Skip to content

Security

hieuck edited this page Jul 5, 2026 · 1 revision

Security

Active security controls

  • Authentication: JWT access/refresh tokens, bcrypt password hashing.
  • API keys: HMAC-SHA256 with per-key salts.
  • CORS: Restricted origin configuration.
  • Headers: Security headers via NestJS helmet.
  • Static analysis: CodeQL default setup (JavaScript/TypeScript, Actions, Python).
  • Container scanning: Trivy SARIF upload (detect-only for upstream base-image CVEs).
  • Secret scanning: GitHub secret scanning + custom scripts/audit-secrets.js.
  • ASVS checklist: docs/security/asvs-checklist.md.
  • Threat model: docs/security/threat-model.md.

Reporting vulnerabilities

Do not open public issues for security bugs. Use the repository's private vulnerability reporting or contact the maintainers directly.

See docs/security/ for the full security baseline.

Clone this wiki locally