- Supported Versions
- Reporting a Vulnerability
- Security Best Practices for Users
- Security Features
- Known Security Considerations
- Incident Response
- Security Contact
- Acknowledgments
This project follows a rolling release model. We provide security updates for:
| Version | Supported |
|---|---|
| main | Always supported |
| Latest release tags | Supported |
| Older releases | Not supported |
If you discover a security issue, please follow these steps:
Do NOT create a public issue for security vulnerabilities.
Instead, please report security issues privately using one of these methods:
- GitHub Security Advisories (preferred)
  - Go to the Security tab
  - Click "Report a vulnerability"
  - Fill out the form with details
- Email
  - Send details to: chris@codfish.dev
  - Include "SECURITY" in the subject line
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up
We aim to respond to security reports within:
- Initial response: 24-48 hours
- Confirmation/triage: 2-5 business days
- Resolution: Varies based on complexity
When using these GitHub Actions in your workflows:
- Never log secrets in workflows that use these actions
- Use GitHub Secrets for sensitive information
- Limit secret scope to only necessary workflows
- Rotate secrets regularly
```yaml
# Good - Using secrets properly
- uses: codfish/actions/npm-pr-version@v2
  with:
    npm-token: ${{ secrets.NPM_TOKEN }}
    github-token: ${{ secrets.GITHUB_TOKEN }}

# Bad - Exposing secrets
- name: Debug
  run: echo "Token: ${{ secrets.NPM_TOKEN }}"
```

- Pin to specific versions or commit hashes for production workflows
- Avoid using `@main` in production (use for testing only)

```yaml
# Good - Pinned version
- uses: codfish/actions/setup-node-and-install@v2.2.3

# Caution - Latest main (testing only)
- uses: codfish/actions/setup-node-and-install@main
```

- Use the minimal permissions required
- Specify explicit permissions when possible
- Avoid using `write-all` permissions

```yaml
# Good - Minimal permissions
permissions:
  contents: read
  issues: write
  pull-requests: write

# Bad - Excessive permissions
permissions: write-all
```

- Validate user inputs before using them in actions
- Sanitize outputs when displaying them
- Be cautious with dynamic expressions
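As an added illustration of the last three points (an example workflow written for this policy page, not code from the codfish/actions repository): an event-controlled field such as an issue title that is interpolated directly into `run` becomes part of the shell script text, whereas passing it through an environment variable keeps it as data that can then be validated. The workflow and step names are made up.

```yaml
name: issue-triage   # constructed example, not from the codfish/actions repository

on:
  issues:
    types: [opened]

# Explicit, minimal permissions rather than write-all
permissions:
  contents: read
  issues: write

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # Bad - the issue title is controlled by whoever opened the issue and is
      # expanded into the script text before the shell runs it, so quotes or
      # shell metacharacters in the title change what this step executes.
      - name: Log title (unsafe dynamic expression)
        run: echo "New issue: ${{ github.event.issue.title }}"

      # Good - the same value is handed to the step as an environment variable;
      # the shell expands $TITLE at runtime and treats its contents purely as data.
      - name: Log title (safe)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"

      # Good - validate before use: only continue when the title matches a
      # strict allow-list pattern, and fail the step otherwise.
      - name: Validate title format
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          if ! printf '%s\n' "$TITLE" | grep -Eq '^[A-Za-z0-9 ._:-]{1,100}$'; then
            echo "Issue title contains unexpected characters; skipping automation"
            exit 1
          fi
```

The same env-variable indirection applies to any `github.event.*` field (pull request titles, branch names, comment bodies) that is used inside `run`.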
This project implements several security measures:
- Dependabot for dependency updates
- CodeQL for static analysis
- Dependency Review for PR security checks
- Secret scanning with TruffleHog
- npm audit for vulnerability detection
- Input validation in all actions
- Error handling without information disclosure
- No secret logging in any action
- Least privilege principle in action permissions
- Minimal dependencies to reduce attack surface
- Regular dependency updates via Dependabot
- Verified action references in workflows
- Actions run in GitHub's infrastructure - we cannot control the runner environment
- Secrets are available to all steps in a job that has access
- Workflow logs are visible to users with read access to the repository
- NPM tokens have broad permissions - ensure tokens are scoped appropriately
- Published packages are public by default - review package contents
- Version immutability - published versions cannot be unpublished
- GitHub tokens can comment on behalf of the workflow user
- Comment content is public - avoid including sensitive information
- Rate limiting applies - excessive commenting may be throttled
In case of a confirmed security vulnerability:
- Assessment - Evaluate severity and impact
- Mitigation - Develop and test fixes
- Disclosure - Coordinate with reporter on disclosure timeline
- Release - Deploy security fixes
- Communication - Notify users through appropriate channels
- Primary: security@codfish.dev
- GitHub: @codfish
We appreciate security researchers and users who responsibly disclose vulnerabilities. Contributors who report valid security issues will be acknowledged (with permission) in:
- Security advisories
- Release notes
- This security policy
Thank you for helping keep this project secure!