c4 Security Notes
When you clone the market template repository from GitHub, these security configurations are enabled by default to enhance the security of your cloned repository.
- What It Is: A SECURITY.md file in the repository that tells users and contributors how to report a vulnerability privately: where to send the report, what to include, and what response to expect.
- Why It’s Important: Without a stated channel, reporters tend to open a public issue. The policy routes reports directly to the maintainers so a fix can ship before the details are public, reducing the window in which the flaw can be exploited.
- What It Is: Repository security advisories let maintainers discuss a reported vulnerability in a private space, coordinate a fix, and then publish the advisory as a public security update once the fix is released.
- Why It’s Important: The vulnerability is handled discreetly, so its details are not public before a patched version is available.
- What It Is: Dependency scanning that checks the manifests and lock files in the repository against published vulnerability advisories and notifies maintainers when a dependency has a known vulnerability.
- Why It’s Important: Vulnerable third-party packages are a common supply-chain entry point. The alerts tell you which version to upgrade to so the project stays on patched releases; an alert is only useful once someone acts on it, so give the triage of these alerts an owner.
- What It Is: Static analysis of the codebase to detect vulnerabilities and insecure coding patterns. CodeQL is used by default.
- Why It’s Important: Finds security defects early in development, on every push and pull request, when they are cheapest to fix.
- How to Configure: Navigate to Settings → Code security and analysis → Enable Code scanning. The default configuration is applied. For an advanced configuration, add a CodeQL workflow under .github/workflows/ in your repository; default setup and a workflow-based configuration are alternatives, so switch to the workflow when you need control over languages, triggers or build steps. Example:
```yaml
name: "CodeQL Analysis"

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege for the job token: code scanning needs security-events: write
# to upload results; nothing here needs write access to the repository contents.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze Code
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python', 'java' ] # Add your languages here
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # Compiled languages (Java here) must be built so CodeQL can observe the
      # compilation; autobuild tries the common build systems. Replace this step
      # with your project's own build commands if autobuild cannot build it.
      - name: Build code
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```
This workflow runs on every push to master and on every pull request targeting master, analyzing each language in the matrix as a separate job; `fail-fast: false` keeps the other languages running when one of them fails.
- What It Is: Secret scanning detects sensitive information (API keys, tokens, passwords, private keys) that has been committed to the repository. Push protection is enabled alongside it, so a push containing a detected secret is rejected rather than merely reported afterwards.
- Why It’s Important: An exposed credential gives an attacker whatever access it grants, and public repositories are routinely crawled for leaked keys.
- How It Works: The scanner matches repository contents, including history, against known credential formats (such as AWS access keys) and raises an alert to the repository maintainers for every hit. Push protection runs the same checks on each incoming push and blocks it until the offending commits are rewritten without the secret (or a bypass is explicitly recorded). Two caveats: a secret that has already reached the remote must be rotated, because deleting it in a later commit leaves it in history; and detection covers the supported provider patterns only, so application-specific credentials still need attention from reviewers.
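The following is an added example, not code from the c4 market template: a local stand-in for push protection that scans only the added lines of a unified diff for a few well-known secret formats and refuses the push when any are found. The token patterns are assumptions drawn from publicly documented prefixes and cover far fewer formats than GitHub's own scanner; the sample diff, the file names and the script name `check_push.py` are constructed for the example.

```python
"""Local stand-in for push protection: scan the added lines of a unified diff
for well-known secret formats and refuse the push when any are found.

Added example, not code from the c4 market template. The patterns are
assumptions drawn from publicly documented token prefixes and cover far fewer
formats than GitHub's own scanner; the sample diff at the bottom is constructed.
"""
import re
import sys
from dataclasses import dataclass

# Provider-specific prefixes keep false positives low; the private-key rule
# matches the PEM header line, not the key body.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    secret_type: str
    path: str
    line_no: int   # line number in the new version of the file
    match: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Return a Finding for every secret on an added line of the diff.

    Only '+' lines inside hunks are inspected: removed lines are leaving the
    tree and context lines are already in history, so both would be noise.
    """
    findings: list[Finding] = []
    path, new_line, in_hunk = "<unknown>", 0, False
    for raw in diff_text.splitlines():
        header = HUNK_HEADER.match(raw)
        if header:
            new_line, in_hunk = int(header.group(1)), True
            continue
        if raw.startswith("diff --git "):
            in_hunk = False
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")   # "+++ b/path" -> "path"
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue                         # removed line or "\ No newline"
        if raw.startswith("+"):
            for name, pattern in SECRET_PATTERNS.items():
                for hit in pattern.finditer(raw[1:]):
                    findings.append(Finding(name, path, new_line, hit.group(0)))
        new_line += 1                        # context and added lines advance
    return findings


def should_block(diff_text: str) -> bool:
    """Push-protection decision: any finding rejects the whole push."""
    return bool(scan_diff(diff_text))


def redact(secret: str) -> str:
    """Never echo a full secret into logs; keep a short prefix for triage."""
    return secret[:4] + "...****" if len(secret) > 8 else "****"


# Constructed sample push: the old hard-coded key is removed (must not be
# reported) and a new one is added under a different name (must be reported).
# Both key IDs are the placeholder values from the AWS documentation.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_FALLBACK_KEY = "AKIAI44QH8DHBEXAMPLE"
 REGION = "eu-west-1"
 DEBUG = False
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Market template
+Set AWS_ACCESS_KEY_ID in the environment; never commit it.
 See docs/.
"""

if __name__ == "__main__":
    # Usage as a pre-push check: git diff origin/master...HEAD | python check_push.py
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_diff(diff):
        print(f"BLOCKED {f.path}:{f.line_no} {f.secret_type} {redact(f.match)}")
    sys.exit(1 if should_block(diff) else 0)
```

Run on the constructed diff it reports one finding, `config/settings.py:3 aws_access_key_id AKIA...****`, and exits non-zero; the removed key on the `-` line is deliberately ignored, since blocking a push that takes a secret out of the tree would only discourage the cleanup. The redaction in the log line matters in CI, where job output is often readable by more people than the repository.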
By taking advantage of these built-in security configurations, your repository will be better protected from common vulnerabilities, providing peace of mind during development.