Merge branch 'feature/github-security-setup' into 'main'

NikolayS · NikolayS · commit b37ad5dba0c9 · 2026-03-06T11:25:06.000-08:00
ci: add SECURITY.md, CodeQL analysis, and Dependabot for GitHub

See merge request postgres-ai/postgresai!225
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+# NOTE: This repo is mirrored to GitHub where Dependabot runs automatically.
+# Dependabot creates PRs on GitHub, which are then synced back to GitLab.
+#
+# Documentation: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/reporter"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/monitoring_flask_backend"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "npm"
+    directory: "/cli"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,40 @@
+# NOTE: This repo is mirrored to GitHub where this workflow runs automatically.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '40 17 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['python', 'javascript']
+        # CodeQL supports: 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security guidelines
+
+## Reporting vulnerabilities
+
+If you discover a security vulnerability in this project, please report it to **security@postgres.ai**. All reports are thoroughly investigated by the project maintainers.
+
+### When should I report a vulnerability?
+
+- You think you have discovered a potential security vulnerability in this project or related components.
+- You are unsure how a vulnerability affects this project.
+- You think you discovered a vulnerability in another project that this project depends on.
+- You want to report any other security risk that could potentially harm users.
+
+### When should I NOT report a vulnerability?
+
+- Your issue is not security related.
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by the project maintainers and the security team within 3 working days.
+
+The reporter will be kept updated at every stage of the issue's analysis and resolution (triage → fix → release).
+
+## Public Disclosure Timing
+
+A public disclosure date is negotiated by the maintainers (security@postgres.ai) and the bug submitter. We prefer to fully disclose the bug as soon as possible once user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the timeframe between a report and public disclosure to typically be in the order of 7 days.
