| Version | Supported |
|---|---|
| main branch | ✅ Yes |
| Feature branches | Best effort |
Please report security vulnerabilities privately through one of these channels:
- GitHub Security Advisories — Go to Security → Advisories → New draft security advisory
- Direct message to repository maintainer
Do NOT report vulnerabilities via public issues, pull requests, or discussions.
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce (with code examples if possible)
- Potential impact (data exposure, unauthorized access, etc.)
- Affected component (API, frontend, infrastructure, etc.)
- Suggested fix (if any)
| Stage | Timeline | Action |
|---|---|---|
| Acknowledgment | Within 48 hours | Confirm receipt and initial assessment |
| Assessment | Within 1 week | Determine severity and scope |
| Fix | Within 2 weeks for critical issues | Develop and test remediation |
| Public disclosure | After fix deployed | Publish advisory, credit reporter |
This project uses automated security scanning in CI/CD. Every pull request runs the following checks:
| Tool | Category | Scans For | Blocks Merge |
|---|---|---|---|
| Semgrep | SAST | Code patterns (XSS, CSRF, insecure deserialization, hardcoded creds) | ✅ ERROR findings |
| CodeQL | SAST | Dataflow and taint analysis (injection, path traversal, etc.) | ✅ Alerts |
| Trivy (fs) | SCA | Dependency vulnerabilities (CVEs in NuGet, npm packages) | ✅ CRITICAL/HIGH |
| Trivy (image) | Container | Container image layer vulnerabilities | ✅ CRITICAL/HIGH |
| Dockle | Container | Docker image best practices (CIS Benchmarks) | ✅ ERROR findings |
| Checkov | IaC | Docker Compose misconfigurations (privileged mode, secrets, caps) | ✅ CRITICAL/HIGH |
| Gitleaks | Secrets | Hardcoded secrets via pattern matching (full git history) | ✅ Any detection |
| TruffleHog | Secrets | Active credential verification (confirms secrets are valid) | ✅ Any verified secret |
| Dependabot | SCA | Automated dependency update PRs for vulnerable packages | |
All security findings appear in GitHub Security Tab → Code scanning alerts, categorized by tool:
| Category | Tool | Description |
|---|---|---|
| `semgrep` | Semgrep | Custom + registry rule findings |
| `codeql` | CodeQL | Dataflow/taint analysis results |
| `trivy` | Trivy (fs) | Dependency CVEs |
| `trivy-image` | Trivy (image) | Container layer CVEs |
| `checkov` | Checkov | IaC misconfigurations |
Secret scanning alerts (Gitleaks/TruffleHog) appear under Secret scanning alerts in the Security Tab.
- Never commit secrets — Use `.env` files (gitignored) for local development
- Use Value Objects — CPF, CNPJ, and other sensitive data should use domain VOs
- Validate input — All user input must be validated server-side
- Use parameterized queries — EF Core handles this, but raw SQL must use parameters
- Run security scans locally before pushing — see CONTRIBUTING.md
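The two guidelines above that are most often done wrong in practice are the Value Object rule and the raw-SQL rule, so here is an added example of both together. It is not code from this project: `Cpf`, `Customer`, `CustomerRepository`, the `SecurityExample` namespace and the `Customers` table are all assumptions made for illustration, and the repository part assumes the `Microsoft.EntityFrameworkCore` NuGet package is referenced. The CPF check-digit rule (mod 11 over weights 10..2 and 11..2) is the standard one; the sample inputs at the bottom are constructed test values, not anyone's real document number.

```csharp
using System;
using System.Diagnostics.CodeAnalysis;
using System.Linq;
using Microsoft.EntityFrameworkCore;   // assumed dependency: Microsoft.EntityFrameworkCore (NuGet)

namespace SecurityExample;             // hypothetical namespace, not the project's

/// <summary>
/// Domain Value Object for a Brazilian CPF. The constructor is private, so every Cpf
/// that reaches a service or repository is already normalized and check-digit valid:
/// validation happens once, at the boundary, instead of in every caller.
/// </summary>
public sealed record Cpf
{
    /// <summary>Exactly 11 numeric characters, punctuation removed.</summary>
    public string Digits { get; }

    private Cpf(string digits) => Digits = digits;

    public static bool TryCreate(string? input, [NotNullWhen(true)] out Cpf? cpf)
    {
        cpf = null;
        if (string.IsNullOrWhiteSpace(input)) return false;

        // Accept "111.444.777-35" as well as "11144477735": keep the digits only.
        string digits = new string(input.Where(char.IsDigit).ToArray());
        if (digits.Length != 11) return false;

        // Repeated digits ("111.111.111-11") satisfy the mod-11 math but are never issued.
        if (digits.Distinct().Count() == 1) return false;

        // Two check digits: the 10th is computed over digits 1-9, the 11th over digits 1-10.
        if (CheckDigit(digits, 9) != digits[9] - '0') return false;
        if (CheckDigit(digits, 10) != digits[10] - '0') return false;

        cpf = new Cpf(digits);
        return true;
    }

    public static Cpf Create(string input) =>
        TryCreate(input, out var cpf) ? cpf : throw new ArgumentException("Invalid CPF.", nameof(input));

    // Mod-11 check digit over the first `length` digits, with weights (length+1) down to 2.
    private static int CheckDigit(string digits, int length)
    {
        int sum = 0;
        for (int i = 0; i < length; i++)
            sum += (digits[i] - '0') * (length + 1 - i);
        int remainder = sum % 11;
        return remainder < 2 ? 0 : 11 - remainder;
    }

    // The VO owns its rendering, so logs and exception messages never carry the full CPF.
    public override string ToString() => $"***.***.{Digits.Substring(6, 3)}-**";
}

// Hypothetical entity and repository; the Customers table is an assumption.
public sealed class Customer
{
    public int Id { get; set; }
    public string Cpf { get; set; } = "";   // stored in normalized 11-digit form
    public string Name { get; set; } = "";
}

public sealed class CustomerRepository
{
    private readonly DbContext _db;
    public CustomerRepository(DbContext db) => _db = db;

    // Raw SQL the safe way: FromSqlInterpolated turns {cpf.Digits} into a DbParameter,
    // so the value is sent separately from the SQL text. Do not write
    // FromSqlRaw($"... WHERE Cpf = '{input}'"): that string is assembled before EF Core
    // sees it, and nothing is parameterized. Taking a Cpf rather than a string also
    // means unvalidated input cannot reach this method at all.
    public Customer? FindByCpf(Cpf cpf) =>
        _db.Set<Customer>()
           .FromSqlInterpolated($"SELECT * FROM Customers WHERE Cpf = {cpf.Digits}")
           .AsNoTracking()
           .SingleOrDefault();
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs. "111.444.777-35" is check-digit valid; the others fail for
        // a wrong check digit, repeated digits, and wrong length respectively.
        string[] inputs = { "111.444.777-35", "11144477735", "111.444.777-36", "111.111.111-11", "123" };
        foreach (string input in inputs)
        {
            string verdict = Cpf.TryCreate(input, out Cpf? cpf) ? $"valid, logged as {cpf}" : "rejected";
            Console.WriteLine($"{input,-16} -> {verdict}");
        }
    }
}
```

A CNPJ Value Object follows the same shape (14 digits, two mod-11 check digits with their own weight sequences), and the same repository rule applies to `ExecuteSqlInterpolated` for non-query statements. The point of the record type is that equality is by value and the only way to obtain an instance is through validation, so an API endpoint that binds to `Cpf` instead of `string` gets server-side validation for free.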
This project follows security best practices aligned with:
- OWASP Top 10 — Web application security risks
- LGPD (Lei Geral de Proteção de Dados) — Brazilian data protection law
- CIS Docker Benchmarks — Container security hardening
- NSA Kubernetes Hardening Guide — Future K8s deployment security