diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f816cc8..6319323 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -12,7 +12,7 @@ on:
workflow_dispatch:
jobs:
- zap_scan: # https://github.com/zaproxy/action-full-scan
+ zap_scan:
runs-on: ubuntu-latest
name: Scan Production Site
steps:
@@ -21,15 +21,25 @@ jobs:
run: |
echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
- - name: Checkout Main Branch for .zap/rules.tsv
+ - name: Checkout Repo for .zap/rules.tsv
uses: actions/checkout@v4
with:
- ref: 'main'
+ ref: main
- - name: ZAP Scan
+ - name: ZAP Full Scan
+ # https://github.com/zaproxy/action-full-scan
uses: zaproxy/action-full-scan@v0.7.0
with:
target: 'https://chitchatter.im/'
rules_file_name: '.zap/rules.tsv'
issue_title: 'Security Report - ${{ steps.set-now.outputs.NOW }}'
artifact_name: 'zap_scan_${{ steps.set-now.outputs.NOW }}'
+
+ - name: Add Security Label to Security Report - ${{ steps.set-now.outputs.NOW }}
+ # https://github.com/actions-ecosystem/action-add-labels
+ uses: actions-ecosystem/action-add-labels@v1
+ if: ${{ startsWith('Security Report - ${{ steps.set-now.outputs.NOW }}', '/add-labels')}}
+ with:
+ labels: |
+ security
+ reports
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
index a4406f6..28750bc 100644
--- a/.zap/rules.tsv
+++ b/.zap/rules.tsv
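Review bot: The `if:` on the new "Add Security Label" step can never be true, so the labelling step is dead code: `${{ }}` cannot be nested inside an expression, and even if the inner reference were inlined, `startsWith('Security Report - …', '/add-labels')` tests a title that begins with "Security Report" against the prefix "/add-labels" — whether the runner rejects the nested `${{` or treats it as literal text, the step never runs. Drop the condition entirely and give the action what it needs to locate the issue on a scheduled/dispatch run, where there is no issue in the event context: `github_token: ${{ secrets.GITHUB_TOKEN }}` plus a `number:` input; the ZAP step in this hunk does not visibly expose the number of the issue it creates, so this may need a lookup by `issue_title` first (verify against the action's documented outputs). The job will also need `permissions: issues: write` (not visible in this hunk) for the label call to succeed. Both third-party actions here, `zaproxy/action-full-scan@v0.7.0` and `actions-ecosystem/action-add-labels@v1`, are pinned to mutable tags in a job that holds a write-capable token; pin them to full commit SHAs so a re-tagged release cannot run arbitrary code with it.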
@@ -1,8 +1,8 @@
-10020 IGNORE (Missing Anti-clickjacking Header)
-10021 IGNORE (X-Content-Type-Options Header Missing)
-10035 IGNORE (Strict-Transport-Security Header Not Set)
-10038 IGNORE (Content Security Policy (CSP) Header Not Set)
-10063 IGNORE (Permissions Policy Header Not Set)
-10096 IGNORE (Timestamp Disclosure - Unix)
-10098 IGNORE (Cross-Domain Misconfiguration)
-40040 IGNORE (CORS Misconfiguration)
+10020 IGNORE (Missing Anti-clickjacking Header)
+10021 IGNORE (X-Content-Type-Options Header Missing)
+10035 IGNORE (Strict-Transport-Security Header Not Set)
+10038 IGNORE (Content Security Policy (CSP) Header Not Set)
+10063 IGNORE (Permissions Policy Header Not Set)
+10096 IGNORE (Timestamp Disclosure - Unix)
+10098 IGNORE (Cross-Domain Misconfiguration)
+40040 IGNORE (CORS Misconfiguration)
\ No newline at end of file
diff --git a/README.md b/README.md
index 21ae615..39e5c1f 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,7 @@ Open https://chitchatter.im/ and join a room to start chatting with anyone else
## Why another chat app?
-There is no shortage of user-friendly chat apps available, but they rely on a central service to facilitate communication. It is difficult to trust these central services, as commercial interests and [government pressure](https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion) can compel service operators to work against the best interest of the users. Even when user data is handled in good faith by service operators, the possibility remains that [encrypted data held at rest may be decrypted](https://www.cbsnews.com/news/fbi-may-have-found-way-to-unlock-san-bernardino-shooters-iphone/) against the user's will.
+There is no shortage of user-friendly chat apps available, but they rely on a central service to facilitate communication. It is difficult to trust these central services, as commercial interests and [government pressure](https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion) can compel service operators to work against the best interest of the users. Even when user data is handled in good faith by service operators, the possibility remains that [encrypted data held at rest may be decrypted](https://www.cbsnews.com/news/fbi-may-have-found-way-to-unlock-san-bernardino-shooters-iphone/) against the user's will. Chitchatter designs around these risks with a [web meshe architecture](https://dev.to/jeremyckahn/taking-the-power-back-with-web-meshes-omg). There is no central service operator that stores or potentially mishandles communication data. Some services are required to establish an initial connection between peers, but otherwise the app uses direct peer-to-peer communication for everything.
Any services that are used by Chitchatter have no association with the project and are publicly available for all to use.
@@ -231,6 +231,10 @@ Chitchatter works on iOS Safari, but browser-level bugs often prevent peers from
Per [#36](https://github.com/jeremyckahn/chitchatter/issues/36), check your `about:config` settings and ensure that `media.peerconnection.enabled` is **enabled**.
+##### Security
+
+Chitchatter undergoes [weekly security audits](https://github.com/jeremyckahn/chitchatter/blob/develop/.github/workflows/security.yml) to identify and address potential vulnerabilities. Reports from all audits can be found in [the **Issues** section filtered by the `security` label](https://github.com/jeremyckahn/chitchatter/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity).
+
### Contributors