Vapora/SECURITY.md
Jesús Pérez ac3f93fe1d fix: Pre-commit configuration and TOML syntax corrections
**Problems Fixed:**
- TOML syntax errors in workspace.toml (inline tables spanning multiple lines)
- TOML syntax errors in vapora.toml (invalid variable substitution syntax)
- YAML multi-document handling (kubernetes and provisioning files)
- Markdown linting issues (disabled temporarily pending review)
- Rust formatting with nightly toolchain

**Changes Made:**
1. Fixed provisioning/vapora-wrksp/workspace.toml:
   - Converted inline tables to proper nested sections
   - Lines 21-39: [storage.surrealdb], [storage.redis], [storage.nats]

2. Fixed config/vapora.toml:
   - Replaced shell-style ${VAR:-default} syntax with literal values
   - All environment-based config marked with comments for runtime override

3. Updated .pre-commit-config.yaml:
   - Added kubernetes/ and provisioning/ to check-yaml exclusions
   - Disabled markdownlint hook pending markdown file cleanup
   - Keep: rust-fmt, clippy, toml check, yaml check, end-of-file, trailing-whitespace

**All Passing Hooks:**
Rust formatting (cargo +nightly fmt)
Rust linting (cargo clippy)
TOML validation
YAML validation (with multi-document support)
End-of-file formatting
Trailing whitespace removal
2026-01-11 21:46:08 +00:00

2.6 KiB

Security Policy

Supported Versions

This project provides security updates for the following versions:

Version   Supported
1.x       Yes
0.x       No

Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.

Reporting a Vulnerability

Do not open public GitHub issues for security vulnerabilities.

Instead, please report security issues to the maintainers privately:

Reporting Process

  1. Email security details to the maintainers (see project README for contact)

  2. Include:

    • Description of the vulnerability
    • Steps to reproduce (if possible)
    • Potential impact
    • Suggested fix (if you have one)

  3. Expect acknowledgment within 48 hours

  4. We will work on a fix and coordinate disclosure timing

Responsible Disclosure

  • Allow reasonable time for a fix before public disclosure
  • Work with us to understand and validate the issue
  • Maintain confidentiality until the fix is released

Security Best Practices

For Users

  • Keep dependencies up to date
  • Use the latest version of this project
  • Review security advisories regularly
  • Report vulnerabilities responsibly

For Contributors

  • Run cargo audit before submitting PRs
  • Use cargo deny to check license compliance
  • Follow secure coding practices
  • Don't hardcode secrets or credentials
  • Validate all external inputs

Dependency Security

We use automated tools to monitor dependencies:

  • cargo-audit: Scans for known security vulnerabilities
  • cargo-deny: Checks licenses and bans unsafe dependencies

These run in CI on every push and PR.

Code Review

All code changes go through review before merging:

  • At least one maintainer review required
  • Security implications considered
  • Tests required for all changes
  • CI checks must pass

Known Vulnerabilities

We maintain transparency about known issues:

  • Documented in GitHub security advisories
  • Announced in release notes
  • Tracked in issues with security label

Security Contact

For security inquiries, please contact:

  • Email: [project maintainers]
  • Issue: Open a private security advisory on GitHub

Changelog

Security fixes are highlighted in CHANGELOG.md with the [SECURITY] prefix.

Resources

Questions?

If you have security questions (not vulnerabilities), open a discussion or issue with the security label.