Security practice - fish-shop/discussions GitHub Wiki
Our standard security policy is presented here for convenience. Refer to the SECURITY.md file in each project (or click the "Security" tab from the repository overview page) for details that may supersede those presented here.
Patches for security vulnerabilities will be made available at the earliest opportunity. The versions that are eligible for such patches depend on the CVSS v4.0 severity rating:
| CVSS v4.0 | Supported Versions |
|---|---|
| 9.0-10.0 | Releases within the previous three months |
| 4.0-8.9 | Most recent release |
In the first instance, please report suspected security vulnerabilities using private vulnerability reporting by navigating to the "Security" tab of the repository and clicking "Report a vulnerability". Alternatively, submit your report by email to [email protected]. You should generally expect a response within 48 hours.
All GitHub Actions projects created by fish-shop include an OpenSSF Scorecard workflow that generates a security score to help you assess the trust, risk, and security posture for your own use case. The README.md file for each project includes a badge indicating the current security score, and the OpenSSF Scorecard Report viewer can be used to gain further insight into the restrictions that each project enforces to ensure a good security footing.
Dependabot is used across all our projects to maintain frequent dependency updates and detect known vulnerabilities.
A number of strategies are used for hardening our GitHub Actions, including use of the step-security/harden-runner action in project workflows, scanning commits for potential leaks using the gitleaks/gitleaks-action, and following GitHub's Security hardening for GitHub Actions recommendations.
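As an added illustration (not a fish-shop workflow), the job below shows how those three strategies fit together in one workflow: a read-only default token per GitHub's hardening guidance, harden-runner placed first so it observes every later step's network egress, and gitleaks run over the full commit history. The `./test.sh` step is a placeholder for a project's own build.

```yaml
# Added illustration, not a fish-shop workflow: a minimal job applying the
# hardening strategies described above.
name: hardened-ci

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the workflow token is read-only unless a job asks for more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # harden-runner goes first so it can monitor every subsequent step.
      # "audit" records outbound calls; move to "block" with an
      # allowed-endpoints list once the expected baseline is known.
      - name: Harden runner
        uses: step-security/harden-runner@v2   # pin to a commit SHA in real use
        with:
          egress-policy: audit

      # Full history is needed so gitleaks scans every commit, not only HEAD.
      - uses: actions/checkout@v4             # pin to a commit SHA in real use
        with:
          fetch-depth: 0

      # Scan commits for leaked credentials; the job fails on any finding.
      - name: Scan for leaked secrets
        uses: gitleaks/gitleaks-action@v2     # pin to a commit SHA in real use
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - run: ./test.sh   # placeholder for the project's own build/test step
```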