akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f326194de00fd6b290236131e8699fc82baf3e91
caddy-proxy-manager/SECURITY.md
Claude f326194de0 Remove Trivy vulnerability scanning from pipeline 
Removed all Trivy-related security scanning:
- Removed "Extract first tag for Trivy" step
- Removed "Run Trivy vulnerability scanner" step
- Removed "Upload Trivy results to GitHub Security" step
- Removed "Run Trivy in table format" step
- Removed security-events permission (no longer needed)

Updated SECURITY.md:
- Removed Trivy vulnerability scanning references
- Removed SARIF upload references
- Kept other security measures intact

The workflow now focuses on:
- Fork PR protection
- SBOM generation
- Provenance attestation
- Dependabot updates
2025-11-04 21:52:02 +00:00

2.4 KiB
Raw Blame History

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version Supported
latest
< 1.0

Reporting a Vulnerability

If you discover a security vulnerability, please report it by:

  1. DO NOT open a public issue
  2. Email the maintainers or use GitHub's private vulnerability reporting
  3. Include detailed information about the vulnerability:
    • Type of vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We will respond within 48 hours and provide regular updates on the fix progress.

Security Measures

Build Pipeline Security

Our CI/CD pipeline implements multiple security layers:

  1. Fork PR Protection: Pull requests from forks require manual approval (via safe-to-build label) before builds run
  2. SBOM Generation: Software Bill of Materials is generated for all builds
  3. Provenance Attestation: Build provenance is recorded for supply chain security
  4. Limited Permissions: Workflows use minimal required permissions
  5. No Push from PRs: Pull requests only build images locally, never push to registry

Container Security

  • Multi-architecture support (amd64, arm64)
  • Regular base image updates
  • Minimal attack surface
  • Non-root user execution where possible

Dependency Management

  • Automated dependency updates via Dependabot
  • Security alerts enabled
  • Regular security audits

Security Best Practices for Contributors

When contributing:

  1. Never commit secrets, tokens, or credentials
  2. Use environment variables for sensitive configuration
  3. Keep dependencies up to date
  4. Follow principle of least privilege
  5. Validate and sanitize all user inputs
  6. Use parameterized queries for database operations

Automated Security Checks

Our repository includes:

  • Dependabot for dependency updates
  • GitHub Security Advisories monitoring

Safe-to-Build Label

For maintainers reviewing fork PRs:

  1. Review the PR code thoroughly for malicious content
  2. Check for suspicious file modifications
  3. Verify no secrets or credentials are exposed
  4. Only add safe-to-build label if code is verified safe
  5. Remove label immediately if concerns arise

Security Updates

Security updates are prioritized and released as soon as possible. Subscribe to repository releases to stay informed.

Reference in New Issue View Git Blame Copy Permalink