Security Policy
===============

Reporting Security Issues
-------------------------

If you discover a security vulnerability in OE Python Template Example, please report it here.

We take all security reports seriously. Upon receiving a security report, we will:

- Confirm receipt of the vulnerability report
- Investigate the issue
- Work on a fix
- Release a security update
Supported Versions
------------------

We currently provide security updates for the latest minor version.
Automated Security Analysis
---------------------------

OE Python Template Example employs several automated tools to continuously monitor and improve security:

1. Vulnerability Scanning
~~~~~~~~~~~~~~~~~~~~~~~~~

- `GitHub Dependabot <https://github.com/dependabot>`_: Monitors dependencies for vulnerabilities pre and post release on GitHub. Dependabot alerts published.
- `Renovate <https://www.mend.io/renovate/>`_: Monitors dependencies for vulnerabilities pre and post release on GitHub. Dependency Dashboard published.
- `pip-audit <https://pypi.org/project/pip-audit/>`_: Pre-commit to GitHub scans Python dependencies for known vulnerabilities using data from the Python Advisory Database. vulnerabilities.json published per release.
- `trivy <https://trivy.dev/latest/>`_: Pre-commit to GitHub scans Python dependencies for known vulnerabilities using data from the GitHub Advisory Database and OSV.dev. sbom.spdx published per release.
2. License Compliance Checks and Software Bill of Materials (SBOM)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a. `pip-licenses <https://pypi.org/project/pip-licenses/>`_: Inspects the licenses of all dependencies and matches them against an allow list, to ensure compliance with licensing requirements and avoid using components with problematic licenses. licenses.csv, licenses.json and licenses_grouped.json published per release.
b. `cyclonedx-py <https://github.com/CycloneDX/cyclonedx-python>`_: Generates a Software Bill of Materials (SBOM) in CycloneDX format, listing all components and dependencies used in the project. sbom.json published per release.
c. `trivy <https://trivy.dev/latest/>`_: Generates a Software Bill of Materials (SBOM) in SPDX format, listing all components and dependencies used in the project. sbom.spdx published per release.
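As an added illustration of the allow-list matching described for pip-licenses (example code written for this page, not part of OE Python Template Example), the check below reads a pip-licenses JSON report and reports every package whose license falls outside an allow list. The allow list is an assumed policy, the report shape (``Name``/``Version``/``License`` keys, multiple licenses joined with ``"; "``) is assumed from pip-licenses' JSON output, and the sample report is constructed.

```python
import json
import sys
from pathlib import Path

# Assumed allow list for illustration (not the project's actual policy). Matching
# is exact on the classifier string, so every accepted variant must be listed.
ALLOWED_LICENSES = frozenset({
    "MIT License", "BSD License", "Apache Software License",
    "Python Software Foundation License",
})

# Constructed sample in the shape `pip-licenses --format=json` emits
# (Name/Version/License keys; several classifiers joined with "; ").
SAMPLE_REPORT = json.dumps([
    {"Name": "requests", "Version": "2.32.3", "License": "Apache Software License"},
    {"Name": "cryptography", "Version": "43.0.1",
     "License": "Apache Software License; BSD License"},
    {"Name": "somepkg", "Version": "1.0.0", "License": "UNKNOWN"},
    {"Name": "copyleft-lib", "Version": "0.9",
     "License": "GNU General Public License v3 (GPLv3)"},
])


def split_licenses(field: str) -> list[str]:
    """Split the 'A; B' form pip-licenses uses for multi-licensed packages."""
    return [part.strip() for part in field.split(";") if part.strip()]


def check_licenses(report_json: str, allowed=ALLOWED_LICENSES) -> list[tuple[str, str, str]]:
    """Return (name, version, license) for each package the allow list does not cover."""
    violations = []
    for pkg in json.loads(report_json):
        raw = pkg.get("License", "UNKNOWN")
        # Dual-licensed packages pass if any listed license is allowed; 'UNKNOWN'
        # or an empty field never matches, so missing metadata gets reported.
        if not any(lic in allowed for lic in split_licenses(raw)):
            violations.append((pkg["Name"], pkg["Version"], raw))
    return violations


if __name__ == "__main__":
    # Pass a saved pip-licenses JSON report as argv[1]; otherwise use the sample.
    source = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_REPORT
    bad = check_licenses(source)
    for name, version, lic in bad:
        print(f"DISALLOWED {name}=={version}: {lic}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status lets the same script act as a release gate in CI, run against the output of ``pip-licenses --format=json`` for the built environment.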
3. Static Code Analysis
~~~~~~~~~~~~~~~~~~~~~~~

- `GitHub CodeQL <https://codeql.github.com/>`_: Analyzes code for common vulnerabilities and coding errors using GitHub's semantic code analysis engine. Code scanning results published.
- `SonarQube <https://www.sonarsource.com/products/sonarcloud/>`_: Performs comprehensive static code analysis to detect code quality issues, security vulnerabilities, and bugs. Security hotspots published.

4. Secret Detection
~~~~~~~~~~~~~~~~~~~

- `GitHub Secret scanning <https://docs.github.com/en/code-security/secret-scanning/introduction/about-secret-scanning>`_: Automatically scans for secrets in the codebase and alerts if any are found. Secret scanning alerts published.
- `Yelp/detect-secrets <https://github.com/Yelp/detect-secrets>`_: Pre-commit hook and automated scanning to prevent accidental inclusion of secrets or sensitive information in commits. Pre-commit hook published.
Security Best Practices
-----------------------

We follow these security best practices:

- Regular dependency updates
- Comprehensive test coverage
- Code review process for changes by external contributors
- Automated CI/CD pipelines including security checks
- Adherence to Python security best practices

We promote security awareness among contributors and users:

- Our code style guide names security as a priority; following it is mandatory for human and agentic contributors alike.
- We publish our security posture in SECURITY.md (this document), encouraging users to report vulnerabilities.
Security Compliance
-------------------

For questions about security compliance or for more details about our security practices, please contact helmuthva@gmail.com.