-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: move security page to security policy
- Loading branch information
Showing
2 changed files
with
72 additions
and
55 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| # Security Policy | ||
|
|
||
| Because QDT is meant to be carried out on large-scale IT infrastructures, security is one of the development challenges. It's enforced through automated checks, which are mainly executed in CI. You can also run the most of them manually. | ||
|
|
||
| ## Automated security checks | ||
|
|
||
| - [GitGuardian](https://www.gitguardian.com/): detects secrets in the source code to help developers and security teams secure the modern development process. | ||
| - [Github Code QL](https://codeql.github.com/): GitHub integrated tool to discover vulnerabilities across a codebase | ||
| - [Dependabot Alerts](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-dependabot): GitHub integrated tool that keeps dependencies up to date by informing of any security vulnerabilities in project's dependencies, and automatically opens pull requests to upgrade dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published. | ||
| - [GitHub secret scanning](https://docs.github.com/code-security/secret-scanning/secret-scanning-patterns#supported-secrets): integrated Github secrets scanning to receive alerts for detected secrets, keys, or other tokens. | ||
| - [Bandit](https://bandit.readthedocs.io): Bandit is a tool designed to find common security issues in Python code. Aslo executed for every commit as git hook. | ||
| - [Safety](https://pypi.org/project/safety/): Safety is a tool (part of PyUp security suite) designed to scan dependencies. | ||
|
|
||
| ---- | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| We release patches for security vulnerabilities. Which versions are eligible for | ||
| receiving such patches depends on the CVSS v3.0 Rating. | ||
|
|
||
| For now, no vulnerability has been found. | ||
|
|
||
| ---- | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| Please report (suspected) security vulnerabilities to **[qgis+security@oslandia.com](mailto:security@ory.sh)**. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days. | ||
|
|
||
| ---- | ||
|
|
||
| ## Run security checks manually | ||
|
|
||
| Some checks can be executed on the developer side. | ||
|
|
||
| ### Install dependencies related to security | ||
|
|
||
| ```sh | ||
| python -m pip install -U -r requirements/security.txt | ||
| ``` | ||
|
|
||
| ### Run bandit chekcs | ||
|
|
||
| In a terminal: | ||
|
|
||
| ```sh | ||
| bandit --configfile bandit.yaml --format screen -r qgis_deployment_toolbelt | ||
| ``` | ||
|
|
||
| It's also possible to get results as a CSV: | ||
|
|
||
| ```sh | ||
| bandit --configfile bandit.yaml --format csv --output bandit_report.csv -r qgis_deployment_toolbelt | ||
| ``` | ||
|
|
||
| Then open the `bandit_report.csv` file. | ||
|
|
||
| ## Run Safety | ||
|
|
||
| In a terminal: | ||
|
|
||
| ```sh | ||
| safety check --full-report --output screen -r requirements/base.txt | ||
| ``` | ||
|
|
||
| It's also possible to get results in a text format: | ||
|
|
||
| ```sh | ||
| safety check --full-report --output text -r requirements/base.txt > safety_report.txt | ||
| ``` | ||
|
|
||
| Then open the `safety_report.txt` file. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,56 +1,2 @@ | ||
| # Security | ||
|
|
||
| Because QDT is meant to be carried out on large-scale IT infrastructures, security is one of the development challenges. It's enforced through automated checks, which are mainly executed in CI. You can also run the most of them manually. | ||
|
|
||
| ## Automated security checks | ||
|
|
||
| - [GitGuardian](https://www.gitguardian.com/): detects secrets in the source code to help developers and security teams secure the modern development process. | ||
| - [Github Code QL](https://codeql.github.com/): GitHub integrated tool to discover vulnerabilities across a codebase | ||
| - [Dependabot Alerts](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-dependabot): GitHub integrated tool that keeps dependencies up to date by informing of any security vulnerabilities in project's dependencies, and automatically opens pull requests to upgrade dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published. | ||
| - [GitHub secret scanning](https://docs.github.com/code-security/secret-scanning/secret-scanning-patterns#supported-secrets): integrated Github secrets scanning to receive alerts for detected secrets, keys, or other tokens. | ||
| - [Bandit](https://bandit.readthedocs.io): Bandit is a tool designed to find common security issues in Python code. Aslo executed for every commit as git hook. | ||
| - [Safety](https://pypi.org/project/safety/): Safety is a tool (part of PyUp security suite) designed to scan dependencies. | ||
|
|
||
| ---- | ||
|
|
||
| ## Run security checks manually | ||
|
|
||
| Some checks can be executed on the developer side. | ||
|
|
||
| ### Install dependencies related to security | ||
|
|
||
| ```sh | ||
| python -m pip install -U -r requirements/security.txt | ||
| ```{include} ../../SECURITY.md | ||
| ``` | ||
|
|
||
| ### Run bandit chekcs | ||
|
|
||
| In a terminal: | ||
|
|
||
| ```sh | ||
| bandit --configfile bandit.yaml --format screen -r qgis_deployment_toolbelt | ||
| ``` | ||
|
|
||
| It's also possible to get results as a CSV: | ||
|
|
||
| ```sh | ||
| bandit --configfile bandit.yaml --format csv --output bandit_report.csv -r qgis_deployment_toolbelt | ||
| ``` | ||
|
|
||
| Then open the `bandit_report.csv` file. | ||
|
|
||
| ## Run Safety | ||
|
|
||
| In a terminal: | ||
|
|
||
| ```sh | ||
| safety check --full-report --output screen -r requirements/base.txt | ||
| ``` | ||
|
|
||
| It's also possible to get results in a text format: | ||
|
|
||
| ```sh | ||
| safety check --full-report --output text -r requirements/base.txt > safety_report.txt | ||
| ``` | ||
|
|
||
| Then open the `safety_report.txt` file. |