|
| 1 | +# Security policy |
| 2 | + |
| 3 | +Any found security issues should be reported as a [new security advisory on GitHub](https://github.com/emmercm/igir/security/advisories/new). Security advisories are private by default so that attackers cannot immediately exploit it. |
| 4 | + |
| 5 | +## Source control |
| 6 | + |
| 7 | +- **Trunk branch protection.** |
| 8 | + |
| 9 | + All code pushed to Igir's main branch must go through a pull request, which must pass CI before merging. Nobody (including the project owner) is allowed to push code directly to the main branch. |
| 10 | + |
| 11 | + This has the added benefit that every commit to the main branch is GPG or SSH-signed (is ["verified"](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)). |
| 12 | + |
| 13 | +## Dependencies |
| 14 | + |
| 15 | +- **Automatic updates.** |
| 16 | + |
| 17 | + Dependencies are kept up-to-date automatically by [Renovate](https://www.mend.io/renovate/). This includes addressing [Dependabot vulnerability alerts](https://docs.github.com/en/code-security/concepts/supply-chain-security/dependabot-alerts). |
| 18 | + |
| 19 | + Dependency updates are held back for multiple days in the case a vulnerability is discovered quickly after release. |
| 20 | + |
| 21 | +- **Pinned versions.** |
| 22 | + |
| 23 | + Dependencies have their versions pinned so that new, vulnerable versions are not immediately adopted. |
| 24 | + |
| 25 | +## CI |
| 26 | + |
| 27 | +- **Pinned GitHub Actions versions.** |
| 28 | + |
| 29 | + GitHub Actions have their version pinned to a commit hash so that Git tags cannot be silently moved to a new, malicious version. |
| 30 | + |
| 31 | +- **Security auditing.** |
| 32 | + |
| 33 | + GitHub Actions are checked with [actionlint](https://github.com/rhysd/actionlint) and [zizmor](https://github.com/zizmorcore/zizmor) for common mistakes and dangerous patterns. |
| 34 | + |
| 35 | +## Release |
| 36 | + |
| 37 | +- **Immutable GitHub releases.** |
| 38 | + |
| 39 | + All releases on GitHub have been [immutable](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases) since [v4.3.2](https://github.com/emmercm/igir/releases/tag/v4.3.2) (February 2026). That means that the published binaries cannot be modified or removed (even if they are found to be broken), and the release's Git tag cannot be moved to a different commit hash. |
| 40 | + |
| 41 | +- **npm package provenance.** |
| 42 | + |
| 43 | + All releases on npm have been published with a [provenance statement](https://docs.npmjs.com/generating-provenance-statements) since [v1.9.3](https://www.npmjs.com/package/igir/v/1.9.3#provenance) (August 2023). This provides cryptographic evidence that the package was published by a GitHub Actions workflow. |
| 44 | + |
| 45 | +- **npm publishing with OIDC.** |
| 46 | + |
| 47 | + All releases on npm require [publishing via OpenID Connect (OIDC)](https://docs.npmjs.com/trusted-publishers), which is only granted to the GitHub repository. This protects against humans (including the project owner) bypassing GitHub to publish new versions to npm. |
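Review bot: the Dependencies section leaves an ambiguity about the hold-back at line 19: "Dependency updates are held back for multiple days" reads as applying to every update, yet line 17 says Renovate also addresses Dependabot vulnerability alerts, so state whether security fixes bypass the hold-back (e.g. "Non-security dependency updates are held back for several days, in case a vulnerability is discovered shortly after release; updates that fix a known vulnerability are not delayed."). Two smaller points: line 11 credits the pull-request requirement with every main-branch commit being GPG- or SSH-signed, but that only follows for the merge/squash commits GitHub itself creates; a rebase merge, or an unsigned commit inside a PR, would not be "verified" unless the branch rule also requires signed commits, so name the rule that enforces it. Line 3 also gives reporters no expectation of what happens next; a sentence on which versions receive fixes and roughly when to expect an acknowledgement would make the policy actionable. Wording nits: "cannot immediately exploit it" → "exploit them" (line 3); "in the case a vulnerability" → "in case a vulnerability" (line 19); "have their version pinned" → "versions" (line 29).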