If you find a significant vulnerability, or evidence of one, please report it privately.

We prefer that you use the GitHub mechanism for privately reporting a vulnerability. Under the main repository's security tab, click "Report a vulnerability" to open the advisory form.

If you have any further concerns that are not addressed by this process, please submit a case through the Ed-Fi Community Hub

The following tools have been implemented in this repository to automate aspects of application security. Overall security posture and status is reviewed regularly with the help of the OpenSSF Scorecard, internal auditing, and external auditing.

1. Static Application Security Testing (SAST) using CodeQL.
2. Dependency review and analysis using Dependabot (nightly review of the main branch) and actions/dependency-review-action (review of new dependencies in pull requests).
3. Trojan Source detection.

1. Direct write permissions in GitHub are limited to trusted development team members.
2. Pull requests are always required for merge to main, with at least one reviewer.
3. Changes to GitHub Actions workflows require approval from a core team member.
4. GitHub workflows are pinned to specific known SHA256 hash values, and builds will fail if there are unapproved Actions in the pull request.

1. Binaries are built and managed directly inside GitHub, not by developers.
2. Releases contain provenance attestations and a software bill of materials (SBOM) files describing the build process and dependencies.
3. Docker images are pinned to specific known SHA256 hash values.