-
Notifications
You must be signed in to change notification settings - Fork 7
Security
hieuck edited this page Jul 5, 2026
·
1 revision
- Authentication: JWT access/refresh tokens, bcrypt password hashing.
- API keys: HMAC-SHA256 with per-key salts.
- CORS: Restricted origin configuration.
- Headers: Security headers via NestJS helmet.
- Static analysis: CodeQL default setup (JavaScript/TypeScript, Actions, Python).
- Container scanning: Trivy SARIF upload (detect-only for upstream base-image CVEs).
-
Secret scanning: GitHub secret scanning + custom
scripts/audit-secrets.js. -
ASVS checklist:
docs/security/asvs-checklist.md. -
Threat model:
docs/security/threat-model.md.
Do not open public issues for security bugs. Use the repository's private vulnerability reporting or contact the maintainers directly.
See docs/security/ for the full security baseline.