Please report security vulnerabilities through GitHub Security Advisories — do NOT open public issues for security bugs.
Include:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested mitigations (optional)
| Stage | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Status update | Weekly until resolved |
| Credit | In the security advisory (if desired) |
| Version | Supported |
|---|---|
main |
✅ |
Older tagged releases receive security fixes on a best-effort basis.
This repository implements the following security measures:
| Control | Tool |
|---|---|
| Dependency vulnerability scanning | Trivy (CRITICAL/HIGH on PRs) |
| Dependency updates | Dependabot (weekly, all ecosystems) |
| Python SAST | Bandit (HIGH severity blocks PRs) |
| Code analysis | CodeQL (security-extended queries) |
| Dockerfile lint | Hadolint |
| Secret detection | Pre-commit hooks |
| Supply chain | OpenSSF Scorecard (weekly), SHA-pinned actions |
| License compliance | Dependency Review Action (GPL/AGPL blocked) |
Changes to the following require extra scrutiny:
src/server.py— gRPC ext-proc server handling all trafficplugins/— Plugin interface and example implementations.github/workflows/— CI/CD pipelineDockerfile— Container image
We follow coordinated disclosure. Once a fix is available:
- A security advisory is published on GitHub
- A new release tag is pushed
- The advisory is made public (typically 7 days after the fix is released)