Security Policy, scanning and dependency updates (#176)

EEParker · web-flow · commit 6efcdf76215b · 2024-04-03T08:36:35.000-05:00
* Add dependabot configuration

* Add codeql

* Add security policy

* Update dependabot.yml add newline

* update branches
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "dev", "master", "main" ]
+  pull_request:
+    branches: [ "dev", "master", "main" ]
+  schedule:
+    - cron: '16 12 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 360
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: csharp
+          build-mode: autobuild
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please follow these steps to report it:
+
+1. **Do not** create a public GitHub issue for the vulnerability.
+2. Send an email to [security@eeeparker.dev](mailto:security@eeeparker.dev) with a detailed description of the vulnerability.
+3. Include any relevant information, such as steps to reproduce the vulnerability or proof-of-concept code.
+4. Provide your contact information so that we can follow up with you.
+
+## Response Timeline
+
+We will do our best to respond to your report in a timely manner. Here is an outline of our response process:
+
+- We will acknowledge your report within 7 days.
+- Our team will investigate the reported vulnerability and determine its impact.
+- We will work on developing a fix for the vulnerability.
+- Once a fix is ready, we will release a security update.
+- We will publicly acknowledge your contribution if you choose to be credited.
+
+## Supported Versions
+
+This project is actively maintained and security updates will be provided for the following versions:
+
+- Version 4.x.x (latest stable release)
+
+If you are using an older version, we recommend upgrading to the latest stable release to benefit from the latest security fixes.
+
+## Security Measures
+
+We take security seriously and have implemented the following measures to protect our users:
+
+- Regular code reviews and security audits.
+- Secure coding practices and adherence to industry best practices.
+- Continuous monitoring and vulnerability scanning of our systems.
+
+## Contact
+
+If you have any questions or concerns regarding the security of this project, please contact us at [security@example.com](mailto:security@eeparker.dev).
