From 1553c43080f117f82d8620e6fb0114483e7b28c3 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Sun, 24 Mar 2024 23:12:49 +0100 Subject: [PATCH] Document security measures (#6812) * add security commitment * fix badge path * set token permissions see https://github.com/inventree/InvenTree/security/code-scanning/48 * add more chapters * break up flow text * spellchecking * Revert "set token permissions" This reverts commit 6deb33000f68ca207c0f40189a43ae2d379f0bac. * Add pattern for social media providers restrictive APIs --- README.md | 2 +- docs/docs/security.md | 53 +++++++++++++++++++++++++++++++++++++++++++ docs/mkdocs.yml | 1 + docs/mlc_config.json | 6 +++++ 4 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 docs/docs/security.md diff --git a/README.md b/README.md index e5b69e4f94..4f3786e266 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ [![Documentation Status](https://readthedocs.org/projects/inventree/badge/?version=latest)](https://inventree.readthedocs.io/en/latest/?badge=latest) ![Docker Build](https://github.com/inventree/inventree/actions/workflows/docker.yaml/badge.svg) [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7179/badge)](https://bestpractices.coreinfrastructure.org/projects/7179) -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/inventree/inventree/badge)](https://securityscorecards.dev/viewer/?uri=github.com/inventree/inventree) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/inventree/InvenTree/badge)](https://securityscorecards.dev/viewer/?uri=github.com/inventree/InvenTree) [![Netlify Status](https://api.netlify.com/api/v1/badges/9bbb2101-0a4d-41e7-ad56-b63fb6053094/deploy-status)](https://app.netlify.com/sites/inventree/deploys) [![DeepSource](https://app.deepsource.com/gh/inventree/InvenTree.svg/?label=active+issues&show_trend=false&token=trZWqixKLk2t-RXtpSIAslVJ)](https://app.deepsource.com/gh/inventree/InvenTree/) 
diff --git a/docs/docs/security.md b/docs/docs/security.md new file mode 100644 index 0000000000..8208380f21 --- /dev/null +++ b/docs/docs/security.md 
@@ -0,0 +1,53 @@ + +The InvenTree project is committed to providing a secure and safe environment for all users. We know that many of our users rely on InvenTree to manage the inventory and manufacturing for their small and mid-size businesses, and we take that responsibility seriously. + +To that end, we have implemented a number of security measures over the years, which we will outline in this document. + +## Organisational measures + +The InvenTree project is managed by a small team of developers, who are responsible for the ongoing development and maintenance of the software. Two geographically distributed users have administrative access to the InvenTree codebase. Merges are only done by one of these two users, the maintainer Oliver. +InvenTree is open-source, and we welcome contributions from the community. However, all contributions are reviewed and scrutinised before being merged into the codebase. + +We provide a written [Security Policy](https://github.com/inventree/InvenTree/blob/master/SECURITY.md) in our main repo to ensure that all security issues are handled in a timely manner. + +If we become aware of a security issue, we will take immediate action to address the issue, and will provide a public disclosure of the issue once it has been resolved. We support assigning CVEs to security issues where appropriate. Our past security advisories can be found [here](https://github.com/inventree/InvenTree/security/advisories). + +## Technical measures + +### Code hosting + +The InvenTree project is hosted on GitHub, and we rely on the security measures provided by GitHub to help protect the integrity of the codebase. 
+ +Among those are: + +- Short-lived tokens where possible +- Dependabot for automated dependency updates / alerts +- Integrated security reporting +- (Optional but encouraged) Two-factor authentication for user accounts +- (Optional but encouraged) Signed commits / actions + +### Code style + +We enforce style and security checks in our CI/CD pipeline, and we have several automated tests to ensure that the codebase is secure and functional. +Checks are run on every pull request, and we require that all checks pass before a pull request can be merged. + +### Current versions + +InvenTree is built using the Django framework, which has a strong focus on security. We follow best practices for Django development, and we are committed to keeping the codebase up-to-date with the latest security patches and within supported versions. + +### Test coverage + +We run coverage tests on our codebase to ensure that we have a high level of test coverage above 90%. This is public and can be found [here](https://coveralls.io/github/inventree/InvenTree). + +### Pinning dependencies + +We are pinning dependencies to specific versions - aiming for complete reproducibility of builds - wherever possible. Combined with continuous OSV checks, we are able to react quickly to security issues in our dependencies. + +## Best practices + +We follow most of GitHubs community best practices, check our compliance [here](https://github.com/inventree/InvenTree/community). + +We also follow OpenSSF recommendations where applicable and take part in multiple of their security efforts: + +- OSSF Best Practices, currently at a [level of passing](https://www.bestpractices.dev/de/projects/7179) +- OSSF Scorecard, running with each merge [check current state](https://securityscorecards.dev/viewer/?uri=github.com/inventree/InvenTree) diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 79b0c02a1e..386881bf41 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml 
@@ -84,6 +84,7 @@ nav: - Credits: credits.md - Privacy: privacy.md - Release Notes: releases/release_notes.md + - Security: security.md - Install: - Introduction: start/intro.md - Configuration: start/config.md diff --git a/docs/mlc_config.json b/docs/mlc_config.json index 1a1cf8b46f..4146cd4cb2 100644 --- a/docs/mlc_config.json +++ b/docs/mlc_config.json @@ -8,6 +8,12 @@ }, { "pattern": "http://127.0.0.1" + }, + { + "pattern": "https://twitter.com/inventreedb" + }, + { + "pattern": "https://www.reddit.com/r/InvenTree/" } ] }
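Review bot: The README hunk fixes only the letter case of the Scorecard repo path, and it does so consistently for both the badge image URL and the viewer link, which is what the "fix badge path" bullet in the commit message describes. One consistency point for the same badge row: the line just above still points the Best Practices badge at the legacy `bestpractices.coreinfrastructure.org` host, while the new `docs/docs/security.md` in this patch links the same project id at `www.bestpractices.dev/.../projects/7179`; pick one host for both so the README and the docs page do not drift apart.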
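Review bot: In the new `docs/docs/security.md`, the "Short-lived tokens where possible" bullet under "Code hosting" is not backed by this patch: the commit message shows the "set token permissions" change (referencing code-scanning alert 48) was reverted, so the page should either point at where token scoping is actually configured or soften the claim until that follow-up lands. Smaller documentation points in the same hunk: "GitHubs community best practices" needs the possessive "GitHub's"; the page says "OSSF" in the two list items while the README badge and the preceding sentence say "OpenSSF", so use one name; the Best Practices link carries a `/de/` locale segment (`https://www.bestpractices.dev/de/projects/7179`), which should be the locale-neutral `https://www.bestpractices.dev/projects/7179`; the hard-coded "above 90%" coverage figure will go stale, so prefer wording that defers to the linked Coveralls page; and the statement that "all checks pass before a pull request can be merged" reads stronger if it says whether branch protection enforces this or it is maintainer practice. Naming an individual maintainer as the sole merger is fine as a statement of fact, but consider phrasing it so the document does not need editing when that changes.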
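Review bot: The `docs/mlc_config.json` hunk adds two ignore patterns beside the existing `http://127.0.0.1` entry, so links to `https://twitter.com/inventreedb` and `https://www.reddit.com/r/InvenTree/` will no longer be checked at all; if those profile URLs ever move, the link checker will not notice. Since JSON carries no comments, record the reason given in the commit message ("restrictive APIs" on those providers) somewhere the next maintainer will see it, for example in the docs README or the CI workflow that runs the checker. Minor style point: the reddit pattern ends in a trailing slash and the twitter one does not; match the exact form used in the docs so the prefix match behaves as intended.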