98 ‐ Security
VoucherVault is developed with security in mind:
- Configuration and deployment management
- Version control via git (here GitHub)
- Adhering to Conventional Commits specification
- Automated changelogs, release notes and Docker image builds via CI
- Automated SAST scanning of Python code by Bandit via CI
- Secure initial admin user provisioning with an auto-generated password
- Proper implementation of authentication checks
- Proper implementation of authorization checks
- Proper implementation of session management
- Input and output validation tests + sanitizations
- Proper error handling
Additionally, the Django framework does a great job at preventing known OWASP Top 10 issues such as Cross-Site Scripting (XSS), SQL Injections (SQLi), Cross-Site Request Forgery (CSRF) and many more.
You may read more about Django's built-in protections here.
Moreover, a CI workflow task is executed that runs the Bandit SAST scanner against VoucherVault's Python code. If any security issue is identified, the Docker image build process won't be triggered at all.
This way, you should never receive a release or new Docker image with publicly known insecure Python code.
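The gating described above can be expressed as two dependent CI jobs. The following GitHub Actions workflow is an added illustration written for this page, not VoucherVault's own workflow file: it assumes a GitHub-hosted runner, Python sources in the repository root, a tests directory to exclude, and a Dockerfile at the repository root. The image build job declares the Bandit job as a dependency, so it is skipped whenever the scan reports a finding.

```yaml
# Added illustration, not VoucherVault's own workflow file.
# Assumes: GitHub Actions runner, Python sources under the repo root,
# a ./tests directory to exclude from scanning, and a Dockerfile at the root.
name: sast-gated-build

on:
  push:
    branches: [main]
  pull_request:

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install Bandit
        run: pip install bandit
      # -r recurses the source tree, -ll reports medium severity and above,
      # -x skips the test directory. Bandit exits non-zero when it reports
      # at least one finding, which fails this job.
      - name: Run Bandit SAST scan
        run: bandit -r . -ll -x ./tests

  docker-build:
    # needs: makes this job depend on the scan; if the bandit job fails,
    # this job is skipped and no image is produced from code with findings.
    needs: bandit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t vouchervault:ci .
```

The severity threshold (`-ll`) is the knob to tune: lowering it to `-l` also fails the build on low-severity findings, which catches more but produces more false positives to triage before a release can ship.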
Nonetheless, there is no 100% security.
If you find a security issue in VoucherVault, please contact us.
Caution
Please refrain from opening public GitHub issues with security details.
Just create a new issue with no details to get in touch.