chaim/israel-law-mcp
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

chore: add security policy

Browse Source
This commit is contained in:
Jeffrey von Rotz
2026-02-20 20:56:33 +01:00
parent 9cb830a2f3
commit 0e59a05538
1 changed files with 87 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
SECURITY.md Normal file
View File

@@ -0,0 +1,87 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.x | :white_check_mark: |
| < 1.0 | :x: |
We support only the latest minor version. Please upgrade to receive security patches.
## Security Scanning
This project uses multiple layers of automated security scanning:
### Dependency Vulnerabilities
- **Dependabot**: Automated dependency updates (weekly)
- **npm audit**: Runs on every CI build
- **Socket.dev**: Supply chain attack detection
### Code Analysis
- **CodeQL**: Static analysis for security vulnerabilities (weekly + on PRs)
- **Semgrep**: SAST scanning for OWASP top 10, secrets, and TypeScript-specific issues
- **Trivy**: Filesystem, dependency, and container image vulnerability scanning
- **Gitleaks**: Secret detection across git history
### Container Security
- **Docker Security Scan**: Daily container image scanning via Trivy
- **SBOM Generation**: CycloneDX and SPDX format (365-day retention)
- **OSSF Scorecard**: OpenSSF best practices scoring
### What We Scan For
- Known CVEs in dependencies
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Regular expression denial of service (ReDoS)
- Path traversal attacks
- Supply chain attacks (malicious packages, typosquatting)
- Hardcoded secrets and credentials
## Reporting a Vulnerability
If you discover a security vulnerability:
1. **Do NOT open a public GitHub issue**
2. Email: hello@ansvar.ai
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
We will respond within 48 hours and provide a timeline for a fix.
## Security Best Practices
This project follows security best practices:
- All database queries use prepared statements (no SQL injection)
- Input validation on all user-provided parameters
- Read-only database access (no write operations at runtime)
- No execution of user-provided code
- Automated security testing in CI/CD
- Regular dependency updates via Dependabot
## Database Security
### Legal Database (SQLite)
The legal database (`data/database.db`) is:
- Pre-built and version-controlled (tamper evident)
- Opened in read-only mode at runtime (no write risk)
- Source data from official government legal databases (auditable)
- Ingestion scripts require manual execution (no auto-download at runtime)
## Third-Party Dependencies
We minimize dependencies and regularly audit:
- Core runtime: Node.js, TypeScript, @ansvar/mcp-sqlite
- MCP SDK: Official Anthropic package
- No unnecessary dependencies
All dependencies are tracked via `package-lock.json` and scanned for vulnerabilities.
---
**Last Updated**: 2026-02-20