You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: SECURITY.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -66,6 +66,7 @@ This repository contains VS Code extensions with the following security measures
66
66
-**Daily Vulnerability Scans**: `npm audit` runs daily via scheduled workflow
67
67
-**Fork Protection**: Sensitive workflows skip on fork repositories
68
68
-**SAST (Snyk Code)**: [Snyk](https://snyk.io/) runs static analysis; test fixtures are excluded via `.snyk` policy
69
+
-**License & Vulnerability Scanning**: [FOSSA](https://app.fossa.com/) runs license compliance, dependency quality, and security analysis on every commit (GitHub App integration)
69
70
-**Runtime Security Monitoring**: [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner) monitors all workflow runs for suspicious network egress, file access, and process execution
70
71
71
72
## Security Testing
@@ -94,6 +95,7 @@ This section documents all secrets used in CI/CD workflows.
94
95
| VSCE_PAT | VS Code Marketplace publishing | publish.yml, unpublish.yml | Annual | High |
95
96
| OVSX_PAT | Open VSX publishing | publish.yml, unpublish.yml | Annual | High |
96
97
| SONAR_TOKEN | SonarCloud code analysis | sonarcloud.yml | As needed | Medium |
98
+
| FOSSA_API_KEY | FOSSA license/vulnerability scanning | (API access only) | As needed | Medium |
0 commit comments