PhotoSync uses multiple automated security scanning tools to ensure code quality and security:

• What: Static code analysis to find security vulnerabilities
• Detects: SQL injection, XSS, command injection, path traversal, etc.
• Runs: Automatically by GitHub Advanced Security
• Results: Available in the Security tab
• Note: Managed by GitHub, not in workflow files

• What: Reviews dependencies for vulnerabilities and incompatible licenses
• Detects: Vulnerable or incompatible licenses (GPL, AGPL, LGPL, MPL, etc.)
• Runs: On every pull request (requires base/head comparison)
• Action: PR blocked if moderate+ severity vulnerabilities or copyleft licenses found

• What: Scans NuGet packages for known vulnerabilities
• Detects: CVEs in dependencies (direct and transitive)
• Runs: Every push, PR, weekly schedule, and manual dispatch
• Action: Build fails if vulnerabilities found, uploads report artifact

• What: Microsoft Security DevOps scans Terraform code
• Detects: Security misconfigurations, best practice violations
• Runs: Every push, PR, weekly schedule, and manual dispatch
• Tools: Checkov, Terrascan, Template Analyzer
• Results: Available in the Security tab

• What: Detects leaked secrets in code
• Detects: API keys, passwords, tokens
• Runs: Automatically by GitHub Advanced Security
• Action: Alerts sent to repository maintainers
• Note: Managed by GitHub, not in workflow files

• What: Automated dependency updates
• Runs: Weekly
• Action: Creates PRs for security updates automatically
• Scope: NuGet packages, GitHub Actions, npm packages

• Log Analytics Workspace: Centralized logging for all resources
• Diagnostic Settings: Automatic logging for Function Apps and Key Vault
• Security Alerts: Automated alerts for failures and anomalies
• Managed Identity: Function Apps access Key Vault without passwords
• Key Vault: Stores all secrets (refresh tokens, client secrets)

All security monitoring is configured automatically when you run terraform apply:

• ✅ Log Analytics workspace creation
• ✅ Diagnostic settings for Function Apps
• ✅ Diagnostic settings for Key Vault (audit logs)
• ✅ Alert rules for HTTP 5xx errors
• ✅ Alert rules for Key Vault access failures
• ✅ Alert rules for unusual file processing activity

No manual setup required!

If you discover a security vulnerability, please:

1. Do NOT open a public GitHub issue
2. Email the details to the repository owner
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We will respond within 48 hours and work on a fix.

1. Automated: Dependabot creates PRs for security updates
2. Review: Security team reviews and approves
3. Deploy: Changes deployed via CI/CD pipeline
4. Verify: Post-deployment security verification

• ✅ Never commit secrets (API keys, passwords, tokens)
• ✅ Use Key Vault references for sensitive configuration
• ✅ Keep dependencies up to date
• ✅ Follow principle of least privilege
• ✅ Enable 2FA on GitHub account
• ✅ Review security alerts promptly

• ✅ Rotate secrets every 90 days
• ✅ Review Azure Security Center recommendations
• ✅ Monitor Application Insights for anomalies
• ✅ Keep Function App runtime updated
• ✅ Review Key Vault access logs monthly

• OWASP Top 10: Covered by CodeQL analysis
• CWE Top 25: Scanned by CodeQL
• CVE Database: Checked by Dependabot and NuGet scanner
• Least Privilege: Enforced via Managed Identity and Key Vault

View security metrics in:

• GitHub Security tab: Code scanning, Dependabot, Secret scanning alerts
• Azure Security Center: Runtime security posture
• Application Insights: Security-related telemetry

For security-related questions, see:

• GitHub Security Documentation
• Azure Security Best Practices
• License Compliance Documentation