This project employs a three-tier security scanning approach in CI/CD (the three tiers correspond to the security dependencies listed below: pip-audit, safety and bandit):
- pip-audit (tier 1):
  - Status: Fails CI on any known vulnerabilities
  - Purpose: Critical supply chain security - prevents merging code with known CVEs in dependencies
  - Rationale: Known vulnerabilities in dependencies are objective security issues that must be addressed
- safety (tier 2):
  - Status: Reports issues but does not fail CI
  - Purpose: Additional vulnerability database cross-reference
  - Rationale: May have false positives or flag issues that require triage; provides defense-in-depth
- bandit (tier 3):
  - Status: Reports issues but does not fail CI
  - Purpose: Static security analysis for common code security issues
  - Rationale: Requires triage for false positives (e.g., B101 flags `assert` usage even in contexts where it is appropriate)
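One way to wire the three tiers into a GitHub Actions workflow, added here as an illustration rather than taken from this repository's own CI configuration; the workflow name, Python version and installation steps are assumptions. Only the pip-audit step can fail the job; the other two run with `continue-on-error` so their findings appear in the log without blocking the merge.

```yaml
# Added example: three-tier scanning job (not this repository's actual workflow).
name: security-scans
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; use the project's supported version

      - name: Install project and scanners
        run: |
          python -m pip install --upgrade pip
          pip install -e .
          # Pin these to exact versions in a requirements file in practice,
          # per the "Pin dependencies" guideline below.
          pip install pip-audit safety bandit

      # Tier 1 (blocking): pip-audit exits non-zero on any known vulnerability,
      # which fails this step and therefore the job. --skip-editable excludes
      # the editable install of the project itself so only dependencies are audited.
      - name: pip-audit (blocking)
        run: pip-audit --skip-editable

      # Tier 2 (advisory): findings are reported in the log but do not fail CI.
      - name: safety (advisory)
        continue-on-error: true
        run: safety check --full-report

      # Tier 3 (advisory): static analysis, medium severity and above (-ll),
      # triaged manually for false positives such as B101.
      - name: bandit (advisory)
        continue-on-error: true
        run: bandit -r . -ll
```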
If you discover a security vulnerability in this project, please report it as follows:
- Do NOT open a public issue - this could put users at risk
- Open a GitHub Security Advisory in this repository, or contact the maintainers directly
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)
- Security dependencies (pip-audit, safety, bandit): Reviewed quarterly
- Runtime dependencies: Reviewed when security advisories are published
- Critical CVEs: Addressed within 48 hours of disclosure
- Critical vulnerabilities (CVSS 9.0-10.0): Patch within 48 hours
- High severity (CVSS 7.0-8.9): Patch within 1 week
- Medium severity (CVSS 4.0-6.9): Patch within 2 weeks
- Low severity (CVSS 0.1-3.9): Addressed in next regular release
When contributing to this project:
- Never commit secrets - Use environment variables or secret management
- Use explicit error handling - Avoid assertions in production code (use explicit checks)
- Pin dependencies - All dependencies should specify exact versions for reproducibility
- Run security scans locally before pushing:
```bash
pip-audit --skip-editable
safety check --full-report
bandit -r . -ll
```
| Version | Supported |
|---|---|
| main | ✅ |
| < main | ❌ |
We currently only support the latest version from the main branch.