
Commit 628a681

Add security policy and dependency review workflow
Adds a SECURITY.md pointing reporters to private vulnerability reporting and a dependency-review workflow that fails PRs introducing high-severity vulnerable dependencies.
1 parent a27cbff commit 628a681

2 files changed

Lines changed: 56 additions & 0 deletions

File tree

.github/SECURITY.md

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
# Security Policy
2+
3+
## Supported versions
4+
5+
Security fixes are provided for the most recently released version of
6+
Neovolve.Configuration.DependencyInjection published on
7+
[NuGet](https://www.nuget.org/packages/Neovolve.Configuration.DependencyInjection).
8+
Please upgrade to the latest release before reporting a vulnerability.
9+
10+
## Reporting a vulnerability
11+
12+
Please do **not** report security vulnerabilities through public GitHub issues,
13+
discussions, or pull requests.
14+
15+
Instead, report them privately using GitHub's
16+
[private vulnerability reporting](https://github.com/roryprimrose/Neovolve.Configuration.DependencyInjection/security/advisories/new).
17+
This opens a confidential advisory that only the maintainers can see.
18+
19+
When reporting, please include as much of the following as you can:
20+
21+
- The affected version(s) and target framework.
22+
- A description of the vulnerability and its impact.
23+
- Steps to reproduce, ideally a minimal reproducer or failing test.
24+
- Any known workarounds.
25+
26+
## What to expect
27+
28+
This is a community-maintained open source project without a dedicated 24/7
29+
response team, so please allow a reasonable amount of time for an initial
30+
response. We will acknowledge your report, work with you to understand and
31+
validate the issue, and coordinate the disclosure timeline with you once a fix
32+
is available.
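Review bot: the private-reporting link at line 16 only works if private vulnerability reporting is switched on for this repository (Settings > Code security and analysis); if it is not, an external reporter following the link gets a 404 and the policy offers no fallback. Enable it in the same change, and add a secondary contact (a maintainer email address) for reporters who cannot use GitHub. In "What to expect", "a reasonable amount of time" at lines 29-30 gives reporters nothing to hold you to; a concrete acknowledgement target, e.g. "we aim to acknowledge reports within 7 days", is still honest for a volunteer project and lets reporters know when to follow up. Minor: "Supported versions" at lines 5-8 would be clearer as the version/supported table used in GitHub's SECURITY.md template rather than prose.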
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
name: Dependency Review
2+
3+
# Reviews dependency changes on pull requests and fails the build if a pull
4+
# request introduces a dependency with a known vulnerability. Requires the
5+
# repository's Dependency Graph to be enabled (on by default for public repos).
6+
on:
7+
pull_request:
8+
branches:
9+
- '**'
10+
11+
permissions:
12+
contents: read
13+
14+
jobs:
15+
dependency-review:
16+
runs-on: ubuntu-latest
17+
steps:
18+
- name: Checkout
19+
uses: actions/checkout@v7
20+
21+
- name: Dependency Review
22+
uses: actions/dependency-review-action@v4
23+
with:
24+
fail-on-severity: high
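Review bot: `actions/checkout@v7` and `actions/dependency-review-action@v4` at lines 19 and 22 are pinned to mutable tags; for a workflow whose whole purpose is supply-chain hygiene, pin both to a full commit SHA with the tag kept in a trailing comment (e.g. `uses: actions/checkout@<sha> # v7`) so a moved or compromised tag cannot change what runs on every PR. The `branches: - '**'` filter at lines 8-9 is redundant, since a bare `pull_request:` trigger already fires for every target branch, and can be dropped. The header comment at lines 3-4 says the job fails on "a dependency with a known vulnerability", but `fail-on-severity: high` at line 24 only fails on high and critical advisories; either align the comment with the commit message ("high-severity") or lower the threshold. Consider adding `comment-summary-in-pr: always` under `with:` (which requires `pull-requests: write` in the `permissions` block) so reviewers see the full findings, including the moderate and low advisories that do not fail the check, on the PR itself.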
