If you discover a security vulnerability in this repository, please do not open a public issue. Instead, report it privately using GitHub's Private Vulnerability Reporting feature: Report a vulnerability
Fill in the details and submit. All reports are kept confidential.
For urgent matters, you may also contact byronawilliams@gmail.com.
We commit to acknowledging all vulnerability reports within 14 days of submission (typically within 5 business days).
- Acknowledgment: within 5 business days (no later than 14 days)
- Fix released: within 30 days of acknowledgment
- Emergency patch: sooner for critical severity
This project is currently pre-release. Only the latest commit on main receives
security fixes.
| Version | Status |
|---|---|
| main | Supported |
| older | Not supported |
This repository contains a security-master service for Portfolio Performance: a Python application that parses broker-supplied XML and CSV files, classifies securities via external APIs (OpenFIGI), and persists results in PostgreSQL 17.
Primary security concerns and mitigations:
- XML/broker-file parsing (supply-chain injection): All XML parsing uses
defusedxml; entity expansion and external DTD loading are disabled by default. - SQL injection: All database access uses SQLAlchemy ORM with parameterized queries; raw SQL is prohibited in production code paths.
- Supply-chain attacks via dependencies: Dependencies are pinned via
uv.lock; GitHub Actions are SHA-pinned; Renovate manages automated dependency updates. - Credential exposure: Secrets (API keys, database credentials) are loaded exclusively from environment variables. Secret scanning is active on every push via GitGuardian and GitHub secret scanning.
- Dependency CVEs:
pip-auditruns on every CI build. Accepted exceptions are documented indocs/known-vulnerabilities.mdwith a 60-day reassessment deadline. - Prompt injection (LLM tooling): Agent tooling treats external file content and GitHub issue bodies as untrusted data per OWASP LLM01 guidance.
- Static Analysis with CodeQL, Ruff, and Bandit
- Dependency Scanning with pip-audit on every CI run
- Secrets Detection with GitGuardian and GitHub secret scanning on every push
- Pinned GitHub Actions using immutable commit SHAs
- Request a CVE for issues rated Moderate or above.
- Draft and publish an advisory in the Security tab.
- Document in
docs/known-vulnerabilities.mduntil resolved. - Include remediation steps in release notes.
We follow coordinated disclosure principles. Once a fix is available, we will publish details in our Security Advisories page. If you wish to receive credit for responsibly disclosing a vulnerability, please let us know; otherwise credit will be anonymous.
Last updated: 2026-06-19