| Version | Supported |
|---|---|
| main | ✅ |
| develop | ✅ |
If you discover a security vulnerability in poly-ssg, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainers directly or use GitHub's private vulnerability reporting feature
- Include a detailed description of the vulnerability
- Provide steps to reproduce if possible
- Allow reasonable time for a fix before public disclosure
- All GitHub Actions are pinned to full SHA commit hashes to prevent supply chain attacks
- Dependabot monitors dependencies for known vulnerabilities
- CodeQL and Semgrep provide automated security scanning
The project enforces strict security practices:
- No `Obj.magic` (type safety bypass)
- No `Marshal` on untrusted data (code execution risk)
- No shell command execution in library code
- No dynamic code loading (`Dynlink`, `Toploop`)
- Input validation on all file operations
- XSS prevention in HTML output
- Path traversal protection
- No hardcoded secrets
- Workflows use least-privilege permissions
- Security scans run daily (CodeQL, Semgrep)
- All PRs require passing security checks
- Secrets are managed through GitHub Secrets
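The "XSS prevention in HTML output" and "Path traversal protection" items above are the two checks a static site generator needs between user-supplied content and the output directory. The following is an added example in plain OCaml (Stdlib only), not poly-ssg's own code; the function names `escape_html` and `safe_output_path` are hypothetical.

```ocaml
(* Added example, not poly-ssg's own code. Function names are hypothetical. *)

(* Escape the five characters that let user-supplied text break out of an
   HTML text node or a quoted attribute value. *)
let escape_html (s : string) : string =
  let b = Buffer.create (String.length s + 16) in
  String.iter
    (function
      | '&' -> Buffer.add_string b "&amp;"
      | '<' -> Buffer.add_string b "&lt;"
      | '>' -> Buffer.add_string b "&gt;"
      | '"' -> Buffer.add_string b "&quot;"
      | '\'' -> Buffer.add_string b "&#x27;"
      | c -> Buffer.add_char b c)
    s;
  Buffer.contents b

(* Resolve [rel] under the output [root] and refuse anything that could
   escape it: NUL bytes, backslashes, absolute paths, and "", "." or ".."
   segments. Callers only ever write to the [Ok] path, never to raw input. *)
let safe_output_path ~(root : string) (rel : string) : (string, string) result =
  if String.contains rel '\000' then Error "NUL byte in path"
  else if String.contains rel '\\' then Error "backslash in path"
  else if not (Filename.is_relative rel) then Error "absolute path rejected"
  else
    let segs = String.split_on_char '/' rel in
    if List.exists (fun s -> s = "" || s = "." || s = "..") segs
    then Error "path segment rejected"
    else Ok (Filename.concat root rel)

(* Constructed inputs of the kind a test-corpus/injection case would use. *)
let () =
  assert (escape_html "<script>alert(1)</script>"
          = "&lt;script&gt;alert(1)&lt;/script&gt;");
  assert (escape_html "a\" onload=\"x" = "a&quot; onload=&quot;x");
  assert (safe_output_path ~root:"_site" "../etc/passwd"
          = Error "path segment rejected");
  assert (safe_output_path ~root:"_site" "/etc/passwd"
          = Error "absolute path rejected");
  assert (safe_output_path ~root:"_site" "posts/hello.html"
          = Ok "_site/posts/hello.html");
  print_endline "checks passed"
```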
The following automated security tools are active:
| Tool | Purpose | Frequency |
|---|---|---|
| CodeQL | Static analysis for JavaScript/Actions | Daily + PR |
| Semgrep | SAST for multiple languages | Daily + PR |
| OCaml Security Audit | Unsafe pattern detection | Every PR |
| Dependabot | Dependency vulnerability scanning | Weekly |
- Never commit secrets, API keys, or credentials
- Use SHA-pinned GitHub Actions
- Validate all external input
- Follow the principle of least privilege
- Review security scan results before merging
The test corpus includes security-focused test cases:
- `test-corpus/injection/` - XSS, path traversal, command injection tests
- All engines must pass injection tests to be considered secure
We appreciate responsible security researchers who help improve poly-ssg security.