MokoConsulting/MokoOnyx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 2 Activity
Files
development
MokoOnyx/SECURITY.md
Jonathan Miller 8258ed804a
Some checks failed
Standards Compliance / Secret Scanning (push) Successful in 3s
Details
Standards Compliance / License Header Validation (push) Successful in 4s
Details
Standards Compliance / Repository Structure Validation (push) Successful in 5s
Details
Standards Compliance / Coding Standards Check (push) Failing after 3s
Details
Standards Compliance / Version Consistency Check (push) Successful in 3s
Details
Standards Compliance / Workflow Configuration Check (push) Failing after 2s
Details
Standards Compliance / Documentation Quality Check (push) Successful in 3s
Details
Standards Compliance / README Completeness Check (push) Successful in 3s
Details
Standards Compliance / Git Repository Hygiene (push) Successful in 2s
Details
Standards Compliance / Script Integrity Validation (push) Successful in 4s
Details
Standards Compliance / Line Length Check (push) Failing after 4s
Details
Standards Compliance / File Naming Standards (push) Successful in 2s
Details
Standards Compliance / Insecure Code Pattern Detection (push) Successful in 3s
Details
Standards Compliance / Code Complexity Analysis (push) Successful in 3s
Details
Standards Compliance / Code Duplication Detection (push) Successful in 4s
Details
Standards Compliance / Dead Code Detection (push) Successful in 3s
Details
Standards Compliance / File Size Limits (push) Successful in 2s
Details
CodeQL Security Scanning / Analyze (javascript) (push) Failing after 1m9s
Details
Standards Compliance / Binary File Detection (push) Successful in 4s
Details
CodeQL Security Scanning / Analyze (actions) (push) Failing after 1m11s
Details
Standards Compliance / TODO/FIXME Tracking (push) Successful in 3s
Details
Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 5s
Details
Standards Compliance / Broken Link Detection (push) Successful in 5s
Details
Standards Compliance / Unused Dependencies Check (push) Successful in 7s
Details
Standards Compliance / API Documentation Coverage (push) Successful in 3s
Details
Standards Compliance / Accessibility Check (push) Successful in 3s
Details
Standards Compliance / Performance Metrics (push) Successful in 3s
Details
Standards Compliance / Enterprise Readiness Check (push) Successful in 3s
Details
Standards Compliance / Repository Health Check (push) Successful in 4s
Details
Standards Compliance / Terraform Configuration Validation (push) Successful in 6s
Details
CodeQL Security Scanning / Security Scan Summary (push) Successful in 1s
Details
Standards Compliance / Compliance Summary (push) Successful in 1s
Details
Repo Health / Access control (push) Successful in 1s
Details
Auto-Update SHA Hash / Update SHA-256 Hash in updates.xml (release) Successful in 4s
Details
Repo Health / Release configuration (push) Failing after 3s
Details
Repo Health / Scripts governance (push) Successful in 3s
Details
Repo Health / Repository health (push) Failing after 3s
Details
MokoOnyx v01.00.00 — initial release (successor to MokoCassiopeia) 
All files renamed from mokocassiopeia to mokoonyx.
Update server points to MokoOnyx repo.
Bridge migration removed (clean standalone template).
Version reset to 01.00.00.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-19 17:19:03 -05:00

186 lines
7.2 KiB
Markdown
Raw Permalink Blame History

<!--
Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
This file is part of a Moko Consulting project.
SPDX-License-Identifier: GPL-3.0-or-later
# FILE INFORMATION
DEFGROUP: Joomla.Template
INGROUP: MokoOnyx.Governance
REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx
FILE: SECURITY.md
VERSION: 03.09.03
BRIEF: Security policy and vulnerability reporting process for MokoOnyx.
PATH: /SECURITY.md
NOTE: This policy is process oriented and does not replace secure engineering practices.
-->
## Security Policy
This document defines how MokoOnyx handles vulnerability intake, triage, remediation, and disclosure. The objective is to reduce risk, protect downstream users, and preserve operational continuity with a verifiable audit trail.
## Scope
This policy applies to:
* Repository source code, workflows, scripts, and build artifacts.
* Release packaging (ZIP outputs) generated from the repository.
* Configuration and metadata used for distribution (for example manifests and update metadata).
Out of scope:
* Vulnerabilities in upstream Joomla core, third party extensions, or external infrastructure not controlled by this repository.
* Issues that require physical access to a host, compromised administrator credentials, or a compromised hosting provider, unless the repository materially increases impact.
## Supported Versions
Security fixes are prioritized for:
* The latest released version.
* The current development line when it is actively used for release engineering.
Backports may be provided based on impact, deployment footprint, and engineering capacity.
## Reporting a Vulnerability
Use one of the following channels:
* GitHub Security Advisories (preferred): use the repository security tab to submit a private report.
* Email: send details to `hello@mokoconsulting.tech` with subject `SECURITY: MokoOnyx vulnerability report`.
Do not file a public GitHub issue for suspected security vulnerabilities.
### What to include
Provide enough detail to reproduce and triage:
* A clear description of the vulnerability and expected impact.
* A minimal proof of concept or reproduction steps.
* Affected versions, configuration assumptions, and environment details.
* Any proposed mitigation or patch.
* Your preferred contact details for follow up.
## Triage and Response Targets
The project operates with response targets aligned to practical delivery realities:
* **Acknowledgement:** within 3 business days.
* **Initial triage:** within 10 business days.
* **Fix plan:** communicated once severity is confirmed.
These targets are not guarantees. Complex issues, supply chain considerations, and coordination with upstream vendors may extend timelines.
## Severity Assessment
Issues are triaged based on business impact and technical exploitability, including:
* Remote exploitability and required privileges.
* Data confidentiality, integrity, and availability impact.
* Likelihood of exploitation in typical Joomla deployments.
* Exposure surface (public endpoints, administrator area, installation flows, and update mechanisms).
When appropriate, industry standard scoring such as CVSS may be used for internal prioritization.
## Coordinated Disclosure
The project follows coordinated vulnerability disclosure:
* Reports are treated as confidential until remediation is available.
* A public advisory may be published once a fix is released.
* A reasonable embargo period is expected to enable patch distribution.
If you believe disclosure is time sensitive due to active exploitation, include that assessment and any supporting indicators.
## Security Updates and Advisories
Security updates are distributed through:
* GitHub releases for the repository.
* GitHub Security Advisories when applicable.
Advisories may include:
* Affected versions and fixed versions.
* Mitigations and workarounds when a fix is not immediately available.
* Upgrade guidance.
## Dependencies and Supply Chain Controls
The project aims to manage supply chain risk through:
* Pinning and review of workflow dependencies where feasible.
* Minimizing privileged GitHub token permissions.
* Validating build inputs prior to packaging releases.
If you identify a supply chain issue (for example compromised action, dependency confusion, or malicious upstream artifact), report it as a vulnerability.
## Secure Development and CI Expectations
Security posture is reinforced through operational controls:
* CI validation for packaging inputs and manifest integrity.
* Consistent path normalization and whitespace hygiene checks where required for release correctness.
* Least privilege for GitHub Actions permissions.
### Template Security Features
**Custom Head Content Injection**
The template provides Custom Head Code fields (`custom_head_start` and `custom_head_end`) that allow administrators to inject custom HTML, CSS, and JavaScript code. This is an intentional feature for:
* Adding analytics scripts (Google Analytics, Google Tag Manager)
* Custom meta tags
* Third-party integrations
* Custom styling
**Security Considerations:**
* These fields use `filter="raw"` to allow HTML/JS injection
* **Access is restricted to Joomla administrators only** via template configuration
* This is not an XSS vulnerability as it requires administrator privileges
* Administrators should only add trusted code from verified sources
* Regular security audits should review custom head content
This policy does not guarantee that all vulnerabilities will be prevented. It defines how risk is managed when issues are discovered.
## Safe Harbor
The project supports good faith security research. When you:
* Avoid privacy violations, data destruction, and service disruption.
* Limit testing to systems you own or have explicit permission to test.
* Provide a reasonable window for coordinated disclosure.
Then the project will treat your report as a constructive security contribution.
Jurisdiction note: this repository is managed from Tennessee, USA. This note is informational only and does not constitute legal advice.
## Public Communications
Only maintainers will publish security advisories or public statements for confirmed vulnerabilities. Public communication will focus on actionable remediation and operational risk reduction.
## Acknowledgements
If you want credit, include the name or handle to list in an advisory. If you prefer anonymity, state that explicitly.
---
## Metadata
* **Document:** SECURITY.md
* **Repository:** [https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx](https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx)
* **Path:** /SECURITY.md
* **Owner:** Moko Consulting
* **Version:** 03.06.00
* **Status:** Active
* **Effective Date:** 2025-12-18
* **Last Reviewed:** 2025-12-18
## Revision History
| Date | Change Summary | Author |
| ---------- | ------------------------------------------------------------------------------------------------ | --------------- |
| 2026-01-30 | Added Template Security Features section documenting custom head content injection controls. | Copilot Agent |
| 2025-12-18 | Initial publication of security policy, intake channels, triage targets, and disclosure process. | Moko Consulting |
Reference in New Issue View Git Blame Copy Permalink