You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1.6 KiB
1.6 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| latest | ✅ |
| < 2.0 | ❌ |
Reporting a Vulnerability
If you discover a security vulnerability in this project, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email the maintainer directly or use GitHub's private vulnerability reporting
- Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect an initial response within 48 hours. We will work with you to understand and address the issue promptly.
Security Measures
This project implements several security measures:
- SBOM (Software Bill of Materials): Every Docker image includes a complete list of dependencies
- Provenance Attestation: Build provenance is attached to images to verify where and how they were built
- Image Signing: Images are signed using Sigstore Cosign for authenticity verification
- Vulnerability Scanning: Images are scanned with Trivy for known vulnerabilities
Verifying Image Signatures
You can verify the signature of our Docker images using cosign:
cosign verify graystorm/amcrest2mqtt:latest \
--certificate-identity-regexp="https://github.com/weirdtangent/amcrest2mqtt" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"