88 lines
2.7 KiB
Markdown
88 lines
2.7 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 1.x | :white_check_mark: |
|
|
| < 1.0 | :x: |
|
|
|
|
We support only the latest minor version. Please upgrade to receive security patches.
|
|
|
|
## Security Scanning
|
|
|
|
This project uses multiple layers of automated security scanning:
|
|
|
|
### Dependency Vulnerabilities
|
|
- **Dependabot**: Automated dependency updates (weekly)
|
|
- **npm audit**: Runs on every CI build
|
|
- **Socket.dev**: Supply chain attack detection
|
|
|
|
### Code Analysis
|
|
- **CodeQL**: Static analysis for security vulnerabilities (weekly + on PRs)
|
|
- **Semgrep**: SAST scanning for OWASP top 10, secrets, and TypeScript-specific issues
|
|
- **Trivy**: Filesystem, dependency, and container image vulnerability scanning
|
|
- **Gitleaks**: Secret detection across git history
|
|
|
|
### Container Security
|
|
- **Docker Security Scan**: Daily container image scanning via Trivy
|
|
- **SBOM Generation**: CycloneDX and SPDX format (365-day retention)
|
|
- **OSSF Scorecard**: OpenSSF best practices scoring
|
|
|
|
### What We Scan For
|
|
- Known CVEs in dependencies
|
|
- SQL injection vulnerabilities
|
|
- Cross-site scripting (XSS)
|
|
- Regular expression denial of service (ReDoS)
|
|
- Path traversal attacks
|
|
- Supply chain attacks (malicious packages, typosquatting)
|
|
- Hardcoded secrets and credentials
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
If you discover a security vulnerability:
|
|
|
|
1. **Do NOT open a public GitHub issue**
|
|
2. Email: hello@ansvar.ai
|
|
3. Include:
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Suggested fix (if you have one)
|
|
|
|
We will respond within 48 hours and provide a timeline for a fix.
|
|
|
|
## Security Best Practices
|
|
|
|
This project follows security best practices:
|
|
|
|
- All database queries use prepared statements (no SQL injection)
|
|
- Input validation on all user-provided parameters
|
|
- Read-only database access (no write operations at runtime)
|
|
- No execution of user-provided code
|
|
- Automated security testing in CI/CD
|
|
- Regular dependency updates via Dependabot
|
|
|
|
## Database Security
|
|
|
|
### Legal Database (SQLite)
|
|
|
|
The legal database (`data/database.db`) is:
|
|
- Pre-built and version-controlled (tamper evident)
|
|
- Opened in read-only mode at runtime (no write risk)
|
|
- Source data from official government legal databases (auditable)
|
|
- Ingestion scripts require manual execution (no auto-download at runtime)
|
|
|
|
## Third-Party Dependencies
|
|
|
|
We minimize dependencies and regularly audit:
|
|
- Core runtime: Node.js, TypeScript, @ansvar/mcp-sqlite
|
|
- MCP SDK: Official Anthropic package
|
|
- No unnecessary dependencies
|
|
|
|
All dependencies are tracked via `package-lock.json` and scanned for vulnerabilities.
|
|
|
|
---
|
|
|
|
**Last Updated**: 2026-02-20
|