From 92be07c0628b914c83ec04de47639c50854d25a6 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Wed, 24 Apr 2024 14:30:52 -0400 Subject: [PATCH] add security files --- .github/CODEOWNERS | 1 - .github/workflows/security-considerations.yml | 12 ++++++++++++ SECURITY.md | 17 +++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) delete mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/security-considerations.yml create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS deleted file mode 100644 index 9e3cec0..0000000 --- a/.github/CODEOWNERS +++ /dev/null @@ -1 +0,0 @@ -* @aoldershaw diff --git a/.github/workflows/security-considerations.yml b/.github/workflows/security-considerations.yml new file mode 100644 index 0000000..daf10f9 --- /dev/null +++ b/.github/workflows/security-considerations.yml @@ -0,0 +1,12 @@ +name: Security Considerations + +on: + pull_request: + types: [opened, edited, reopened] + branches: [main, master, develop] + +jobs: + security-considerations: + runs-on: ubuntu-latest + steps: + - uses: cloud-gov/security-considerations-action@main diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ec80b3e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,17 @@ +**Reporting Security Issues** + +Please refrain from reporting security vulnerabilities through public GitHub issues. + +Instead, kindly report them via the information provided in [cloud.gov's security.txt](https://cloud.gov/.well-known/security.txt). + +When reporting, include the following details (as much as possible) to help us understand the nature and extent of the potential issue: + +- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of related source file(s) +- Location of affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if available) +- Impact of the issue, including potential exploitation by attackers + +Providing this information will facilitate a quicker triage of your report.
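Review bot: The `.github/CODEOWNERS` hunk deletes the only ownership rule (`* @aoldershaw`) without a replacement, so pull requests will no longer get an automatic reviewer request and branch protection rules that require code-owner review will have nothing to enforce. If the intent is to drop the individual owner, replace the line with a team (for example `* @<org>/<team>`) instead of deleting the file, and mention the removal in the commit message, which currently only says "add security files".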
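Review bot: In `.github/workflows/security-considerations.yml`, `- uses: cloud-gov/security-considerations-action@main` references a mutable branch, so whatever is pushed to `main` in that repository runs in this repository's pull-request workflow without review here. Pin the action to a full-length commit SHA (with the tag or version as a trailing comment) and let Dependabot or a similar updater propose bumps. The job also declares no `permissions:` block, so it inherits the repository default `GITHUB_TOKEN` scope; add a top-level or job-level `permissions:` limited to what the action actually needs, for example `contents: read` plus `pull-requests: read` if it only inspects the PR body.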
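Review bot: `SECURITY.md` points reporters to cloud.gov's `security.txt` but does not say what a reporter should expect afterwards: no acknowledgement timeframe, no statement of whether coordinated disclosure is followed, and no indication of which versions or branches are in scope. A short "What to expect" paragraph after "Providing this information will facilitate a quicker triage of your report." covering acknowledgement time and disclosure expectations would complete the policy; if those are defined in the linked `security.txt` or a cloud.gov policy page, link to it explicitly here.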