
Update security flow to report on GitHub #10328

Merged
merged 1 commit into from
Mar 8, 2024
Merged

Conversation

bluwy
Member

@bluwy bluwy commented Mar 5, 2024

Changes

Update SECURITY.md to use GitHub to report vulnerabilities. This is only for this repo; for other repos it'll fall back to the default in https://github.com/withastro/.github/blob/main/SECURITY.md (via email).

Starting this PR as a point of discussion, we could decide whether we want to do this or not. From Discord, this new flow will look like:

  1. First, we need to enable the feature at https://github.com/withastro/astro/settings/security_analysis
  2. When creating a bug report, users can choose to submit a security report instead, e.g. vite
  3. Users can fill in the form to describe the severity and explain in private. Only repo admins can see unless they invite others.
  4. We can triage them (comment, close, update descriptions/severity, etc., similar to GH issues), and if it's real, we can work on a fix.
  5. After a fix is done, we can update the report to describe the versions fixed, add extra explanation, etc, then accept the report.
  6. Someone from GitHub will then publish the CVE for us.

Compared to the email approach, this allows us to easily publish CVEs, credit the folks who found the vulnerability, and is easier to discover (npm audit).

Testing

n/a

Docs

n/a


changeset-bot bot commented Mar 5, 2024

⚠️ No Changeset found

Latest commit: c0f0480

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@bluwy bluwy changed the title Update security flow Update security flow to report on GitHub Mar 5, 2024
@ematipico
Member

Sounds like a good starting point. I would argue that ALL repositories should follow the same approach, but that's not part of this PR.

@bluwy
Member Author

bluwy commented Mar 5, 2024

Oh I didn't know you can enable all on existing repos at once. I'm not sure how useful it is for every repo, but I suppose as a start we can test it out for the important repos.

@ematipico
Member

I am going to merge it; we can still apply changes if someone has feedback to add.

@ematipico ematipico merged commit 33616ba into main Mar 8, 2024
2 checks passed
@ematipico ematipico deleted the update-security-flow branch March 8, 2024 09:58
@bluwy
Member Author

bluwy commented Mar 8, 2024

I was also waiting for Fred's input before merging this (DM-ed him yesterday), since we have Fred, Matthew, and Nate as the security contacts. Don't mind merging though, but cc @FredKSchott in case he has thoughts on this.
