From 3e5239f7d35e57749c01adf3dbbcd365aebb39c8 Mon Sep 17 00:00:00 2001
From: undergroundwires <git@undergroundwires.dev>
Date: Thu, 28 Sep 2023 15:19:09 +0200
Subject: [PATCH] Add SAST security checks with SECURITY.md #178

This commit incorporates Static Analysis Security Testing (SAST) using
CodeQL. This integration will enforce consistent security assessments
with every change and on a predetermined schedule.

This commit also involves a restructure of security checks. The existing
security-checks workflow is renamed to better reflect its functionality
related to dependency audits.

These changes will enhance the project's resilience against potential
vulnerabilities in both the codebase and third-party dependencies.

Changes include:

- Remove older LGTM badge that's replaced by SAST checks.
- Rename `checks.security.yaml` to `checks.security.dependencies.yaml`,
  reinforcing the focus on dependency audits.
- Update `README.md`, ensuring the clear representation of security
  check statuses, including new SAST integration.
- Add new `SECURITY.md`, establishing the protocol for reporting
  vulnerabilities and outlining the project's commitment to robust
  security testing.
- Enhance `docs/tests.md` with detailed information on the newly
  integrated security checks.
- Add reference to SECURITY.md in README.md.
---
 ...yaml => checks.security.dependencies.yaml} |  2 +-
 .github/workflows/checks.security.sast.yaml   | 42 +++++++++++++++++++
 README.md                                     | 32 +++++++-------
 SECURITY.md                                   | 31 ++++++++++++++
 docs/tests.md                                 |  5 +++
 5 files changed, 97 insertions(+), 15 deletions(-)
 rename .github/workflows/{checks.security.yaml => checks.security.dependencies.yaml} (93%)
 create mode 100644 .github/workflows/checks.security.sast.yaml
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/checks.security.yaml b/.github/workflows/checks.security.dependencies.yaml
similarity index 93%
rename from .github/workflows/checks.security.yaml
rename to .github/workflows/checks.security.dependencies.yaml
index 543c05e8..0bd23dca 100644
--- a/.github/workflows/checks.security.yaml
+++ b/.github/workflows/checks.security.dependencies.yaml
@@ -1,4 +1,4 @@
-name: security-checks
+name: checks.security.dependencies
 
 on:
   push:
diff --git a/.github/workflows/checks.security.sast.yaml b/.github/workflows/checks.security.sast.yaml
new file mode 100644
index 00000000..8df97017
--- /dev/null
+++ b/.github/workflows/checks.security.sast.yaml
@@ -0,0 +1,42 @@
+name: checks.security.sast
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0' # at 00:00 on every Sunday
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [
+          javascript # analyzes code written in JavaScript, TypeScript and both.
+        ]
+
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+      -
+        name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/README.md b/README.md
index 0a018859..f9e10681 100644
--- a/README.md
+++ b/README.md
@@ -16,14 +16,6 @@
       src="https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat"
     />
   </a>
-  <!-- Code quality -->
-  <br />
-  <a href="https://lgtm.com/projects/g/undergroundwires/privacy.sexy/context:javascript" target="_blank" rel="noopener noreferrer">
-    <img
-      alt="Language grade: JavaScript/TypeScript"
-      src="https://img.shields.io/lgtm/grade/javascript/g/undergroundwires/privacy.sexy.svg?logo=lgtm&logoWidth=18"
-    />
-  </a>
   <a href="https://codeclimate.com/github/undergroundwires/privacy.sexy/maintainability" target="_blank" rel="noopener noreferrer">
     <img
       alt="Maintainability"
@@ -50,6 +42,20 @@
       src="https://github.com/undergroundwires/privacy.sexy/workflows/e2e-tests/badge.svg"
     />
   </a>
+  <!-- Security checks -->
+  <br />
+  <a href="https://github.com/undergroundwires/privacy.sexy/actions/workflows/checks.security.sast.yaml" target="_blank" rel="noopener noreferrer">
+    <img
+      alt="Status of dependency security checks"
+      src="https://github.com/undergroundwires/privacy.sexy/workflows/checks.security.sast/badge.svg"
+    />
+  </a>
+  <a href="https://github.com/undergroundwires/privacy.sexy/actions/workflows/checks.security.dependencies.yaml" target="_blank" rel="noopener noreferrer">
+    <img
+      alt="Status of Static Analysis Security Testing (SAST)"
+      src="https://github.com/undergroundwires/privacy.sexy/workflows/checks.security.dependencies/badge.svg"
+    />
+  </a>
   <!-- Checks -->
   <br />
   <a href="https://github.com/undergroundwires/privacy.sexy/actions/workflows/checks.quality.yaml" target="_blank" rel="noopener noreferrer">
@@ -58,12 +64,6 @@
       src="https://github.com/undergroundwires/privacy.sexy/workflows/quality-checks/badge.svg"
     />
   </a>
-  <a href="https://github.com/undergroundwires/privacy.sexy/actions/workflows/checks.security.yaml" target="_blank" rel="noopener noreferrer">
-    <img
-      alt="Security checks status"
-      src="https://github.com/undergroundwires/privacy.sexy/workflows/security-checks/badge.svg"
-    />
-  </a>
   <a href="https://github.com/undergroundwires/privacy.sexy/actions/workflows/checks.build.yaml" target="_blank" rel="noopener noreferrer">
     <img
       alt="Status of build checks"
@@ -157,3 +157,7 @@ Refer to [development.md](./docs/development.md) for Docker usage and reading mo
 Check [architecture.md](./docs/architecture.md) for an overview of design and how different parts and layers work together. You can refer to [application.md](./docs/application.md) for a closer look at application layer codebase and [presentation.md](./docs/presentation.md) for code related to GUI layer. [collection-files.md](./docs/collection-files.md) explains the YAML files that are the core of the application and [templating.md](./docs/templating.md) documents how to use templating language in those files. In [ci-cd.md](./docs/ci-cd.md), you can read more about the pipelines that automates maintenance tasks and ensures you get what see.
 
 [docs/](./docs/) folder includes all other documentation.
+
+## Security
+
+Security is a top priority at privacy.sexy. An extensive commitment to security verification ensures this priority. For any security concerns or vulnerabilities, please consult the [Security Policy](./SECURITY.md).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..62b90e5b
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+privacy.sexy takes security seriously. Commitment is made to address all security issues with urgency. Responsible reporting of any discovered vulnerabilities in the project is highly encouraged.
+
+## Reporting a Vulnerability
+
+Efforts to responsibly disclose findings are greatly appreciated. To report a security vulnerability, follow these steps:
+
+- For general vulnerabilities, [open an issue](https://github.com/undergroundwires/privacy.sexy/issues/new/choose) using the bug report template.
+- For sensitive matters, [contact the developer directly](https://undergroundwires.dev).
+
+## Security Report Handling
+
+Upon receipt of a security report, the following actions will be taken:
+
+- The report will be confirmed, identifying the affected components.
+- The impact and severity of the issue will be assessed.
+- Work on a fix and plan a release to address the vulnerability will be initiated.
+- The reporter will be kept updated about the progress.
+
+## Testing
+
+Regular and extensive testing is conducted to ensure robust security in the project. Information about testing practices can be found in the [Testing Documentation](./docs/tests.md).
+
+## Support
+
+For additional assistance or any unanswered questions, [submit a GitHub issue](https://github.com/undergroundwires/privacy.sexy/issues/new/choose). Security concerns are a priority, and necessary support to address them is assured.
+
+---
+
+Active contribution to the safety and security of privacy.sexy is thanked. This collaborative effort keeps the project resilient and trustworthy for all.
diff --git a/docs/tests.md b/docs/tests.md
index 4a227e34..715f6967 100644
--- a/docs/tests.md
+++ b/docs/tests.md
@@ -56,6 +56,11 @@ These checks validate various qualities like runtime execution, building process
 - Use [various tools](./../package.json) and [scripts](./../scripts).
 - Are automatically executed as [GitHub workflows](./../.github/workflows).
 
+### Security checks
+
+- [`checks.security.sast`](./../.github/workflows/checks.security.sast.yaml): Utilizes CodeQL to conduct Static Analysis Security Testing (SAST) to ensure the secure integrity of the codebase.
+- [`checks.security.dependencies`](./../.github/workflows/checks.security.dependencies.yaml): Performs audits on third-party dependencies to identify and mitigate potential vulnerabilities, safeguarding the project from exploitable weaknesses.
+
 ## Tests structure
 
 - [`package.json`](./../package.json): Defines test commands and includes tools used in tests.