Archived

This repository has been archived on 2024-09-09. You can view files and clone it, but cannot push or open issues or pull requests.

Asher a9eb923790

Remove unused audit-ci dependency

There is a `yarn ci` script which was using audit-ci but this does not
appear to be called anywhere.

The security worflow uses `yarn audit` and `npm audit` which seem fine
enough anyway.

2024-07-10 13:23:24 -08:00

1.5 KiB

Raw Blame History

Security Policy

Coder and the code-server team want to keep the code-server project secure and safe for end-users.

Tools

We use the following tools to help us stay on top of vulnerability mitigation.

dependabot
- Submits pull requests to upgrade dependencies. We use dependabot's version upgrades as well as security updates.
code-scanning
- CodeQL
  - Semantic code analysis engine that runs on a regular schedule (see codeql-analysis.yml)
- trivy
  - Comprehensive vulnerability scanner that runs on PRs into the default branch and scans both our container image and repository code (see trivy-scan-repo and trivy-scan-image jobs in build.yaml)
yarn audit and npm audit
- Audits Yarn/NPM dependencies.

Supported Versions

Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.

Version	Supported
Latest	✅

Reporting a Vulnerability

To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.

1.5 KiB Raw Blame History

Security Policy

Tools

Supported Versions

Reporting a Vulnerability

1.5 KiB

Raw Blame History