jesus/Vapora
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Vapora/SECURITY.md
Jesús Pérez ac3f93fe1d fix: Pre-commit configuration and TOML syntax corrections 
**Problems Fixed:**
- TOML syntax errors in workspace.toml (inline tables spanning multiple lines)
- TOML syntax errors in vapora.toml (invalid variable substitution syntax)
- YAML multi-document handling (kubernetes and provisioning files)
- Markdown linting issues (disabled temporarily pending review)
- Rust formatting with nightly toolchain

**Changes Made:**
1. Fixed provisioning/vapora-wrksp/workspace.toml:
   - Converted inline tables to proper nested sections
   - Lines 21-39: [storage.surrealdb], [storage.redis], [storage.nats]

2. Fixed config/vapora.toml:
   - Replaced shell-style ${VAR:-default} syntax with literal values
   - All environment-based config marked with comments for runtime override

3. Updated .pre-commit-config.yaml:
   - Added kubernetes/ and provisioning/ to check-yaml exclusions
   - Disabled markdownlint hook pending markdown file cleanup
   - Keep: rust-fmt, clippy, toml check, yaml check, end-of-file, trailing-whitespace

**All Passing Hooks:**
 Rust formatting (cargo +nightly fmt)
 Rust linting (cargo clippy)
 TOML validation
 YAML validation (with multi-document support)
 End-of-file formatting
 Trailing whitespace removal
2026-01-11 21:46:08 +00:00

99 lines
2.6 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
This project provides security updates for the following versions:
| Version | Supported |
|---------|-----------|
| 1.x | ✅ Yes |
| 0.x | ❌ No |
Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.
## Reporting a Vulnerability
**Do not open public GitHub issues for security vulnerabilities.**
Instead, please report security issues to the maintainers privately:
### Reporting Process
1. Email security details to the maintainers (see project README for contact)
2. Include:
- Description of the vulnerability
- Steps to reproduce (if possible)
- Potential impact
- Suggested fix (if you have one)
3. Expect acknowledgment within 48 hours
4. We will work on a fix and coordinate disclosure timing
### Responsible Disclosure
- Allow reasonable time for a fix before public disclosure
- Work with us to understand and validate the issue
- Maintain confidentiality until the fix is released
## Security Best Practices
### For Users
- Keep dependencies up to date
- Use the latest version of this project
- Review security advisories regularly
- Report vulnerabilities responsibly
### For Contributors
- Run `cargo audit` before submitting PRs
- Use `cargo deny` to check license compliance
- Follow secure coding practices
- Don't hardcode secrets or credentials
- Validate all external inputs
## Dependency Security
We use automated tools to monitor dependencies:
- **cargo-audit**: Scans for known security vulnerabilities
- **cargo-deny**: Checks licenses and bans unsafe dependencies
These run in CI on every push and PR.
## Code Review
All code changes go through review before merging:
- At least one maintainer review required
- Security implications considered
- Tests required for all changes
- CI checks must pass
## Known Vulnerabilities
We maintain transparency about known issues:
- Documented in GitHub security advisories
- Announced in release notes
- Tracked in issues with `security` label
## Security Contact
For security inquiries, please contact:
- Email: [project maintainers]
- Issue: Open a private security advisory on GitHub
## Changelog
Security fixes are highlighted in CHANGELOG.md with [SECURITY] prefix.
## Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE: Common Weakness Enumeration](https://cwe.mitre.org/)
- [Rust Security](https://www.rust-lang.org/governance/security-disclosures)
- [npm Security](https://docs.npmjs.com/about-npm/security)
## Questions?
If you have security questions (not vulnerabilities), open a discussion or issue with the `security` label.
Reference in New Issue View Git Blame Copy Permalink