| Version | Supported |
|---|---|
| 0.26.x | ✅ |
Sruja uses automated security scanning in CI:
- npm audit: Dependency vulnerability scanning
- Runs on: Push, PR, weekly schedule
- Location:
.github/workflows/security.yml
- Elliptic (6 low) – Transitive via
vite-plugin-node-polyfills→node-stdlib-browser→crypto-browserify. We overrideellipticto 6.6.1 (patched) in rootpackage.json, so the installed version is safe. npm audit still reports the chain by declaration. - ESLint <9.26.0 (3 moderate) – In unimported (dev-only, optional:
check:unused:files). Unimported pins an older@typescript-eslint/parserthat depends on eslint 8. No upstream fix without replacing unimported; impact is limited to dev tooling (stack overflow when serializing circular refs). Acceptable for optional dev dependency.
- Dependency Review Action: Reviews dependency changes in PRs
- Runs on: Pull requests only
- Blocks PRs with moderate+ severity vulnerabilities
- TruffleHog: Scans for accidentally committed secrets
- Runs on: Push, PR
- Prevents secrets from being committed
If you discover a security vulnerability, please DO NOT open a public issue.
Instead, please email security@sruja.ai with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and work with you to resolve the issue.
- Never commit secrets: API keys, passwords, tokens, etc.
- Validate inputs: Validate CLI arguments (Clap) and DSL inputs (parser + validator). Treat all user-provided strings as untrusted.
- Sanitize file paths: Resolve and validate paths before reading/writing; avoid path traversal by constraining reads/writes to the workspace root.
- Keep dependencies updated: Run
npm auditandcargo updateregularly - Review security reports: Check CI security scan results
- Keep Sruja updated: Use the latest version
- Review generated code: Always review code generated from untrusted sources
- Validate inputs: Validate all user inputs before processing
- Use HTTPS: Always use HTTPS for network requests
- DSL parsing and validation is centralized in Rust (parser + validator), producing structured diagnostics without leaking sensitive data.
- VS Code extension operations should validate user/workspace inputs (paths, URIs, JSON) before invoking the CLI or WASM.
Sruja is local-first and does not transmit repository contents to external services unless you explicitly configure enrichment (e.g. --enrich-cmd or OpenAI-compatible settings).
See PRIVACY_AND_RETENTION.md for details on emitted data and retention guidance.
- Structured error types that don't leak sensitive information
- Error sanitization in logging
- No stack traces in production error messages
- Minimal external dependencies
- Regular security audits
- Pinned dependency versions
- WASM modules are executed in isolated environments
- No direct file system access from WASM
- All I/O is mediated through adapters
- LSP server runs locally (not exposed to network)
- No remote code execution
- File access limited to workspace
- The project does not rely on browser storage for core security guarantees.
All release tags are GPG signed for authenticity verification.
# Download and import the public key
curl -s https://raw.githubusercontent.com/sruja-ai/sruja/main/.github/gpg-public-key.asc | gpg --import
# Or import from the repository
gpg --import .github/gpg-public-key.asc# Verify a specific tag
git tag -v v1.2.3
# List all tags with verification
git tag -vThe public key is also available at: .github/gpg-public-key.asc
Key Details:
- Name: Sruja Bot (Runs Sruja Workflows)
- Email: bot@sruja.ai
- Purpose: Signs all release tags created by CI/CD workflows
Security updates will be:
- Released as patch versions (0.26.x)
- Documented in CHANGELOG.md
- Announced via GitHub security advisories
- GPG signed for verification