From f255d212edceef0adbc78558abaa22f498641bcb Mon Sep 17 00:00:00 2001 From: zho Date: Tue, 5 May 2026 04:41:35 +0800 Subject: [PATCH 1/3] added SECURITY.md --- SECURITY.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..9efc4fa --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,45 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +|---------|-----------| +| main | Yes | +| v0.1.x | Yes | + +Older branches or tags not listed above do not receive security fixes. + +## Reporting a Vulnerability + +**Please do not open a public GitHub issue for security vulnerabilities.** + +Report security issues through **[GitHub private vulnerability reporting](https://github.com/cppalliance/local-ci-test-system/security/advisories/new)** (preferred), or email **security@cppalliance.org** if you do not have a GitHub account. + +Include as much of the following as you can: + +- A description of the vulnerability and its impact +- Steps to reproduce or a proof-of-concept +- Affected version(s) or commit range +- Any proposed mitigation or fix + +You can expect an acknowledgement within **5 business days** and a resolution or status update within **90 days**. + +## Scope + +The following classes of vulnerability are **in scope**: + +| Category | Examples | +|---|---| +| Container escape | Breakout from Docker containers spawned by `localci run` | +| Token / secret exposure | CI tokens, Docker registry credentials, or `.localci.yml` secrets leaked to logs, temp files, or child processes | +| Path traversal | Workflow YAML or config paths that escape the project root | +| Dependency confusion / supply chain | Malicious images resolved by the image-scoring algorithm | +| Privilege escalation | Commands that gain unintended host-level access via Docker socket | + +Issues with the act runner itself, Docker Engine, or other external prerequisites should be reported to their respective projects unless the vulnerability is triggered specifically by Local CI's orchestration of those tools. + +## Out of Scope + +- Vulnerabilities in third-party dependencies (act, Docker, yq) that are not amplified by Local CI +- Denial-of-service issues with no security impact +- Theoretical vulnerabilities without a realistic attack scenario From 2c6054e5f0c1d6870dfcba78d0b4cd115479edd5 Mon Sep 17 00:00:00 2001 From: zho Date: Tue, 5 May 2026 10:19:36 +0800 Subject: [PATCH 2/3] SECURITY.md: address bradjin8 review on PR #34 - Replace semver-style Supported Versions table with pre-release develop-branch note (no tags yet) - Add encrypted-channel / PGP fingerprint offer for email reporters - Document CVE coordination via GitHub CNA and reporter credit - Clarify out-of-scope resource exhaustion vs privilege/exfil scenarios Co-authored-by: Cursor --- SECURITY.md | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9efc4fa..6ae4b85 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,12 +2,13 @@ ## Supported Versions -| Version | Supported | -|---------|-----------| -| main | Yes | -| v0.1.x | Yes | +Local CI is in pre-release development. There are no tagged stable releases yet +(`pyproject.toml` declares `0.1.0`, not yet tagged). -Older branches or tags not listed above do not receive security fixes. +Security fixes are produced only against the latest commit on the +[`develop`](https://github.com/cppalliance/local-ci-test-system/tree/develop) +branch. Once a `v0.1.0` tag is cut, this section will be reformatted as a +semver-style support table. ## Reporting a Vulnerability @@ -15,6 +16,10 @@ Older branches or tags not listed above do not receive security fixes. Report security issues through **[GitHub private vulnerability reporting](https://github.com/cppalliance/local-ci-test-system/security/advisories/new)** (preferred), or email **security@cppalliance.org** if you do not have a GitHub account. +If you need an encrypted channel, mention this in your initial email and a +maintainer will reply with a current PGP key fingerprint or arrange another +secure channel. + Include as much of the following as you can: - A description of the vulnerability and its impact @@ -24,6 +29,10 @@ Include as much of the following as you can: You can expect an acknowledgement within **5 business days** and a resolution or status update within **90 days**. +For confirmed vulnerabilities with user impact, CppAlliance maintainers will +request a CVE through GitHub's CNA on your behalf and credit you in the +advisory unless you ask to remain anonymous. + ## Scope The following classes of vulnerability are **in scope**: @@ -41,5 +50,6 @@ Issues with the act runner itself, Docker Engine, or other external prerequisite ## Out of Scope - Vulnerabilities in third-party dependencies (act, Docker, yq) that are not amplified by Local CI -- Denial-of-service issues with no security impact +- Resource-exhaustion or crash issues with no privilege escalation, sandbox + escape, or data-exfiltration consequence - Theoretical vulnerabilities without a realistic attack scenario From b1244ae9c36ec65ae9f5f5b0de0d9903dd0c62a9 Mon Sep 17 00:00:00 2001 From: zho Date: Wed, 6 May 2026 02:53:19 +0800 Subject: [PATCH 3/3] addressed wpak's review --- SECURITY.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 6ae4b85..d9bdd57 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,7 +14,7 @@ semver-style support table. **Please do not open a public GitHub issue for security vulnerabilities.** -Report security issues through **[GitHub private vulnerability reporting](https://github.com/cppalliance/local-ci-test-system/security/advisories/new)** (preferred), or email **security@cppalliance.org** if you do not have a GitHub account. +Report security issues through **[GitHub private vulnerability reporting](https://github.com/cppalliance/local-ci-test-system/security/advisories/new)** (preferred), or email **will@cppalliance.org** if you do not have a GitHub account. If you need an encrypted channel, mention this in your initial email and a maintainer will reply with a current PGP key fingerprint or arrange another @@ -37,13 +37,13 @@ advisory unless you ask to remain anonymous. The following classes of vulnerability are **in scope**: -| Category | Examples | -|---|---| -| Container escape | Breakout from Docker containers spawned by `localci run` | -| Token / secret exposure | CI tokens, Docker registry credentials, or `.localci.yml` secrets leaked to logs, temp files, or child processes | -| Path traversal | Workflow YAML or config paths that escape the project root | -| Dependency confusion / supply chain | Malicious images resolved by the image-scoring algorithm | -| Privilege escalation | Commands that gain unintended host-level access via Docker socket | +| Category | Examples | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------- | +| Container escape | Breakout from Docker containers spawned by `localci run` | +| Token / secret exposure | CI tokens, Docker registry credentials, or `.localci.yml` secrets leaked to logs, temp files, or child processes | +| Path traversal | Workflow YAML or config paths that escape the project root | +| Dependency confusion / supply chain | Malicious images resolved by the image-scoring algorithm | +| Privilege escalation | Commands that gain unintended host-level access via Docker socket | Issues with the act runner itself, Docker Engine, or other external prerequisites should be reported to their respective projects unless the vulnerability is triggered specifically by Local CI's orchestration of those tools.