chaim/israel-law-mcp
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
2476300c7ed0f71b7804eb601ce280f029cf26a4
israel-law-mcp/SECURITY.md
Jeffrey von Rotz 0e59a05538 chore: add security policy
2026-02-20 20:56:33 +01:00

2.7 KiB
Raw Blame History

Security Policy

Supported Versions

Version Supported
1.x
< 1.0

We support only the latest minor version. Please upgrade to receive security patches.

Security Scanning

This project uses multiple layers of automated security scanning:

Dependency Vulnerabilities

  • Dependabot: Automated dependency updates (weekly)
  • npm audit: Runs on every CI build
  • Socket.dev: Supply chain attack detection

Code Analysis

  • CodeQL: Static analysis for security vulnerabilities (weekly + on PRs)
  • Semgrep: SAST scanning for OWASP top 10, secrets, and TypeScript-specific issues
  • Trivy: Filesystem, dependency, and container image vulnerability scanning
  • Gitleaks: Secret detection across git history

Container Security

  • Docker Security Scan: Daily container image scanning via Trivy
  • SBOM Generation: CycloneDX and SPDX format (365-day retention)
  • OSSF Scorecard: OpenSSF best practices scoring

What We Scan For

  • Known CVEs in dependencies
  • SQL injection vulnerabilities
  • Cross-site scripting (XSS)
  • Regular expression denial of service (ReDoS)
  • Path traversal attacks
  • Supply chain attacks (malicious packages, typosquatting)
  • Hardcoded secrets and credentials

Reporting a Vulnerability

If you discover a security vulnerability:

  1. Do NOT open a public GitHub issue
  2. Email: hello@ansvar.ai
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)

We will respond within 48 hours and provide a timeline for a fix.

Security Best Practices

This project follows security best practices:

  • All database queries use prepared statements (no SQL injection)
  • Input validation on all user-provided parameters
  • Read-only database access (no write operations at runtime)
  • No execution of user-provided code
  • Automated security testing in CI/CD
  • Regular dependency updates via Dependabot

Database Security

Legal Database (SQLite)

The legal database (data/database.db) is:

  • Pre-built and version-controlled (tamper evident)
  • Opened in read-only mode at runtime (no write risk)
  • Source data from official government legal databases (auditable)
  • Ingestion scripts require manual execution (no auto-download at runtime)

Third-Party Dependencies

We minimize dependencies and regularly audit:

  • Core runtime: Node.js, TypeScript, @ansvar/mcp-sqlite
  • MCP SDK: Official Anthropic package
  • No unnecessary dependencies

All dependencies are tracked via package-lock.json and scanned for vulnerabilities.

Last Updated: 2026-02-20

Reference in New Issue View Git Blame Copy Permalink