This document describes the security policy for SpectraFit.
Our current policy is to support the latest version of SpectraFit and the last two minor releases.
Currently, the following security checks are implemented in the CI pipelines or as third-party services:
| Tool | Checks | Implemented as |
|---|---|---|
| GitHub's CodeQL | Used to check for potential vulnerabilities in the code. | 🛠️ |
| Snyk | Used to check for known vulnerabilities in the dependencies. | 🤖 |
| SonarCloud | Used to find code quality issues and potential vulnerabilities. | 🤖 |
| GitHub's Dependabot | Used to check for outdated dependencies. | 🤖 |
| Pre-commit | Used to check for code quality and formatting issues. | 🛠️ 🤖 |
| Codecov | Used to check the test coverage rate to ensure that the code is completely tested. | 🛠️ 🤖 |
Additionally, branch protection rules are used to ensure that the code is reviewed before it is merged into the main branch.
If you find a vulnerability, please report it by opening an issue here. Please use the vulnerability template and provide as much information as possible.
Current Python vulnerabilities can be found at the 🔗GitHub's Advisory Database. See also: 🔗GitHub's Security Lab.