Security policy

Reporting a vulnerability

If you discover a security vulnerability in r⁵py, please report it privately to the maintainers to allow for a coordinated fix.

Please provide as much detail as possible, including steps to reproduce the issue and any relevant logs or screenshots.

Security practices

We adhere to the following security measures to ensure the safety and integrity of the r⁵py project:

Dependency management

  • Utilise GitHub’s Dependabot to monitor and update dependencies with known vulnerabilities.

  • Regularly audit dependencies for security issues.

Code quality and review

  • Enforce code formatting standards using tools like black and flake8.

  • Require code reviews for all pull requests to ensure adherence to security and quality standards.

Sensitive data handling

  • Prohibit the inclusion of sensitive information (e.g., passwords, API keys) in the codebase.

  • Implement checks to detect and prevent accidental commits of sensitive data.

Access control

  • Apply the principle of least privilege for repository access.

  • Require two-factor authentication (2FA) for all contributors with write access.

Continuous integration and deployment

  • Use GitHub Actions with restricted permissions to automate testing and deployment.

  • Ensure that CI/CD pipelines do not expose sensitive information.

Contributor responsibilities

All contributors are expected to follow the contribution guidelines and adhere to security best practices, including:

  • Regularly updating local development environments to incorporate the latest security patches.

  • Reviewing and testing code changes for potential security issues before submission.

  • Promptly addressing any security concerns raised during code reviews.

Contact

For any security-related inquiries or concerns, please contact the maintainers.
This security policy is intended to evolve over time. We welcome feedback and suggestions to improve our security practices.