Skip to content

chore(docs): add SECURITY.md and textlint setup for development consistency #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 13, 2024
Merged

chore(docs): add SECURITY.md and textlint setup for development consistency #15

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4c1316b
docs: add SECURITY.md to outline security practices and best practices
virgofx Oct 12, 2024
280c883
chore: add textlint dev dependencies and package.json script for loca…
virgofx Oct 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .github/linters/.textlintrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"plugins": {},
"filters": {
"comments": true
},
"rules": {
"terminology": true
}
}
42 changes: 42 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Security Policy

**[Terraform Module Releaser](https://github.com/techpivot/terraform-module-releaser)** takes security seriously. We are
committed to protecting the integrity of your infrastructure and adhering to secure coding practices.

We regularly scan for vulnerabilities using
[CodeQL](https://github.com/techpivot/terraform-module-releaser/actions/workflows/codeql-analysis.yml). The results are
public and available for review.

## Reporting a Vulnerability

If you discover a security issue in the `Terraform Module Releaser`, please adhere to the following reporting
guidelines:

### Reporting Guidelines

**Non-Confidential Issues**: [Open an issue](https://github.com/techpivot/terraform-module-releaser/issues/new/choose)
directly on the GitHub repository with a detailed description of the vulnerability, including steps to reproduce if
possible.

**Confidential or High-Priority Issues**: Report sensitive vulnerabilities directly to our security team at
<security@techpivot.com>. We aim to respond within 24 hours.

## Best Practices

This GitHub Action runs inside a GitHub Actions runner and may have access to the source control repository. To minimize
security risks, we recommend the following practices when using this Action:

- Review the CodeQL analysis results regularly to ensure the code remains free of known vulnerabilities.
- **Pin to the latest major version** (e.g., `v1`) instead of an explicit version tag. This ensures you benefit from the
latest features, security patches, and bugfixes while maintaining backward compatibility.
- Please refer to the
[permissions in the README.md](https://github.com/techpivot/terraform-module-releaser?tab=readme-ov-file#permissions)
to ensure that the required GitHub Action permissions are set appropriately with **least privilege**.
- Regularly update to the latest version of the Action to benefit from any security fixes.
- **Audit GitHub Actions dependencies** regularly to ensure that no third-party actions have introduced vulnerabilities
or insecure behaviors.

## Resources

- [GitHub Actions Security Best Practices](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- [Terraform Module Releaser CodeQL Analysis](https://github.com/techpivot/terraform-module-releaser/actions/workflows/codeql-analysis.yml)
Loading