Add comprehensive security documentation and automation

claude · claude · commit 780cc2fa6931 · 2025-11-07T02:39:39.000Z
This commit addresses security concerns identified during code review
by establishing proper security policies and automated monitoring.

## New Security Infrastructure

### SECURITY.md
- Establishes vulnerability reporting process
- Documents security best practices for users
- Outlines supported versions and disclosure policy
- Provides security hardening recommendations
- Lists security considerations for development

### Dependabot Configuration
- Automated weekly dependency updates
- Separate configs for Cargo and GitHub Actions
- Grouped minor/patch updates for easier review
- Automatic labeling and assignment
- Reduces time to address vulnerabilities

### Security Maintenance Guide
- Step-by-step instructions for addressing vulnerabilities
- Commands for cargo audit, update, and outdated
- Detailed vulnerability resolution workflow
- Testing procedures after updates
- Rollback strategy for problematic updates
- Prevention and monitoring best practices

## Documentation Updates

### README.md
- Added Security section with quick reference
- Links to SECURITY.md for full policy
- Included cargo audit/update commands
- Updated Contributing section to reference CONTRIBUTING.md

### CHANGELOG.md
- Documented all security-related additions
- Added Security section noting current vulnerabilities
- Tracks new files and configurations

## Current Security Status

GitHub has identified 5 dependency vulnerabilities:
- 1 high severity
- 3 moderate severity
- 1 low severity

Note: cargo update cannot be run in this environment due to network
restrictions, but the documentation provides clear instructions for
users and maintainers to address these issues.

## Automated Security

- Dependabot will now create weekly PRs for updates
- Security vulnerabilities will be flagged immediately
- GitHub Actions updates will be automated
- Reduces manual maintenance burden

This establishes a robust security posture for the project going forward.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,44 @@
+version: 2
+updates:
+  # Enable Cargo dependency updates
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "osteele"
+    labels:
+      - "dependencies"
+      - "automated"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    # Group minor and patch updates together
+    groups:
+      minor-and-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Enable GitHub Actions updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "osteele"
+    labels:
+      - "dependencies"
+      - "github-actions"
+      - "automated"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,13 +17,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - FILE_SETTLE_DURATION constant for file modification debounce delay
 - CONTRIBUTING.md with comprehensive contribution guidelines
 - CHANGELOG.md to track version history
+- SECURITY.md with security policy and vulnerability reporting process
+- Dependabot configuration for automated dependency updates
+- Security maintenance documentation in docs/security-maintenance.md
+- Security section in README.md with dependency update instructions
 - Better error context messages throughout the codebase
 
 ### Fixed
 - Removed panic-prone unwrap() calls in terminal raw mode operations
 - Improved graceful error handling for keyboard and file system events
 - Fixed potential crashes in watch loop when terminal mode fails
 
+### Security
+- Established security policy for vulnerability reporting
+- Added automated dependency scanning via Dependabot
+- Documented security maintenance procedures
+- Note: GitHub identified 5 dependency vulnerabilities (1 high, 3 moderate, 1 low)
+  Users should run `cargo update` to address these issues
+
 ## [0.1.3] - 2024-XX-XX
 
 ### Changed
diff --git a/README.md b/README.md
@@ -282,10 +282,22 @@ Make sure Inkscape is installed and accessible. Download from:
 2. Check that ink/stitch is properly installed
 3. Try converting the file manually in Inkscape to verify it works
 
+## Security
+
+For information about security vulnerabilities and how to report them, please see our [Security Policy](SECURITY.md).
+
+To update dependencies and address security issues:
+```bash
+cargo install cargo-audit
+cargo audit
+cargo update
+```
+
 ## Contributing
 
-Contributions are welcome! Developer documentation is available in the [docs/] directory.
-Please feel free to submit a Pull Request.
+Contributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+Developer documentation is available in the [docs/] directory.
 
 [docs/]: https://github.com/osteele/stitch-sync/tree/main/docs
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,126 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | :white_check_mark: |
+| < 0.1   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Stitch-sync, please report it by:
+
+1. **DO NOT** open a public issue
+2. Email the maintainer at: steele@osteele.com
+3. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+You should receive a response within 48 hours. If the vulnerability is accepted, we will:
+- Work on a fix and release a patch as soon as possible
+- Credit you in the release notes (unless you prefer to remain anonymous)
+- Notify you when the fix is released
+
+## Known Security Considerations
+
+### Dependency Vulnerabilities
+
+GitHub Dependabot has identified vulnerabilities in some dependencies. To check and update:
+
+```bash
+# Install cargo-audit for vulnerability scanning
+cargo install cargo-audit
+
+# Scan for vulnerabilities
+cargo audit
+
+# Update dependencies to latest compatible versions
+cargo update
+
+# Check for outdated dependencies
+cargo outdated
+```
+
+### Security Best Practices
+
+When using Stitch-sync:
+
+1. **File Path Validation**: The application sanitizes filenames but always review files before processing
+2. **USB Drive Access**: The tool requires access to USB drives - ensure you trust the embroidery files being processed
+3. **Inkscape Integration**: Files are processed through Inkscape/Ink/Stitch - keep these tools updated
+4. **Network Access**: The self-update feature downloads binaries from GitHub - ensure you're on a trusted network
+
+### Command Execution
+
+Stitch-sync executes external commands (Inkscape, diskutil, etc.). Key security measures:
+
+1. **No User Input in Commands**: Paths are validated and sanitized before use
+2. **Whitelist Approach**: Only predefined commands are executed
+3. **Error Handling**: Failed commands don't expose sensitive information
+
+### File Operations
+
+1. **Filename Sanitization**: Non-alphanumeric characters are converted to hyphens
+2. **Path Validation**: Directory traversal attempts are prevented
+3. **Extension Validation**: Only known embroidery formats are processed
+
+## Security Hardening Recommendations
+
+For production use, consider:
+
+1. **Run with Minimal Permissions**: Don't run as root/administrator unless necessary
+2. **Isolate Watch Directories**: Use dedicated directories for embroidery files
+3. **Verify File Sources**: Only process files from trusted sources
+4. **Keep Dependencies Updated**: Regularly run `cargo update` and `cargo audit`
+5. **Monitor USB Devices**: Be aware of which USB drives are mounted
+
+## Development Security
+
+For contributors:
+
+1. **Review Dependencies**: Check new dependencies with `cargo audit`
+2. **Avoid Unsafe Code**: Use unsafe blocks only when absolutely necessary and document thoroughly
+3. **Input Validation**: Always validate external input (files, paths, user input)
+4. **Error Messages**: Don't expose sensitive information in error messages
+5. **Testing**: Include security test cases for path handling and command execution
+
+## Automated Security
+
+This project uses:
+
+- **GitHub Dependabot**: Automated dependency vulnerability scanning
+- **Cargo Clippy**: Linting for common security issues
+- **GitHub Actions**: CI/CD with security checks
+
+## Regular Maintenance Tasks
+
+Maintainers should:
+
+1. Review and merge Dependabot PRs promptly
+2. Run `cargo audit` before each release
+3. Update dependencies monthly with `cargo update`
+4. Monitor GitHub Security Advisories
+5. Review code for unsafe patterns during PR reviews
+
+## Disclosure Policy
+
+When a vulnerability is fixed:
+
+1. Release a patch version immediately
+2. Update CHANGELOG.md with security fix details
+3. Credit the reporter (with permission)
+4. Notify users through GitHub releases
+5. Consider creating a GitHub Security Advisory for severe vulnerabilities
+
+## Contact
+
+For security concerns, contact: steele@osteele.com
+
+For general issues, use: https://github.com/osteele/stitch-sync/issues
+
+Thank you for helping keep Stitch-sync secure!
diff --git a/docs/security-maintenance.md b/docs/security-maintenance.md
