Skip to content

Security: mackeh/ForgeFlow

Security

SECURITY.md

Security Policy

Supported Versions

Security fixes are provided for the latest code line only.

Version Supported
main Yes
Latest tagged release (v1.x) Yes
Older tags/branches No

Automated Security Scanning

Security scanning runs automatically in CI and on a weekly schedule so newly disclosed issues are caught even without new commits:

  • CodeQL (.github/workflows/codeql.yml) — SAST for JavaScript/TypeScript and Python using the security-and-quality query suite.
  • Dependency Review — blocks PRs that introduce high-severity vulnerable dependencies (.github/workflows/security.yml).
  • npm audit + pip-audit — scan production dependencies for known advisories on every PR, push to main, and weekly.
  • Dependabot (.github/dependabot.yml) — weekly dependency update PRs for npm, pip, GitHub Actions, and Docker, plus automatic security updates.

Hardening & Deployment Notes

  • Set strong, unique JWT_SECRET and SECRET_ENCRYPTION_KEY (≥ 16 chars). With NODE_ENV=production the server refuses to start if either is unset or a known default value.
  • Lock down browser access with CORS_ORIGIN (comma-separated allowlist) in shared deployments.
  • Outbound workflow/webhook requests to cloud-metadata/link-local addresses (e.g. 169.254.169.254) are always blocked; set SSRF_BLOCK_PRIVATE=true to also block private/loopback ranges.
  • The CSV import node reads only inside CSV_IMPORT_DIR (defaults to the working directory) to prevent path traversal.
  • JWTs are pinned to HS256; secrets are redacted from request logs and error messages; TOTP and password comparisons are constant-time.

Reporting a Vulnerability

Please do not open public GitHub issues for security vulnerabilities.

Use GitHub's private vulnerability reporting for this repository:

  1. Go to the repository Security tab.
  2. Open Report a vulnerability.
  3. Include clear reproduction steps, affected components, impact, and suggested mitigation if available.

If private reporting is unavailable, contact the repository owner directly and include the same details.

What to Include

  • Affected version/commit (git rev-parse --short HEAD if possible)
  • Environment details (OS, Docker version, browser, etc.)
  • Steps to reproduce
  • Proof-of-concept or logs/screenshots
  • Impact assessment (confidentiality, integrity, availability)
  • Any known workaround

Response Targets

  • Initial acknowledgment: within 72 hours
  • Triage decision: within 7 days
  • Status updates: at least every 7 days while active

Disclosure Process

  • We follow coordinated disclosure.
  • Please allow time for validation, fix development, and release before public disclosure.
  • After a fix is released, we may publish a summary advisory and mitigation guidance.

Scope Notes

In scope:

  • Authentication/authorization bypass
  • Secret leakage or encryption weaknesses
  • Remote code execution
  • SSRF, injection, path traversal, deserialization risks
  • Workflow execution isolation failures

Out of scope (unless chained with security impact):

  • Feature requests
  • UI/UX bugs without security impact
  • Self-host misconfiguration without product defect
  • Denial of service requiring unrealistic local-only assumptions

Safe Harbor

We support good-faith security research. If you act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate, we will not pursue legal action for your research.

There aren't any published security advisories