Pull request overview
Adds a repository security policy document (SECURITY.md) describing supported versions, how to report vulnerabilities, threat model highlights, and disclosure expectations.
Changes:
- Introduces a “Supported Versions” policy and private vulnerability reporting channels.
- Documents key risk areas (processor loading, YAML parsing, filesystem access, worker parallelism).
- Adds security best practices for processor authors and a coordinated disclosure policy.
| | Version | Supported | | ||
| |---------|-----------| | ||
| | Latest (`main`) | ✅ | | ||
| | Older releases | ❌ | |
The Markdown table syntax in this section starts each row with ||, which renders an unintended empty first column (or may fail to render as expected). Use a single leading | per row so the Supported Versions table formats correctly.
| | Latest (`main`) | ✅ | | ||
| | Older releases | ❌ | | ||
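Review bot: the suggestion only rewrites the two data rows, but the header row (`Version | Supported`) and the `|---------|-----------|` separator row above them start with the same `||`, so the table will still not render as intended unless those two rows get the same single leading `|`. Extend the suggestion to cover all four rows.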
| We only provide security fixes for the latest release. Please update before reporting. |
This text says security fixes are only provided for the latest release, but the table describes support as “Latest (main)”. Please reconcile this (e.g., refer to the latest tagged release, or explicitly state that only the main branch is supported) so the policy is unambiguous.
| We only provide security fixes for the latest release. Please update before reporting. | |
| We only provide security fixes for the latest `main` branch. Please update before reporting. |
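Review bot: "the latest `main` branch" is redundant, since there is only one `main`; "the `main` branch" reads cleaner. Because the table marks older releases as unsupported, it is also worth saying outright that tagged releases receive no security fixes and that reporters should reproduce against `main`, which removes the ambiguity the comment above points out.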
| Report vulnerabilities privately via one of the following: | ||
| - **GitHub Private Advisories**: [Security Advisories](https://github.com/416rehman/DeepZero/security/advisories/new) |
The Security Advisory link is hard-coded to https://github.com/416rehman/DeepZero/..., which will be incorrect for forks or if the repo is transferred/renamed. Prefer a relative link (e.g., /security/advisories/new) so it stays correct regardless of the repository owner/name.
| - **GitHub Private Advisories**: [Security Advisories](https://github.com/416rehman/DeepZero/security/advisories/new) | |
| - **GitHub Private Advisories**: [Security Advisories](/security/advisories/new) |
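Review bot: verify that the root-relative link in the suggested line actually opens the advisory form. GitHub rewrites root-relative links inside repository Markdown as paths within the repository tree on the current branch, so `/security/advisories/new` is likely to resolve to a nonexistent file under the repo rather than to the Security tab. If the goal is a link that survives forks and renames, point reporters to the repository's Security tab in prose (Security, then Advisories, then "Report a vulnerability") instead of relying on a path-only link.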
| - Keep `setup()` / `teardown()` symmetric, don't leave sockets or file handles open. | ||
| - Run the required linting and security scan before submitting: | ||
| ```bash | ||
| ruff check . && ruff format --check . && bandit -r src processors |
The recommended Bandit command here doesn’t match the CI gate (CI runs Bandit with -ll -ii and -c pyproject.toml over the repo). Consider updating the documented command to mirror CI so contributors get the same findings locally (and so Bandit picks up the repo’s config/excludes).
| ruff check . && ruff format --check . && bandit -r src processors | |
| ruff check . && ruff format --check . && bandit -r -ll -ii -c pyproject.toml . |
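Review bot: the suggested command widens the scan target from `src processors` to `.`, so it will also walk tests, build output and any local virtualenv unless `pyproject.toml` excludes them; confirm that the `[tool.bandit]` table in `pyproject.toml` carries the same exclude list CI uses, otherwise contributors will see noise locally that the CI gate does not report. It is also worth stating in the document that `-ll -ii` limits output to medium-and-above severity and confidence, so a clean local run is understood to match the CI threshold rather than a full Bandit report.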
No description provided.