3. Verify no secrets or credentials are exposed
4. Only add `safe-to-build` label if code is verified safe
5. Remove label immediately if concerns arise
## Security Updates
Security updates are prioritized and released as soon as possible. Subscribe to repository releases to stay informed.
Reference in New Issue View Git Blame Copy Permalink