
Security: BerryBytes/01cloud-status


SECURITY.md

Security Policy

Supported versions

Security fixes are applied only to the current default branch; deploy from it to receive them.

Reporting a vulnerability

Do not open a public issue for security vulnerabilities.

Report vulnerabilities privately to the maintainers and include:

  • Affected component(s)
  • Reproduction steps
  • Impact assessment
  • Suggested remediation (if available)

If you do not yet have a private contact channel, ask a maintainer to establish one first (without including vulnerability details in that request), and share the details only over that channel.

Local security checks

Run these checks before creating a release or publishing a security-sensitive change:

  • Install tools used by pre-commit hooks: gosec, govulncheck, and trivy.
  • Run: pre-commit run --all-files

Backend (Go)

  • Use a current, patched Go toolchain that satisfies the go directive in this repository's go.mod (govulncheck also reports vulnerabilities in the toolchain itself).
  • gosec ./...
  • govulncheck ./...

Frontend (Node)

  • cd frontend && npm ci && npm audit --audit-level=high

Secrets and hygiene

  • pre-commit run --all-files

Container/filesystem scan (Trivy)

  • trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 .
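The checks above combined into one pre-release gate. This is an added example, not a script from the repository: it assumes it is run from the repository root, that the frontend lives in ./frontend as the npm command above implies, and it additionally refuses to pass if git tracks a .env or kubeconfig file, which enforces the "never commit" rule in the hardening notes below. Each check is run even if an earlier one fails, so one run reports every problem.

```sh
#!/bin/sh
# Pre-release security gate (added example, not the project's own script).
# Assumes: executed from the repository root; frontend code is in ./frontend.
set -u

# Exit 0 if every named tool is on PATH; otherwise list the missing ones and exit 1.
require_tools() {
  _missing=0
  for _tool in "$@"; do
    if ! command -v "$_tool" >/dev/null 2>&1; then
      echo "missing tool: $_tool" >&2
      _missing=1
    fi
  done
  return "$_missing"
}

# Read newline-separated paths on stdin (e.g. from `git ls-files`) and exit 1 if
# any is a .env file or a kubeconfig. Templates such as .env.example are allowed.
flag_secret_paths() {
  _found=0
  while IFS= read -r _path; do
    case "$_path" in
      .env.example|*/.env.example|.env.sample|*/.env.sample) ;;
      .env|*/.env|.env.*|*/.env.*|kubeconfig|*/kubeconfig|*.kubeconfig|.kube/config|*/.kube/config)
        echo "tracked secret-like file: $_path" >&2
        _found=1 ;;
    esac
  done
  return "$_found"
}

# Run one named check and record a failure instead of aborting, so all checks report.
FAILED=""
run_check() {
  _name=$1; shift
  echo "==> $_name"
  if "$@"; then
    echo "    ok"
  else
    echo "    FAILED" >&2
    FAILED="$FAILED [$_name]"
  fi
}

hygiene_checks() {
  git ls-files | flag_secret_paths && pre-commit run --all-files
}

backend_checks() {
  gosec ./... && govulncheck ./...
}

frontend_checks() {
  ( cd frontend && npm ci && npm audit --audit-level=high )
}

trivy_scan() {
  trivy fs --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1 .
}

run_all() {
  require_tools git go gosec govulncheck npm pre-commit trivy || return 1
  run_check "secrets and hygiene" hygiene_checks
  run_check "backend (Go)" backend_checks
  run_check "frontend (Node)" frontend_checks
  run_check "container/filesystem scan (Trivy)" trivy_scan
  if [ -n "$FAILED" ]; then
    echo "security gate failed:$FAILED" >&2
    return 1
  fi
  echo "security gate passed"
}

# Run the gate only when executed as scripts/security-gate.sh, so the functions
# above can also be sourced and reused individually.
case "$0" in
  *security-gate.sh) run_all ;;
esac
```

Save it as scripts/security-gate.sh, mark it executable, and run it from the repository root; a non-zero exit means at least one check failed and its name is in the final summary line.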

Security hardening notes

  • Never commit .env files or kubeconfig/Kubernetes credentials; keep them out of the tree via .gitignore and rely on the pre-commit and Trivy secret scans as a backstop.
  • Rotate any secret as soon as exposure is suspected; do not wait for confirmation.
  • Keep dependencies up to date and patch high-severity vulnerabilities quickly.
  • Prefer least-privilege Kubernetes and database credentials for deployments.

There aren’t any published security advisories