docs: Add security.md

ci: update workflows to not trigger on bot commits or PRs chore: move requirements.txt to api
Nicconike · Jun 23, 2024 · cb5d35b · cb5d35b
1 parent 3c3fe46
commit cb5d35b
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 7 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,85 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Thank you for improving the security of the project. I take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you find.
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to me by following the steps below:
+
+1. **Email**: Send an email to [38905025+Nicconike@users.noreply.github.com] with the subject "Security Vulnerability Report: Steam-Stats".
+2. **Discord**: If you do not prefer the email method, then please reach out to me via [Discord](https://discord.com/) @nicconike, @Nicco#1741 or the [Discord Server](https://discord.gg/UbetHfu)
+3. **Open PGP Key**: If possible, encrypt your message with my GPG key. You can download the GPG key from [here](https://keyserver.ubuntu.com/).
+4. **Information to Include**:
+    - Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
+    - Full paths of source file(s) related to the manifestation of the issue
+    - The location of the affected source code (tag/branch/commit or direct URL)
+    - Any special configuration required to reproduce the issue
+    - Step-by-step instructions to reproduce the issue
+    - Proof-of-concept or exploit code (if possible)
+    - Impact of the issue, including how an attacker might exploit the issue
+
+### How to Use GPG (Open PGP) Key
+
+1. **Download and install GPG software**:
+	- **Windows**: [Gpg4win](https://gpg4win.org/)
+	- **macOS**: [GPGTools](https://gpgtools.org/)
+	- **Linux**: GnuPG (often pre-installed)
+
+2. **Download the public key from the Key Server**:
+	1. Open the [OpenPGP server](https://keyserver.ubuntu.com/) website in your browser
+	2. Search the key using this fingerprint - `333675FF949C2CDDB86DBD64C82BDEDDEFDE338B`
+	3. Now click on the public key which will download the pub key file `333675ff949c2cddb86dbd64c82bdeddefde338b.asc`
+		```sh
+		rsa4096/333675ff949c2cddb86dbd64c82bdeddefde338b
+		```
+	4. Please rename the file to something more simpler like `public_key.asc`
+
+3. **Import the public key**:
+	- After downloading the public key file (`public_key.asc`), import it into your GPG keyring using the following command:
+    	```sh
+     	gpg --import public_key.asc
+     	```
+
+4. **Verify the imported key**:
+	- List the keys in your keyring to verify that the public key has been imported correctly:
+     	```sh
+     	gpg --list-keys
+     	```
+
+5. **Encrypt your message**:
+	- Create a text file containing your vulnerability report (e.g., `vulnerability_report.txt`).
+	- Encrypt the file using the public key:
+    	```sh
+     	gpg --encrypt --armor --recipient your.email@example.com vulnerability_report.txt
+     	```
+	- This will create an encrypted file (e.g., `vulnerability_report.txt.asc`).
+
+6. **Send the encrypted message**:
+	- Share the encrypted file (`vulnerability_report.txt.asc`) to me via Discord [@nicconike] or the [Discord Server](https://discord.gg/UbetHfu)
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via discord to ensure I received your original message.
+
+## Preferred Languages
+
+I would prefer all the communications to be in English.
+
+## Policy
+
+This Project follows the principle of [Coordinated Vulnerability Disclosure](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities).
+
+Please see the docs of how to [Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| > 0.1.3 | :white_check_mark: |
+| < 0.1.2 | :x:                |
+
+## Additional Information
+
+For more information about our security practices, please visit our [Security Documentation](link-to-your-security-docs).
+
+Thank you for helping to keep our project secure!
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,11 +3,11 @@
 version: 2
 updates:
     - package-ecosystem: "pip"
-      directory: "requirements.txt"
+      directory: "/api"
       schedule:
           interval: "weekly"
       commit-message:
-          prefix: "chore"
+          prefix: ":dependabot: chore"
           include: "scope"
       labels:
           - dependencies
@@ -27,7 +27,7 @@ updates:
       schedule:
           interval: "weekly"
       commit-message:
-          prefix: "ci"
+          prefix: ":dependabot: ci"
       labels:
           - dependencies
           - dependabot
@@ -45,7 +45,7 @@ updates:
       schedule:
           interval: "weekly"
       commit-message:
-          prefix: "build"
+          prefix: ":dependabot: build"
           include: "scope"
       labels:
           - dependencies

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,7 +10,8 @@ on:
         branches: [ "master" ]
 
 jobs:
-    codeql-analysis:
+    codeql:
+        if: github.actor != 'dependabot[bot]' && github.actor != 'protected-auto-commits[bot]'
         name: Analyze (${{ matrix.language }})
         runs-on: ubuntu-latest
         permissions:
@@ -53,7 +54,7 @@ jobs:
     pylint:
         name: Pylint
         runs-on: ubuntu-latest
-        needs: codeql-analysis
+        needs: codeql
         steps:
           - name: Checkout Code
             uses: actions/checkout@v4
@@ -87,6 +88,7 @@ jobs:
 
     sast_scan: # Static Application Security Testing
         name: Run Bandit Scan
+        needs: pylint
         runs-on: ubuntu-latest
 
         steps:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,9 +14,9 @@ on:
 
 jobs:
     release:
+        if: github.actor != 'dependabot[bot]' && github.actor != 'protected-auto-commits[bot]' && github.repository == 'nicconike/steam-stats'
         runs-on: ubuntu-latest
         concurrency: release
-        if: github.repository == 'nicconike/steam-stats'
         permissions:
             id-token: write
             contents: write

diff --git a/.github/workflows/steam-stats.yml b/.github/workflows/steam-stats.yml
@@ -17,6 +17,7 @@ on:
 
 jobs:
     update-readme:
+        if: github.actor != 'dependabot[bot]' && github.actor != 'protected-auto-commits[bot]'
         name: Steam Stats
         runs-on: ubuntu-latest
         container:

diff --git a/requirements.txt → api/requirements.txt b/requirements.txt → api/requirements.txt