π We will do our best to our knowledge to provide maximum security when you're using our open-sourced projects.
If you are looking for just reporting an issue process, move quickly to reporting section.
βοΈ We are using the following SAST tools/services in our projects to maintain the security aspect:
| Tool / Service | Purpose | Usage |
|---|---|---|
| CodeQL | Analysis engine to automate security checks, and to perform variant analysis. | GitHub Actions* workflows: ci-cd*, scheduled* |
| DeepScan | Analyze JavaScript projects which targets runtime errors and quality issues. | Installed GitHub Apps* - DeepScan app |
| GitGuardian | Scan source code to detect API keys, passwords, certificates, encryption keys and other sensitive data. | Installed Github Apps* - GitGuardian app; GitHub Actions* workflows: ci-cd*, scheduled* |
| LGTM | Code analysis platform for finding zero-days and preventing critical vulnerabilities. | Installed GitHub Apps* - LGTM app |
| Snyk | Vulnerability scanner for project codebase. | Installed Github Apps* - Snyk app; GitHub Actions* workflows: ci-cd*, scheduled* |
| SonarCloud | Detects Security Vulnerabilities, Bugs & Code Smells, and provides clear remediation guidance to help fix issues in code. | Installed GitHub Apps* - SonarCloud app |
In order to ensure that our project depedencies stay up to date and are secure, we use the following tools/services:
| Tool/service | Purpose | Usage |
|---|---|---|
| Deadpendency | Automated checks on projects dependencies remain healthy over time. | Installed GitHub Apps* - Deadpendency app |
| Renovate | Automated dependencies updates in projects. | Installed GitHub Apps* - Renovate app |
It is configured with GitHub Actions workflows inside the public repositories
of our GitHub organisation - in the directory ./.github/workflows.
It is configured in ./.github/workflows/ci-cd.yml workflow file.
It runs on every push or pull request action to the main branch.
It is configured in ./.github/workflows/scheduled.yml workflow file.
It runs on the main branch, on specified period (not longer than
once a week).
The application is installed within our organisation with access to our public
repositories.
It runs on every push or pull request.
π€ We intend not to break any of your digital privacy rights on our
projects.
That means:
- no abusive tracking practices,
- no third-party trackers,
- no friggin Facebook pixel,
- no Google Analytics,
- or whatever else exists these days.
We all want to feel safe on the internet. As well as have our privacy respected.
"Let's be humans, not products".
π If you have found a security issue or have any concerns or doubts regarding
privacy rights, please get in touch with us.
There are possible options (the first one is recommended):
- Create GitHub's Security Advisory in the specific project repository
where the security issue exists (in the
Securitytab/pane). - Traditionally, via email: terminal-nerds@pm.me.
- Reach out to users with
AdministratororMaintainerrole on our Discord server.
-
ποΈ Our team should acknowledge your report within 7 days (we are a small team).
-
π΅οΈ The team will investigate and update the issue with relevant information.
- β If the team does NOT confirm the report, no further action will be taken by us. We will be sure to inform you regarding this result.
- β
If the team confirms the report, the team will take action to fix
it immediately:
- Commits will be handled in a private repository for review and testing.
- Release a new patch version from the private repository.
- Write an announcement post disclosing the vulnerability.