From 10a373dc16e2c419e7cb24ca6806a99700b07cfa Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Thu, 2 Jul 2026 23:15:33 +0300 Subject: [PATCH 1/3] feat: add org-level SECURITY.md for vulnerability reporting and SLSA posture --- SECURITY.md | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..b0612e6 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,104 @@ +# Security Policy + +**Commit Check** takes the security of our software seriously. This policy outlines our approach to vulnerability management, supported versions, and how to report security issues. + +## Supported Versions + +The following versions of Commit Check projects are currently receiving security updates: + +| Project / Component | Status | Supported Versions | +|---------------------|--------|--------------------| +| [commit-check](https://github.com/commit-check/commit-check) (CLI) | 🟢 Active | Latest minor (semver) | +| [commit-check-action](https://github.com/commit-check/commit-check-action) (GitHub Action) | 🟢 Active | Latest major version | +| commit-check-mcp (MCP Server) | 🔧 Experimental | See project README | + +> **Note:** Only the **latest** minor/patch release of each project receives security patches. +> Users are strongly encouraged to keep their dependencies up to date. + +### End-of-Life Components + +No components are currently end-of-life. EOL status will be documented here when applicable. + +## SLSA & Supply Chain Security + +Commit Check is working toward **SLSA Level 3** compliance across our build and release pipeline. + +| Requirement | Status | Details | +|-------------|--------|---------| +| Build provenance | ✅ | Verifiable attestations via GitHub Actions | +| Source integrity | ✅ | Signed tags and commits where possible | +| Isolated builds | ✅ | Ephemeral CI environments | +| Reproducible builds | 🔄 | In progress | +| SLSA badge | 🏗️ | Pending Level 3 verification | + +Security-related SLSA metadata is published with each release. See individual project repositories for the latest SLSA badge and attestation details. + +## Reporting a Vulnerability + +We encourage responsible disclosure. **Please do not report security vulnerabilities via public GitHub issues.** + +### Private Disclosure (Recommended) + +1. **Email** — Send details to **[security@commit-check.dev](mailto:security@commit-check.dev)** +2. 
**Encryption** — If the issue is sensitive, please encrypt your report using our PGP key (see below). +3. **Response** — You will receive an acknowledgment within **48 hours**, followed by a detailed assessment and remediation timeline. + +### GitHub Security Advisories + +For projects that have the feature enabled, you may also report via **GitHub Security Advisories** under the "Security" tab of the affected repository. This method provides a private channel and optionally allows you to participate in the fix. + +### What to Include + +To help us triage and fix the issue quickly, please provide: + +- **Project and version** affected +- **Description** of the vulnerability (type, impact) +- **Steps to reproduce** — minimal, self-contained example preferred +- **Proof of concept** (if available) +- **Suggested fix** (optional but appreciated) + +### What to Expect + +| Timeframe | Action | +|-----------|--------| +| ≤ 48 hours | Acknowledgment of receipt | +| 5–10 days | Initial triage and severity assessment | +| ≤ 30 days | Fix released (critical/high severity) | +| ≤ 90 days | Fix released (moderate/low severity) | + +We will keep the reporter informed throughout the process and will credit you in the security advisory (unless you prefer to remain anonymous). + +## PGP Key + +For encrypted communication: + +``` +Key ID: [TBD] +Fingerprint: [TBD] +``` + +> **Note:** A dedicated security PGP key is being provisioned. In the interim, +> plain-text email to [security@commit-check.dev](mailto:security@commit-check.dev) is preferred. + +## Security Practices + +### For Maintainers + +- All code changes go through **pull request review** with at least one approval. +- **Signed commits** are required for all repositories. +- **Branch protection** is enforced on `main` for all active repos. +- Secrets are managed via GitHub Actions secrets — never hard-coded. +- Dependency updates are reviewed via automated Dependabot / Renovate PRs. 
+ +### For Contributors + +- Follow our [CONTRIBUTING.md](CONTRIBUTING.md) guidelines. +- Do not include credentials, tokens, or secrets in code, commits, or issues. +- If you discover a potential vulnerability, follow the reporting process above. + +## Related Resources + +- [SLSA Framework](https://slsa.dev) +- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) +- [OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org) +- [commit-check documentation](https://commit-check.github.io) From e34b4aa70495f214075760b6a5039a10a6198b7a Mon Sep 17 00:00:00 2001 From: Xianpeng Shen Date: Thu, 2 Jul 2026 23:34:52 +0300 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Xianpeng Shen --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index b0612e6..e6b7988 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -39,7 +39,7 @@ We encourage responsible disclosure. **Please do not report security vulnerabili ### Private Disclosure (Recommended) -1. **Email** — Send details to **[security@commit-check.dev](mailto:security@commit-check.dev)** +1. **Email** — Send details to **[xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com)** 2. **Encryption** — If the issue is sensitive, please encrypt your report using our PGP key (see below). 3. **Response** — You will receive an acknowledgment within **48 hours**, followed by a detailed assessment and remediation timeline. @@ -78,7 +78,7 @@ Fingerprint: [TBD] ``` > **Note:** A dedicated security PGP key is being provisioned. In the interim, -> plain-text email to [security@commit-check.dev](mailto:security@commit-check.dev) is preferred. +> plain-text email to [xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com) is preferred. ## Security Practices From 7322939cd6bf8ad6974f71b7c10f97446f94a97b Mon Sep 17 00:00:00 2001 
From: shenxianpeng Date: Thu, 2 Jul 2026 23:42:56 +0300 Subject: [PATCH 3/3] =?UTF-8?q?chore:=20simplify=20SECURITY.md=20=E2=80=94?= =?UTF-8?q?=20keep=20only=20reporting=20channel=20and=20supported=20versio?= =?UTF-8?q?ns?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SECURITY.md | 103 +++++----------------------------------------------- 1 file changed, 10 insertions(+), 93 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e6b7988..dd6d108 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,104 +1,21 @@ # Security Policy -**Commit Check** takes the security of our software seriously. This policy outlines our approach to vulnerability management, supported versions, and how to report security issues. - -## Supported Versions - -The following versions of Commit Check projects are currently receiving security updates: - -| Project / Component | Status | Supported Versions | -|---------------------|--------|--------------------| -| [commit-check](https://github.com/commit-check/commit-check) (CLI) | 🟢 Active | Latest minor (semver) | -| [commit-check-action](https://github.com/commit-check/commit-check-action) (GitHub Action) | 🟢 Active | Latest major version | -| commit-check-mcp (MCP Server) | 🔧 Experimental | See project README | - -> **Note:** Only the **latest** minor/patch release of each project receives security patches. -> Users are strongly encouraged to keep their dependencies up to date. - -### End-of-Life Components - -No components are currently end-of-life. EOL status will be documented here when applicable. - -## SLSA & Supply Chain Security - -Commit Check is working toward **SLSA Level 3** compliance across our build and release pipeline. - -| Requirement | Status | Details | -|-------------|--------|---------| -| Build provenance | ✅ | Verifiable attestations via GitHub Actions | -| Source integrity | ✅ | Signed tags and commits where possible | -| Isolated builds | ✅ | Ephemeral CI environments | -| Reproducible builds | 🔄 | In progress | -| SLSA badge | 🏗️ | Pending Level 3 verification | - -Security-related SLSA metadata is published with each release. See individual project repositories for the latest SLSA badge and attestation details. +If you find a security vulnerability in any Commit Check project, please report it privately. ## Reporting a Vulnerability -We encourage responsible disclosure. **Please do not report security vulnerabilities via public GitHub issues.** - -### Private Disclosure (Recommended) - -1. 
**Email** — Send details to **[xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com)** -2. **Encryption** — If the issue is sensitive, please encrypt your report using our PGP key (see below). -3. **Response** — You will receive an acknowledgment within **48 hours**, followed by a detailed assessment and remediation timeline. - -### GitHub Security Advisories +**Do not open a public GitHub issue.** Instead, send an email to: -For projects that have the feature enabled, you may also report via **GitHub Security Advisories** under the "Security" tab of the affected repository. This method provides a private channel and optionally allows you to participate in the fix. +**[xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com)** -### What to Include +Please include: -To help us triage and fix the issue quickly, please provide: +- Which project and version is affected +- A description of the issue and its impact +- Steps to reproduce (or a proof of concept) -- **Project and version** affected -- **Description** of the vulnerability (type, impact) -- **Steps to reproduce** — minimal, self-contained example preferred -- **Proof of concept** (if available) -- **Suggested fix** (optional but appreciated) +You will receive an acknowledgment within 48 hours, followed by a plan for resolution. -### What to Expect - -| Timeframe | Action | -|-----------|--------| -| ≤ 48 hours | Acknowledgment of receipt | -| 5–10 days | Initial triage and severity assessment | -| ≤ 30 days | Fix released (critical/high severity) | -| ≤ 90 days | Fix released (moderate/low severity) | - -We will keep the reporter informed throughout the process and will credit you in the security advisory (unless you prefer to remain anonymous). - -## PGP Key - -For encrypted communication: - -``` -Key ID: [TBD] -Fingerprint: [TBD] -``` - -> **Note:** A dedicated security PGP key is being provisioned. 
In the interim, -> plain-text email to [xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com) is preferred. - -## Security Practices - -### For Maintainers - -- All code changes go through **pull request review** with at least one approval. -- **Signed commits** are required for all repositories. -- **Branch protection** is enforced on `main` for all active repos. -- Secrets are managed via GitHub Actions secrets — never hard-coded. -- Dependency updates are reviewed via automated Dependabot / Renovate PRs. - -### For Contributors - -- Follow our [CONTRIBUTING.md](CONTRIBUTING.md) guidelines. -- Do not include credentials, tokens, or secrets in code, commits, or issues. -- If you discover a potential vulnerability, follow the reporting process above. - -## Related Resources +## Supported Versions -- [SLSA Framework](https://slsa.dev) -- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) -- [OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org) -- [commit-check documentation](https://commit-check.github.io) +Only the latest release of each project receives security patches. Please keep your dependencies up to date.
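Review bot: PATCH 1/3 tells reporters in step 2 of "Private Disclosure" to encrypt sensitive reports with "our PGP key (see below)", but the `## PGP Key` block in the same hunk ships with `Key ID: [TBD]` and `Fingerprint: [TBD]`, so the instruction cannot be followed and a reporter has nothing to verify out of band. Either drop step 2 and the PGP section until a real fingerprint can be committed, or publish the key in this change. The hunk also contradicts itself on signing: the SLSA table's "Source integrity" row says `Signed tags and commits where possible`, while "For Maintainers" says `**Signed commits** are required for all repositories.`; if signing is enforced through the branch protection mentioned two lines later, say so in both places, otherwise "where possible" is the accurate wording and the maintainers bullet should match it. Finally, since the subject calls this an org-level file, confirm the relative `[CONTRIBUTING.md](CONTRIBUTING.md)` link resolves in the repository this lands in, or make it an absolute URL.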
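Review bot: In the first hunk of PATCH 2/3 (`@@ -39,7 +39,7 @@`), swapping `security@commit-check.dev` for `xianpeng.shen@gmail.com` ties the disclosure channel to one person's personal mailbox at a third-party provider: there is no role alias to hand over, no project-domain control, and the policy still says "our PGP key" as if the channel were project-owned. If the domain alias is not provisioned yet, make the "GitHub Security Advisories" channel described a few lines below the recommended path, since it stays with the repository rather than a person, and list the personal address as the fallback.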
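Review bot: In the second hunk of PATCH 2/3 (`@@ -78,7 +78,7 @@`), the interim note now reads that plain-text email to a Gmail address "is preferred" while the key above it is still `[TBD]`, so for a report the policy itself calls sensitive the only recommended channel is unencrypted mail to a personal account. Reword the note to say plain-text email is accepted, not preferred, and point reporters who need confidentiality at the repository's Security tab, which the same file already describes as a private channel.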
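Review bot: PATCH 3/3 removes the "GitHub Security Advisories" paragraph and leaves `xianpeng.shen@gmail.com` as the sole reporting channel; keep a one-sentence pointer to the affected repository's Security tab, since that is the private channel GitHub surfaces to reporters and it does not depend on one mailbox. The new "Supported Versions" sentence, `Only the latest release of each project receives security patches.`, is also vaguer than the table it replaces, which distinguished `Latest minor (semver)` for the CLI from `Latest major version` for the GitHub Action; users pinning the Action to a major version tag can no longer tell whether that tag receives fixes, so state that distinction in one line. Lastly, with the SLSA section gone, the series title `feat: add org-level SECURITY.md for vulnerability reporting and SLSA posture` no longer describes what lands; squash or retitle before merge.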