
Commit 7aff30c

committed May 4, 2021
docs(security): add section for tools
1 parent 75e9e24 commit 7aff30c

File tree

1 file changed

+21
-3
lines changed


docs/SECURITY.md

+21-3
@@ -1,12 +1,30 @@
11
# Security Policy
22

3+
The code-server team (and Coder, the organization) care a lot about keeping the project secure and safe for end-users.
4+
5+
## Tools
6+
7+
We use a combination of tools to help us stay up-to-date and fix vulnerabilities.
8+
9+
- [dependabot](https://dependabot.com/)
10+
- Automatically keeps code-server up-to-date by updating dependencies in response to security alerts.
11+
- See alerts [here](https://github.com/cdr/code-server/security/dependabot).
12+
- code-scanning
13+
- [CodeQL](https://securitylab.github.com/tools/codeql/)
14+
- Semantic code analysis engine that runs on a [regular schedule](../.github/workflows/codeql-analysis.yml#L9-L11).
15+
- [trivy](https://github.com/aquasecurity/trivy)
16+
- Comprehensive vulnterability scanner that runs on PRs into the default branch and scans both our [Docker image](../.github/workflows/ci.yaml#L410-L439)) and [repository code](../.github/workflows/ci.yaml#L444-L466).
17+
- See alerts [here](https://github.com/cdr/code-server/security/code-scanning).
18+
- [`audit-ci`](https://github.com/IBM/audit-ci)
19+
- Audits npm and Yarn dependencies [in CI](../.github/workflows/ci.yaml#L46-L48) on PRs into the default branch and fails CI if [moderate or higher vulnerabilities](../ci/dev/audit.sh#L7-L9) are present.
20+
321
## Supported Versions
422

523
Coder sponsors development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report, and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
624

7-
| Version | Supported |
8-
| ------- | ------------------ |
9-
| 3.9.3 | :white_check_mark: |
25+
| Version | Supported |
26+
| ----------------------------------------------------- | ------------------ |
27+
| [Latest](https://github.com/cdr/code-server/releases) | :white_check_mark: |
1028

1129
## Reporting a Vulnerability
1230
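Review bot: two small defects in the new "Tools" list, both on the trivy line (new line 16): "vulnterability" is a typo for "vulnerability", and the Docker image link carries a stray second closing parenthesis, `[Docker image](../.github/workflows/ci.yaml#L410-L439))`, which renders as a literal ")" after the link. Separately, the `#L9-L11`, `#L410-L439`, `#L444-L466`, `#L46-L48` and `#L7-L9` anchors into codeql-analysis.yml, ci.yaml and audit.sh are relative links that will silently point at the wrong lines as soon as those files are edited; linking to the file without a line range, or to a permalink pinned to a commit SHA, would keep the security policy accurate without ongoing maintenance.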
