code-server/docs/SECURITY.md

# Security Policy

Coder and the code-server team want to keep the code-server project secure and safe for end-users.

## Tools

We use the following tools to help us stay on top of vulnerability mitigation.

- [dependabot](https://dependabot.com/)
  - Submits pull requests to upgrade dependencies. We use dependabot's version
    upgrades as well as security updates.
- code-scanning
  - [CodeQL](https://securitylab.github.com/tools/codeql/)
    - Semantic code analysis engine that runs on a regular schedule (see
      `codeql-analysis.yml`)
  - [trivy](https://github.com/aquasecurity/trivy)
    - Comprehensive vulnerability scanner that runs on PRs into the default
      branch and scans both our container image and repository code (see
      `trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
- `npm audit`
  - Audits NPM dependencies.

## Supported Versions

Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.

| Version                                                 | Supported          |
| ------------------------------------------------------- | ------------------ |
| [Latest](https://github.com/coder/code-server/releases) | :white_check_mark: |

## Reporting a Vulnerability

To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.
Create SECURITY.md 2021-04-17 00:57:40 +03:00			`# Security Policy`

refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`Coder and the code-server team want to keep the code-server project secure and safe for end-users.`
docs(security): add section for tools 2021-05-05 00:49:38 +03:00
			`## Tools`

refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`We use the following tools to help us stay on top of vulnerability mitigation.`
docs(security): add section for tools 2021-05-05 00:49:38 +03:00
			`- [dependabot](https://dependabot.com/)`
refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`- Submits pull requests to upgrade dependencies. We use dependabot's version`
			`upgrades as well as security updates.`
docs(security): add section for tools 2021-05-05 00:49:38 +03:00			`- code-scanning`
			`- [CodeQL](https://securitylab.github.com/tools/codeql/)`
refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`- Semantic code analysis engine that runs on a regular schedule (see`
			`codeql-analysis.yml`)
docs(security): add section for tools 2021-05-05 00:49:38 +03:00			`- [trivy](https://github.com/aquasecurity/trivy)`
refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`- Comprehensive vulnerability scanner that runs on PRs into the default`
			`branch and scans both our container image and repository code (see`
refactor(ci): fix fetch-depth and add some caching (#5563) * refactor: rename ci -> build.yaml * feat: add build.yaml * feat: add node caching to platform jobs * trigger ci 2022-09-19 19:56:34 +03:00			`trivy-scan-repo` and `trivy-scan-image` jobs in `build.yaml`)
Update Code to 1.94.2 (#7026) * Update Code to 1.94.2 * Convert from yarn to npm This is to match VS Code. We were already partially using npm for the releases so this is some nice alignment. * Update caniuse-lite This was complaining on every unit test. * Update eslint I was having a bunch of dependency conflicts and eslint seemed to be the culprit so I just removed it and set it up again, since it seems things have changed quite a bit. * Update test dependencies I was getting oom when running the unit tests...updating seems to work. * Remove package.json `scripts` property in release The new pre-install script was being included, which is dev-only. This was always the intent; did not realize jq's merge was recursive. * Remove jest and devDependencies in release as well * Update test extension dependencies This appears to be conflicting with the root dependencies. * Fix playwright exec npm does not let you run binaries like yarn does, as far as I know. * Fix import of server-main.js * Fix several tests by waiting for selectors 2024-10-18 07:31:28 +03:00			- `npm audit`
			`- Audits NPM dependencies.`
docs(security): add section for tools 2021-05-05 00:49:38 +03:00
Create SECURITY.md 2021-04-17 00:57:40 +03:00			`## Supported Versions`

refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.`
Create SECURITY.md 2021-04-17 00:57:40 +03:00
docs: Update some more links (#4806) * Update links in package.json I will try checking the docs too * docs: Update links in triage.md * docs: Update links in npm.md * docs: Update links in whatever files that have `cdr` * Replace globally, thanks @bpmct! * fix: coderer instead of coder I should've used all three toggles in the Search/Replace tab in the GItHub.dev editor. * Code Formatting 2022-02-01 19:45:19 +03:00			`\| Version \| Supported \|`
			`\| ------------------------------------------------------- \| ------------------ \|`
			`\| [Latest](https://github.com/coder/code-server/releases) \| :white_check_mark: \|`
Create SECURITY.md 2021-04-17 00:57:40 +03:00
			`## Reporting a Vulnerability`

refactor(docs): clean up and restructure 2021-07-07 19:00:51 +03:00			`To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.`