From bd8a344c407c04b776a1c3560d2276d500c7b252 Mon Sep 17 00:00:00 2001 From: Dave Black <656118+udlose@users.noreply.github.com> Date: Fri, 23 Jan 2026 23:06:09 -0600 Subject: [PATCH 1/2] #326 - Enhance Scorecard workflow permissions and badges Updated scorecard.yml to include recommended read permissions for private repos and set repo_token to use a fine-grained PAT for branch protection compatibility. Added OpenSSF Scorecard and Best Practices badges to README for improved security visibility. Reformatted contributor badge for clarity. --- .github/workflows/scorecard.yml | 11 ++++++++--- README.md | 5 ++++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4f4ac8aa..ca7aed27 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,8 +31,12 @@ jobs: # Needed to publish results and get a badge (see publish_results below). id-token: write # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read + # Recommended reads for private repos to avoid GraphQL/SAST gaps + contents: read + issues: read + pull-requests: read + checks: read + actions: read steps: - name: Harden the runner (Audit all outbound calls) @@ -54,7 +58,8 @@ jobs: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} + # Since we use Classic GitHub Branch Protection Rules, we need to use a fine-grained PAT. + repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers diff --git a/README.md b/README.md index 67cc1734..8bad7862 100644 --- a/README.md +++ b/README.md 
@@ -3,9 +3,12 @@ [![Release](https://img.shields.io/github/v/release/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/releases/latest) [![Build and Release](https://github.com/udlose/MermaidPad/actions/workflows/build-and-release.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/build-and-release.yml) [![CodeQL](https://github.com/udlose/MermaidPad/actions/workflows/codeql-main.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/codeql-main.yml) -[![OSSF Scorecard supply-chain security](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml)[![Contributors](https://img.shields.io/github/contributors/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/graphs/contributors) +[![OSSF Scorecard supply-chain security](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/udlose/MermaidPad/badge)](https://scorecard.dev/viewer/?uri=github.com/udlose/MermaidPad) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11823/badge)](https://www.bestpractices.dev/projects/11823) [![Stars](https://img.shields.io/github/stars/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/stargazers) [![Forks](https://img.shields.io/github/forks/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/network/members) +[![Contributors](https://img.shields.io/github/contributors/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/graphs/contributors) [![Issues](https://img.shields.io/github/issues/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/issues) [![Issues 
Closed](https://img.shields.io/github/issues-closed-raw/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/issues?q=is%3Aissue+is%3Aclosed) [![Top Language](https://img.shields.io/github/languages/top/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad) From e34cc112a23bb8de0ebd013934c9e8929840c532 Mon Sep 17 00:00:00 2001 From: Dave Black <656118+udlose@users.noreply.github.com> Date: Fri, 23 Jan 2026 23:08:01 -0600 Subject: [PATCH 2/2] #326 - Add security policy and WakaTime badge to README Added a WakaTime badge to the README for coding stats. Introduced a new Security section in the README with responsible disclosure instructions, and added SECURITY.md detailing supported versions, vulnerability reporting, and disclosure policy. --- README.md | 9 +++++++++ SECURITY.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 8bad7862..a56a74e6 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ [![Top Language](https://img.shields.io/github/languages/top/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad) [![Last Commit](https://img.shields.io/github/last-commit/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/commits/main) [![License](https://img.shields.io/github/license/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/blob/main/LICENSE.TXT) +[![wakatime](https://wakatime.com/badge/github/udlose/MermaidPad.svg)](https://wakatime.com/badge/github/udlose/MermaidPad) --- 
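Review bot: in the scorecard.yml permissions hunk, the line "# Uncomment the permissions below if installing in a private repository." is kept while the lines beneath it are now uncommented, and the new comment "Recommended reads for private repos" contradicts the README hunk in the same patch, which links this repository to the public scorecard.dev viewer. Either remove the stale comment and state why a public repository grants `issues: read`, `pull-requests: read` and `checks: read` to the job's GITHUB_TOKEN, or keep the block commented as the upstream template intends; for a public repo the hunk's own comment implies these scopes are not needed, and the workflow token should carry only what the check requires.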
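Review bot: in the scorecard.yml repo_token hunk, `repo_token: ${{ secrets.SCORECARD_TOKEN }}` is now unconditional, so the job depends on that secret being present, while the retained comment above still says the PAT is only required to enable Branch-Protection on a public repository or when installing on a private one. The new comment "Since we use Classic GitHub Branch Protection Rules, we need to use a fine-grained PAT." should say which of those two cases applies and list the permissions the fine-grained PAT was created with (per the linked scorecard-action authentication section) so a reviewer can confirm it is read-only and scoped to this repository; fine-grained PATs also expire, so note where the secret's rotation is tracked.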
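Review bot: in the README badge hunk of the first patch, the new `api.scorecard.dev` badge and its scorecard.dev viewer link only show a score once the workflow publishes results (the scorecard.yml comment reads "Needed to publish results and get a badge (see publish_results below)"), so confirm `publish_results` is enabled in that workflow before merging, and confirm that bestpractices.dev project 11823 is this project's entry. Minor: the README now carries two badges that both read "Scorecard" (the Actions workflow-status badge and the scorecard.dev score badge); give them distinct labels since they report different things.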
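Review bot: in the second patch's README badge hunk, the WakaTime badge is unrelated to the security policy this commit introduces; moving it to its own commit keeps the security change reviewable on its own, and it also adds one more third-party image load to the README, which is worth a deliberate decision rather than an incidental one.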
@@ -1088,6 +1089,14 @@ Also, please review our [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) to understand c --- +## Security + +If you discover a security vulnerability in MermaidPad, please follow our [Security Policy](SECURITY.md) for responsible disclosure. **Do not** open public issues for security vulnerabilities. + +For more details, see [SECURITY.md](SECURITY.md). + +--- + ## License This project is licensed under the [MIT License](https://github.com/udlose/MermaidPad/blob/main/LICENSE). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..2c6c455a --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,47 @@ +# Security Policy + +## Supported Versions + +This project is maintained on a best-effort basis. + +- Supported: The latest release and the `main` branch. +- Unsupported: Older releases may not receive security fixes. + +If you are unsure whether your version is supported, please report the issue anyway. + +## Reporting a Vulnerability + +Please **do not** open a public GitHub issue for security vulnerabilities. + +Instead, use GitHub **Private Vulnerability Reporting**: + +1. Go to this repository’s **Security** tab. +2. Select **Advisories**. +3. Click **Report a vulnerability** and fill out the form. + +You will typically receive an initial response within **7 days**. + +## What to Include + +To help triage quickly, please include: + +- Affected version(s) and OS (Windows/macOS/Linux). +- Steps to reproduce and/or proof-of-concept code. +- Impact assessment (what an attacker can do). +- Any suggested fix or mitigation (if you have one). + +## Disclosure Policy + +This project follows responsible disclosure: + +- Please allow reasonable time to investigate and patch before public disclosure. +- If the issue is confirmed, a fix will be developed and released as soon as practical. +- Once a fix is available, a public advisory/release notes entry may be published describing the issue and mitigation. + +## Security Updates + +Security fixes will be released as normal GitHub Releases and documented in release notes when possible. + +## Non-Security Bugs + +For non-security bugs and feature requests, please open a standard GitHub issue.
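Review bot: in the README "## Security" hunk, the sentence "For more details, see [SECURITY.md](SECURITY.md)." repeats the link given in the sentence directly above it; one link is enough. It would help to name the reporting channel here as well (GitHub Private Vulnerability Reporting via the repository's Security tab, as SECURITY.md describes), so a reader who stops at the README knows the expected route and not just what to avoid.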
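Review bot: in the SECURITY.md hunk, step 3 ("Click **Report a vulnerability** and fill out the form.") only works if Private Vulnerability Reporting is enabled in the repository's settings; confirm it is enabled before this merges, and add a fallback contact for the case where the button is not available, since the policy otherwise leaves a reporter with no channel after telling them not to open an issue. Under "## Disclosure Policy", "Please allow reasonable time" gives no concrete window; stating a target (for example a fixed number of days from acknowledgement) sets expectations for both sides and pairs naturally with the "within **7 days**" response commitment already made above.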