Skip to content

Commit 701e634

Browse files
committed
feat: add security policy document and implement GitHub workflows for CodeQL analysis and Dependabot updates
1 parent 1f31eed commit 701e634

4 files changed

Lines changed: 107 additions & 1 deletion

File tree

.github/dependabot.yml

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
version: 2
2+
updates:
3+
# Keep GitHub Actions pinned to SHA and up to date
4+
- package-ecosystem: "github-actions"
5+
directory: "/"
6+
schedule:
7+
interval: "weekly"
8+
day: "monday"
9+
labels:
10+
- "dependencies"
11+
- "github-actions"
12+
13+
# Keep npm/pnpm dependencies up to date
14+
- package-ecosystem: "npm"
15+
directory: "/"
16+
schedule:
17+
interval: "weekly"
18+
day: "monday"
19+
labels:
20+
- "dependencies"
21+
groups:
22+
react:
23+
patterns:
24+
- "react"
25+
- "react-dom"
26+
- "@types/react*"
27+
tailwind:
28+
patterns:
29+
- "tailwindcss"
30+
- "@tailwindcss/*"
31+
pdf:
32+
patterns:
33+
- "pdf-lib"
34+
- "pdfjs-dist"
35+
- "@pdf-lib/*"

.github/workflows/codeql.yml

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
name: CodeQL SAST
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
schedule:
9+
# Run every Monday at 09:00 UTC
10+
- cron: "0 9 * * 1"
11+
workflow_dispatch:
12+
13+
permissions:
14+
contents: read
15+
16+
jobs:
17+
analyze:
18+
name: Analyze (javascript-typescript)
19+
runs-on: ubuntu-latest
20+
permissions:
21+
contents: read
22+
security-events: write
23+
actions: read
24+
25+
steps:
26+
- name: Checkout
27+
uses: actions/checkout@v4
28+
29+
- name: Initialize CodeQL
30+
uses: github/codeql-action/init@v3
31+
with:
32+
languages: javascript-typescript
33+
queries: security-and-quality
34+
35+
- name: Autobuild
36+
uses: github/codeql-action/autobuild@v3
37+
38+
- name: Perform CodeQL Analysis
39+
uses: github/codeql-action/analyze@v3
40+
with:
41+
category: codeql-javascript

.github/workflows/deploy.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ jobs:
3737
VITE_APP_BASE_PATH: /
3838

3939
# - name: Test
40-
# run: vp run test
40+
# run: vp test
4141

4242
- name: Setup Pages
4343
if: github.event_name == 'push' && github.ref == 'refs/heads/main'

SECURITY.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
| Version | Supported |
6+
| ------- | --------- |
7+
| latest ||
8+
9+
## Reporting a Vulnerability
10+
11+
If you discover a security vulnerability in BytePDF, please **do not** open a public GitHub issue.
12+
13+
Instead, report it privately via [GitHub Security Advisories](https://github.com/sumitsahoo/bytepdf/security/advisories/new).
14+
15+
You can expect:
16+
17+
- **Acknowledgement** within 48 hours
18+
- **Status update** within 7 days
19+
- Credit in the advisory once the fix is released (if desired)
20+
21+
## Security Model
22+
23+
BytePDF is a **client-side only** application — all PDF processing happens in your browser. No files or data are transmitted to any server. The attack surface is limited to:
24+
25+
- Third-party npm dependencies (monitored via `pnpm audit` in CI and Dependabot)
26+
- Browser sandbox escape (out of scope — report to the browser vendor)
27+
28+
## Dependency Vulnerabilities
29+
30+
Known dependency vulnerabilities are tracked automatically via GitHub Dependabot and the weekly security audit workflow. If you spot one that has not been addressed, please follow the disclosure process above.

0 commit comments

Comments
 (0)