At NFTT-GitHub-Workflows, security is not an afterthought—it’s a fundamental design principle. We implement defense-in-depth strategies to protect your workflows, data, and API credentials.
We take security seriously and appreciate your help in keeping NFTT-GitHub-Workflows secure. If you discover a security vulnerability, please follow our responsible disclosure process.
⚠️ IMPORTANT: Do NOT create public issues for security vulnerabilities
Please provide as much information as possible:
## Vulnerability Details
- **Type**: [e.g., Code Injection, Information Disclosure]
- **Severity**: [Critical/High/Medium/Low]
- **Component**: [Affected workflow/file]
## Steps to Reproduce
1. [First step]
2. [Second step]
3. [...]
## Impact Assessment
- Who is affected?
- What data/systems are at risk?
- Potential damage if exploited?
## Suggested Fix
[If you have recommendations]
## Additional Context
[Screenshots, logs, etc.]
| Severity | Initial Response | Fix Timeline |
|---|---|---|
| 🔴 Critical | < 4 hours | < 24 hours |
| 🟠 High | < 24 hours | < 7 days |
| 🟡 Medium | < 72 hours | < 30 days |
| 🟢 Low | < 1 week | Next release |
- name: Call AI API
env:
API_KEY: $
run: |
curl -H "Authorization: Bearer $API_KEY" ...
- name: Call AI API
run: |
curl -H "Authorization: Bearer sk-1234567890abcdef" ...
Always use the principle of least privilege:
permissions:
contents: read # Read-only access to repository
issues: write # Only if needed
pull-requests: write # Only if needed
actions: read # Minimal permissions
Protect against injection attacks:
- name: Validate Input
run: |
# Sanitize user input
SAFE_INPUT=$(echo "$" | sed 's/[^a-zA-Z0-9 ]//g')
# Use validated input
echo "Processing: $SAFE_INPUT"
We automatically scan for:
- name: Security Scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
severity: 'CRITICAL,HIGH'
jobs:
secure-api-call:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Validate Environment
run: |
if [ -z "$" ]; then
echo "::error::API key not configured"
exit 1
fi
- name: Make Secure API Call
env:
API_KEY: $
run: |
response=$(curl -s -w "\n%{http_code}" \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
--fail-with-body \
"$API_ENDPOINT")
http_code=$(echo "$response" | tail -n1)
body=$(echo "$response" | sed '$d')
if [ "$http_code" -ne 200 ]; then
echo "::error::API call failed with status $http_code"
exit 1
fi
- name: Process Issue Safely
uses: actions/github-script@v7
with:
script: |
const issueBody = context.payload.issue.body || '';
// Sanitize input
const sanitized = issueBody
.replace(/[<>]/g, '') // Remove HTML tags
.substring(0, 10000); // Limit length
// Validate content
if (sanitized.includes('script') || sanitized.includes('eval')) {
core.setFailed('Potentially malicious content detected');
return;
}
// Process safely
console.log('Processing sanitized content...');
Our CI/CD pipeline includes:
Before submitting a PR, ensure:
# ❌ BAD: Logs API key
- run: echo "Using key: $"
# ✅ GOOD: Masks sensitive data
- run: echo "::add-mask::$"
# ❌ BAD: Command injection risk
- run: echo $
# ✅ GOOD: Quoted and sanitized
- run: echo "$"
# ❌ BAD: Too many permissions
permissions: write-all
# ✅ GOOD: Minimal required permissions
permissions:
issues: write
contents: read
We recognize security researchers who have helped improve our security:
| Researcher | Contribution | Date |
|---|---|---|
| @security-hero | Critical API key exposure fix | 2025-06 |
| @white-hat | Workflow injection prevention | 2025-05 |