jmiller 7319825960
Merge pull request 'chore: rebrand mokowaas→mokosuite (content)' (#23) from chore/rebrand-mokosuite-content-2 into main
2026-07-05 02:43:55 +00:00

Security Policy

Purpose and Scope

This document defines the security vulnerability reporting, response, and disclosure policy for [PROJECT_NAME] and all repositories governed by these standards. It establishes the authoritative process for responsible disclosure, assessment, remediation, and communication of security issues.

Supported Versions

Security updates are provided for the following versions:

Version    Supported
[X.x.x]    Yes
< [X.0]    No

Only the current major version receives security updates. Users should upgrade to the latest supported version to receive security patches.

Reporting a Vulnerability

Report security vulnerabilities via Gitea issue (preferred): https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-Template-Generic/issues/new?template=security.yaml

Or email: hello@mokoconsulting.tech

Where to Report

DO NOT create public GitHub issues for security vulnerabilities.

Report security vulnerabilities privately to:

Email: security@[DOMAIN]

Subject Line: [SECURITY] Brief Description

What to Include

A complete vulnerability report should include:

  1. Description: Clear explanation of the vulnerability
  2. Impact: Potential security impact and severity assessment
  3. Affected Versions: Which versions are vulnerable
  4. Reproduction Steps: Detailed steps to reproduce the issue
  5. Proof of Concept: Code, configuration, or demonstration (if applicable)
  6. Suggested Fix: Proposed remediation (if known)
  7. Disclosure Timeline: Your expectations for public disclosure

Response Timeline

  • Initial Response: Within 3 business days
  • Assessment Complete: Within 7 business days
  • Fix Timeline: Depends on severity (see below)
  • Disclosure: Coordinated with reporter

Severity Classification

Vulnerabilities are classified using the following severity levels:

Critical

  • Remote code execution
  • Authentication bypass
  • Data breach or exposure of sensitive information
  • Fix Timeline: 7 days

High

  • Privilege escalation
  • SQL injection or command injection
  • Cross-site scripting (XSS) with significant impact
  • Fix Timeline: 14 days

Medium

  • Information disclosure (limited scope)
  • Denial of service
  • Security misconfigurations with moderate impact
  • Fix Timeline: 30 days

Low

  • Security best practice violations
  • Minor information leaks
  • Issues requiring user interaction or complex preconditions
  • Fix Timeline: 60 days or next release

Remediation Process

  1. Acknowledgment: Security team confirms receipt and begins investigation
  2. Assessment: Vulnerability is validated, severity assigned, and impact analyzed
  3. Development: Security patch is developed and tested
  4. Review: Patch undergoes security review and validation
  5. Release: Fixed version is released with security advisory
  6. Disclosure: Public disclosure follows coordinated timeline

Security Advisories

Security advisories are published via:

  • GitHub Security Advisories
  • Release notes and CHANGELOG.md
  • Security mailing list (when established)

Advisories include:

  • CVE identifier (if applicable)
  • Severity rating
  • Affected versions
  • Fixed versions
  • Mitigation steps
  • Attribution (with reporter consent)

Security Best Practices

For repositories adopting MokoStandards:

Required Controls

  • Enable GitHub security features (Dependabot, code scanning)
  • Implement branch protection on main
  • Require code review for all changes
  • Enforce signed commits (recommended)
  • Use secrets management (never commit credentials)
  • Maintain security documentation
  • Follow secure coding standards defined in /docs/policy/

CI/CD Security

  • Validate all inputs
  • Sanitize outputs
  • Use least privilege access
  • Pin dependencies with hash verification
  • Scan for vulnerabilities in dependencies
  • Audit third-party actions and tools

Automated Security Scanning

All repositories MUST implement:

CodeQL Analysis:

  • Enabled for all supported languages (Python, JavaScript, TypeScript, Java, C/C++, C#, Go, Ruby)
  • Runs on: push to main, pull requests, weekly schedule
  • Query sets: security-extended and security-and-quality
  • Configuration: .github/workflows/codeql-analysis.yml

Dependabot Security Updates:

  • Weekly scans for vulnerable dependencies
  • Automated pull requests for security patches
  • Configuration: .github/dependabot.yml

Secret Scanning:

  • Enabled by default with push protection
  • Prevents accidental credential commits
  • Partner patterns enabled

Dependency Review:

  • Required for all pull requests
  • Blocks introduction of known vulnerable dependencies
  • Automatic license compliance checking

See Security Scanning Policy for detailed requirements.

Dependency Management

  • Keep dependencies up to date
  • Monitor security advisories for dependencies
  • Remove unused dependencies
  • Audit new dependencies before adoption
  • Document security-critical dependencies

Compliance and Governance

This security policy is binding for all repositories governed by MokoStandards. Deviations require documented justification and approval from the Security Owner.

Security policies are reviewed and updated at least annually or following significant security incidents.

Attribution and Recognition

We acknowledge and appreciate responsible disclosure. With your permission, we will:

  • Credit you in security advisories
  • List you in CHANGELOG.md for the fix release
  • Recognize your contribution publicly (if desired)

Contact and Escalation

  • Security Team: security@[DOMAIN]
  • Primary Contact: [CONTACT_EMAIL]
  • Escalation: For urgent matters requiring immediate attention, contact the maintainer directly via GitHub

Out of Scope

The following are explicitly out of scope:

  • Issues in third-party dependencies (report directly to maintainers)
  • Social engineering attacks
  • Physical security issues
  • Denial of service via resource exhaustion without amplification
  • Issues requiring physical access to systems
  • Theoretical vulnerabilities without proof of exploitability

Metadata

Field        Value
Document     Security Policy
Path         /SECURITY.md
Repository   [REPOSITORY_URL]
Owner        [OWNER_NAME]
Scope        Security vulnerability handling
Applies To   All repositories governed by MokoStandards
Status       Active
Effective    [YYYY-MM-DD]

Revision History

Date          Change Description   Author
[YYYY-MM-DD]  Initial creation     [AUTHOR_NAME]