2021-04-16 23:57:40 +02:00
# Security Policy
2021-07-07 18:00:51 +02:00
Coder and the code-server team want to keep the code-server project secure and safe for end-users.
2021-05-04 23:49:38 +02:00
## Tools
2021-07-07 18:00:51 +02:00
We use the following tools to help us stay on top of vulnerability mitigation.
2021-05-04 23:49:38 +02:00
- [dependabot ](https://dependabot.com/ )
2021-07-07 18:00:51 +02:00
- Submits pull requests to upgrade dependencies. We use dependabot's version
upgrades as well as security updates.
2021-05-04 23:49:38 +02:00
- code-scanning
- [CodeQL ](https://securitylab.github.com/tools/codeql/ )
2021-07-07 18:00:51 +02:00
- Semantic code analysis engine that runs on a regular schedule (see
`codeql-analysis.yml` )
2021-05-04 23:49:38 +02:00
- [trivy ](https://github.com/aquasecurity/trivy )
2021-07-07 18:00:51 +02:00
- Comprehensive vulnerability scanner that runs on PRs into the default
branch and scans both our container image and repository code (see
2022-09-19 18:56:34 +02:00
`trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml` )
2021-05-04 23:49:38 +02:00
- [`audit-ci` ](https://github.com/IBM/audit-ci )
2021-07-07 18:00:51 +02:00
- Audits npm and Yarn dependencies in CI (see `Audit for vulnerabilities` step
2022-09-19 18:56:34 +02:00
in `build.yaml` ) on PRs into the default branch and fails CI if moderate or
2021-07-07 18:00:51 +02:00
higher vulnerabilities (see the `audit.sh` script) are present.
2021-05-04 23:49:38 +02:00
2021-04-16 23:57:40 +02:00
## Supported Versions
2021-07-07 18:00:51 +02:00
Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
2021-04-16 23:57:40 +02:00
2022-02-01 17:45:19 +01:00
| Version | Supported |
| ------------------------------------------------------- | ------------------ |
| [Latest ](https://github.com/coder/code-server/releases ) | :white_check_mark: |
2021-04-16 23:57:40 +02:00
## Reporting a Vulnerability
2021-07-07 18:00:51 +02:00
To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.