| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Proactive Security Measures |
| 4 | + |
| 5 | +To proactively detect and address security vulnerabilities, we utilize several robust tools and processes: |
| 6 | + |
| 7 | +- **Dependency Updates:** We use [Renovate](https://renovatebot.com) and [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) to keep our dependencies updated and promptly patch detected vulnerabilities through automated PRs. |
| 8 | +- **[GitHub's Security Features](https://github.com/features/security):** Our repository and dependencies are continuously monitored via GitHub's security features, which include: |
| 9 | + - **Code Scanning:** Using GitHub's CodeQL, all pull requests are scanned to identify potential vulnerabilities in our source code. |
| 10 | + - **Automated Alerts:** Dependabot identifies vulnerabilities based on the GitHub Advisory Database and opens PRs with patches, while automated [secret scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-for-partner-patterns) provides alerts for detected secrets. |
| 11 | +- **[GitGuardian Security Checks](https://www.gitguardian.com/):** We employ GitGuardian to ensure security checks are performed on the codebase, enhancing the overall security of our project. |
| 12 | +- **Code Analysis and Security Scanning:** With the help of [Codacy Static Code Analysis](https://www.codacy.com/) and [Codacy Security Scan](https://security.codacy.com/), we conduct thorough analyses and scans of our code for potential security risks. |
| 13 | + |
| 14 | +## Reporting Security Vulnerabilities |
| 15 | + |
| 16 | +Despite our best efforts to deliver secure software, we acknowledge the invaluable role of the community in identifying security breaches. |
| 17 | + |
| 18 | +### Private Vulnerability Disclosures |
| 19 | + |
| 20 | +We request all suspected vulnerabilities to be responsibly and privately disclosed by sending an email to [support@tj-actions.online](mailto:support@tj-actions.online). |
| 21 | + |
| 22 | +### Public Vulnerability Disclosures |
| 23 | + |
| 24 | +For publicly disclosed security vulnerabilities, please **IMMEDIATELY** email [support@tj-actions.online](mailto:support@tj-actions.online) with the details for prompt action. |
| 25 | + |
| 26 | +Upon confirmation of a breach, reporters will receive full credit and recognition for their contribution. Please note, that we do not offer monetary compensation for reporting vulnerabilities. |
| 27 | + |
| 28 | +## Communication of Security Breaches |
| 29 | + |
| 30 | +We will utilize the [GitHub Security Advisory](https://github.com/tj-actions/changed-files/security/advisories) to communicate any security breaches. The advisory will be made public once a patch has been released to rectify the issue. |
| 31 | + |
| 32 | +We appreciate your cooperation and contribution to maintaining the security of our software. Remember, a secure community is a strong community. |
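Review bot: The policy conflates "breach" with "vulnerability" in the added lines 16, 26 and 28 ("identifying security breaches", "Upon confirmation of a breach", "Communication of Security Breaches"); a reported finding in the action's code is a vulnerability, while a breach is an incident in which it was actually exploited, so the advisory section reads as if it only covers incidents. Suggest "Upon confirmation of a vulnerability" and "Communication of Security Vulnerabilities". The reporting section also gives reporters no expectation of an acknowledgement window or of when public disclosure is acceptable, and line 20 offers plain email as the only private channel; since line 30 already relies on GitHub Security Advisories, consider adding GitHub's private vulnerability reporting as a second channel and a sentence on expected response time. Minor: line 26, "Please note, that we do not" should drop the comma.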