Skip to content

Security: gabrielvfonseca/site

Security

Report a vulnerability

.github/SECURITY.md

Security

This document outlines the security measures implemented in this project and how to report security vulnerabilities.

Security Scanning

This project uses Snyk for comprehensive security scanning including:

  • Dependency vulnerability scanning - Checks for known vulnerabilities in npm packages
  • Code analysis - Scans source code for security issues and vulnerabilities
  • Docker image scanning - Analyzes Docker images for security vulnerabilities
  • License compliance - Ensures all dependencies comply with project license requirements

Security Workflows

1. Security Scan Workflow (.github/workflows/security.yml)

Runs on:

  • Every push to main branch
  • Every pull request to main branch
  • Daily at 2 AM UTC (scheduled)
  • Manual trigger via workflow dispatch

Features:

  • Scans all workspace packages for vulnerabilities
  • Performs code analysis for security issues
  • Scans Docker images if present
  • Comments on pull requests with security findings
  • Uploads results to GitHub Code Scanning
  • Configurable severity thresholds
  • Optional failure on security issues

2. Build Workflow Integration

The build workflow (.github/workflows/build.yml) includes a quick security check that:

  • Runs a high-severity vulnerability scan
  • Continues on error to not block builds
  • Provides early warning of critical security issues

Configuration Files

.snyk - Snyk Policy File

  • Defines vulnerability ignore rules
  • Configures patch settings
  • Sets severity thresholds
  • Manages language-specific settings

snyk.json - Snyk Configuration

  • JSON schema for Snyk settings
  • Package manager configuration
  • Exclusion patterns for files and paths
  • Severity level configurations

Setup Instructions

1. Snyk Account Setup

  1. Create a free account at snyk.io
  2. Connect your GitHub repository
  3. Get your Snyk API token from the account settings

2. GitHub Secrets Configuration

Add the following secrets to your GitHub repository:

# Required
SNYK_TOKEN=your_snyk_api_token_here

# Optional (for enhanced reporting)
SNYK_ORG_ID=your_snyk_organization_id

3. Repository Settings

  1. Go to repository Settings → Security
  2. Enable "Dependabot alerts" for additional vulnerability monitoring
  3. Enable "Code scanning" to view Snyk results in GitHub's security tab
  4. Configure branch protection rules to require security checks

4. Local Development

Install Snyk CLI for local development:

npm install -g snyk

Authenticate with your Snyk account:

snyk auth

Run security scans locally:

# Scan dependencies
snyk test

# Scan code
snyk code test

# Monitor for new vulnerabilities
snyk monitor

Security Policies

Vulnerability Severity Levels

  • Critical: Immediate action required
  • High: Address within 24-48 hours
  • Medium: Address within 1-2 weeks
  • Low: Address when convenient

Response Process

  1. Detection: Snyk automatically detects vulnerabilities
  2. Notification: Team is notified via GitHub Actions and Snyk dashboard
  3. Assessment: Review vulnerability details and impact
  4. Remediation: Apply fixes, patches, or workarounds
  5. Verification: Re-scan to confirm issues are resolved

Ignoring Vulnerabilities

To ignore a vulnerability (use with caution):

  1. Add to .snyk file:
ignore:
  'vulnerability-id':
    reason: 'Brief explanation of why this is safe to ignore'
    expires: '2024-12-31T23:59:59.999Z'
  1. Or use Snyk CLI:
snyk ignore --id=vulnerability-id --reason="Explanation"

Reporting Security Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  1. DO NOT create a public GitHub issue
  2. Email security concerns to: [security@yourdomain.com]
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 24 hours
  • Initial Assessment: Within 72 hours
  • Resolution: Depends on severity (see severity levels above)

Security Best Practices

For Developers

  1. Keep dependencies updated: Regularly update packages to latest versions
  2. Review security alerts: Address Snyk findings promptly
  3. Use secure coding practices: Follow OWASP guidelines
  4. Validate inputs: Always validate and sanitize user inputs
  5. Use HTTPS: Ensure all communications are encrypted
  6. Implement proper authentication: Use secure authentication methods
  7. Regular security reviews: Conduct periodic code reviews

For CI/CD

  1. Automated scanning: Security scans run on every build
  2. Fail on critical issues: Block deployments with critical vulnerabilities
  3. Regular updates: Keep security tools and dependencies updated
  4. Monitor dependencies: Use tools like Dependabot for automated updates

Additional Resources

Contact

For security-related questions or concerns, please contact:

Last Updated: December 2024 Version: 1.0.0

There aren’t any published security advisories