forked from Shiloh/remnantchat
Add Security Label to Security Report (#199)
This commit is contained in:
parent
3a97ee2cbf
commit
a3c7e93cdb
18
.github/workflows/security.yml
vendored
18
.github/workflows/security.yml
vendored
@ -12,7 +12,7 @@ on:
|
|||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
zap_scan: # https://github.com/zaproxy/action-full-scan
|
zap_scan:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
name: Scan Production Site
|
name: Scan Production Site
|
||||||
steps:
|
steps:
|
||||||
@ -21,15 +21,25 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
|
echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
- name: Checkout Main Branch for .zap/rules.tsv
|
- name: Checkout Repo for .zap/rules.tsv
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
ref: 'main'
|
ref: main
|
||||||
|
|
||||||
- name: ZAP Scan
|
- name: ZAP Full Scan
|
||||||
|
# https://github.com/zaproxy/action-full-scan
|
||||||
uses: zaproxy/action-full-scan@v0.7.0
|
uses: zaproxy/action-full-scan@v0.7.0
|
||||||
with:
|
with:
|
||||||
target: 'https://chitchatter.im/'
|
target: 'https://chitchatter.im/'
|
||||||
rules_file_name: '.zap/rules.tsv'
|
rules_file_name: '.zap/rules.tsv'
|
||||||
issue_title: 'Security Report - ${{ steps.set-now.outputs.NOW }}'
|
issue_title: 'Security Report - ${{ steps.set-now.outputs.NOW }}'
|
||||||
artifact_name: 'zap_scan_${{ steps.set-now.outputs.NOW }}'
|
artifact_name: 'zap_scan_${{ steps.set-now.outputs.NOW }}'
|
||||||
|
|
||||||
|
- name: Add Security Label to Security Report - ${{ steps.set-now.outputs.NOW }}
|
||||||
|
# https://github.com/actions-ecosystem/action-add-labels
|
||||||
|
uses: actions-ecosystem/action-add-labels@v1
|
||||||
|
if: ${{ startsWith('Security Report - ${{ steps.set-now.outputs.NOW }}', '/add-labels')}}
|
||||||
|
with:
|
||||||
|
labels: |
|
||||||
|
security
|
||||||
|
reports
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
10020 IGNORE (Missing Anti-clickjacking Header)
|
10020 IGNORE (Missing Anti-clickjacking Header)
|
||||||
10021 IGNORE (X-Content-Type-Options Header Missing)
|
10021 IGNORE (X-Content-Type-Options Header Missing)
|
||||||
10035 IGNORE (Strict-Transport-Security Header Not Set)
|
10035 IGNORE (Strict-Transport-Security Header Not Set)
|
||||||
10038 IGNORE (Content Security Policy (CSP) Header Not Set)
|
10038 IGNORE (Content Security Policy (CSP) Header Not Set)
|
||||||
10063 IGNORE (Permissions Policy Header Not Set)
|
10063 IGNORE (Permissions Policy Header Not Set)
|
||||||
10096 IGNORE (Timestamp Disclosure - Unix)
|
10096 IGNORE (Timestamp Disclosure - Unix)
|
||||||
10098 IGNORE (Cross-Domain Misconfiguration)
|
10098 IGNORE (Cross-Domain Misconfiguration)
|
||||||
40040 IGNORE (CORS Misconfiguration)
|
40040 IGNORE (CORS Misconfiguration)
|
|
@ -52,7 +52,7 @@ Open https://chitchatter.im/ and join a room to start chatting with anyone else
|
|||||||
|
|
||||||
## Why another chat app?
|
## Why another chat app?
|
||||||
|
|
||||||
There is no shortage of user-friendly chat apps available, but they rely on a central service to facilitate communication. It is difficult to trust these central services, as commercial interests and [government pressure](https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion) can compel service operators to work against the best interest of the users. Even when user data is handled in good faith by service operators, the possibility remains that [encrypted data held at rest may be decrypted](https://www.cbsnews.com/news/fbi-may-have-found-way-to-unlock-san-bernardino-shooters-iphone/) against the user's will.
|
There is no shortage of user-friendly chat apps available, but they rely on a central service to facilitate communication. It is difficult to trust these central services, as commercial interests and [government pressure](https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion) can compel service operators to work against the best interest of the users. Even when user data is handled in good faith by service operators, the possibility remains that [encrypted data held at rest may be decrypted](https://www.cbsnews.com/news/fbi-may-have-found-way-to-unlock-san-bernardino-shooters-iphone/) against the user's will.
|
||||||
|
|
||||||
Chitchatter designs around these risks with a [web meshe architecture](https://dev.to/jeremyckahn/taking-the-power-back-with-web-meshes-omg). There is no central service operator that stores or potentially mishandles communication data. Some services are required to establish an initial connection between peers, but otherwise the app uses direct peer-to-peer communication for everything. Any services that are used by Chitchatter have no association with the project and are publicly available for all to use.
|
Chitchatter designs around these risks with a [web meshe architecture](https://dev.to/jeremyckahn/taking-the-power-back-with-web-meshes-omg). There is no central service operator that stores or potentially mishandles communication data. Some services are required to establish an initial connection between peers, but otherwise the app uses direct peer-to-peer communication for everything. Any services that are used by Chitchatter have no association with the project and are publicly available for all to use.
|
||||||
|
|
||||||
@ -231,6 +231,10 @@ Chitchatter works on iOS Safari, but browser-level bugs often prevent peers from
|
|||||||
|
|
||||||
Per [#36](https://github.com/jeremyckahn/chitchatter/issues/36), check your `about:config` settings and ensure that `media.peerconnection.enabled` is **enabled**.
|
Per [#36](https://github.com/jeremyckahn/chitchatter/issues/36), check your `about:config` settings and ensure that `media.peerconnection.enabled` is **enabled**.
|
||||||
|
|
||||||
|
##### Security
|
||||||
|
|
||||||
|
Chitchatter undergoes [weekly security audits](https://github.com/jeremyckahn/chitchatter/blob/develop/.github/workflows/security.yml) to identify and address potential vulnerabilities. Reports from all audits can be found in [the **Issues** section filtered by the `security` label](https://github.com/jeremyckahn/chitchatter/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity).
|
||||||
|
|
||||||
### Contributors
|
### Contributors
|
||||||
|
|
||||||
<p align="center">
|
<p align="center">
|
||||||
|
Loading…
Reference in New Issue
Block a user