|
2 | 2 |
|
3 | 3 | ## Supported Versions
|
4 | 4 |
|
5 |
| -Use this section to tell people about which versions of your project are |
6 |
| -currently being supported with security updates. |
| 5 | +Only the latest version of the AWS GraphQL API is actively maintained and receives security updates. |
7 | 6 |
|
8 | 7 | | Version | Supported |
|
9 | 8 | | ------- | ------------------ |
|
10 |
| -| 5.1.x | :white_check_mark: | |
11 |
| -| 5.0.x | :x: | |
12 |
| -| 4.0.x | :white_check_mark: | |
13 |
| -| < 4.0 | :x: | |
| 9 | +| 1.0.x | :white_check_mark: | |
| 10 | +| < 1.0 | :x: | |
| 11 | + |
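Review bot: The prose and the table disagree on granularity. The added sentence says only the latest version receives security updates, while the table commits to the whole `1.0.x` line and marks `< 1.0` unsupported. Say which statement governs, and state what happens to `1.0.x` once a `1.1` line ships, so users can plan upgrades from this page alone.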
| 12 | +## Security Features |
| 13 | + |
| 14 | +- 🔒 AWS IAM Authentication |
| 15 | +- 🔐 Non-root Docker container execution |
| 16 | +- 🛡️ Input validation through GraphQL schema |
| 17 | +- 📦 Dependencies regularly updated and monitored |
| 18 | +- 🔍 Automated security scanning in CI/CD |
14 | 19 |
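Review bot: "Input validation through GraphQL schema" overstates what a schema provides. Schema types reject malformed shapes and wrong scalar types, but they do not bound string length, numeric range, query depth or aliasing, and they say nothing about whether the caller is authorised for the field. Reword to "type validation via the GraphQL schema" or list the additional controls, and name the scanner behind "Automated security scanning in CI/CD" so the claim is checkable.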
|
15 | 20 | ## Reporting a Vulnerability
|
16 | 21 |
|
17 |
| -Use this section to tell people how to report a vulnerability. |
| 22 | +We take security vulnerabilities seriously. If you discover a security issue, please bring it to our attention right away: |
| 23 | + |
| 24 | +1. **DO NOT** open a public GitHub issue. |
| 25 | +2. Submit your report privately via email to [SECURITY CONTACT EMAIL] |
| 26 | +3. Include detailed steps to reproduce the vulnerability |
| 27 | +4. Expect an initial response within 48 hours |
| 28 | + |
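Review bot: `[SECURITY CONTACT EMAIL]` in step 2 is still a template placeholder, so as merged the policy gives reporters no working channel. Fill in a monitored mailbox or point to GitHub's private vulnerability reporting for the repository before this lands. Step 4 promises an initial response within 48 hours; say whether that is calendar or business time.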
| 29 | +## Security Best Practices |
| 30 | + |
| 31 | +When deploying this API: |
| 32 | + |
| 33 | +1. **AWS IAM** |
| 34 | + - Use the principle of least privilege |
| 35 | + - Regularly rotate AWS credentials |
| 36 | + - Use IAM roles instead of access keys when possible |
| 37 | + |
| 38 | +2. **Docker Security** |
| 39 | + - Keep base images updated |
| 40 | + - Never run containers as root |
| 41 | + - Use Docker content trust |
| 42 | + |
| 43 | +3. **API Security** |
| 44 | + - Enable AWS CloudTrail logging |
| 45 | + - Monitor API usage with CloudWatch |
| 46 | + - Implement rate limiting at the API Gateway level |
| 47 | + |
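Review bot: Item 3, "Implement rate limiting at the API Gateway level", assumes an API Gateway fronts the container, but nothing else on the page describes the deployment path. Either state the expected architecture or phrase it as rate limiting at whatever edge fronts the API. Under "Docker Security", "Never run containers as root" restates the Security Features bullet; pointing at the `USER` directive in the project's Dockerfile would let readers verify it instead.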
| 48 | +## Dependencies |
| 49 | + |
| 50 | +We use `pnpm` with lockfiles to ensure dependency consistency and security: |
| 51 | +- Dependencies are automatically updated via Dependabot |
| 52 | +- Security advisories are monitored |
| 53 | +- Vulnerability patches are applied promptly |
| 54 | + |
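Review bot: The section says lockfiles are used but not that they are enforced. Recommend stating that CI installs with `pnpm install --frozen-lockfile`, so a drifted `pnpm-lock.yaml` fails the build instead of silently resolving new versions. "Security advisories are monitored" should name the mechanism (Dependabot alerts, `pnpm audit`) so the claim is verifiable.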
| 55 | +## Disclosure Policy |
18 | 56 |
|
19 |
| -Tell them where to go, how often they can expect to get an update on a |
20 |
| -reported vulnerability, what to expect if the vulnerability is accepted or |
21 |
| -declined, etc. |
| 57 | +- Security issues will be patched as quickly as possible |
| 58 | +- Updates will be released as patch versions |
| 59 | +- Users will be notified through GitHub releases |
| 60 | +- Critical vulnerabilities will be communicated directly to users who have starred/watched the repository |
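Review bot: The last bullet promises direct communication to users who starred or watched the repository, but GitHub gives maintainers no channel to message stargazers, and watchers only receive notifications for the activity they subscribed to. Replace it with publishing a GitHub Security Advisory (and requesting a CVE where warranted), which reaches dependents through Dependabot alerts. The section also drops the guidance the removed template lines asked for: what a reporter should expect if a report is declined, and how often they will hear back while a fix is in progress.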