feat: update security policy with new scanning tools (#49)

Reviewed-on: https://codeberg.org/nhcarrigan/docs/pulls/49 Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com> Co-committed-by: Naomi Carrigan <commits@nhcarrigan.com>
2024-12-27 02:50:09 +00:00 · 2024-12-27 02:50:09 +00:00 · e81471daff
commit e81471daff
parent 6fc0695aad
2 changed files with 25 additions and 12 deletions
--- a/src/content/docs/dev/servers.md
+++ b/src/content/docs/dev/servers.md
@ -298,17 +298,10 @@ git clone <url>
 cd /path/to/project
 ```

-:::tip
-If you already have the project cloned, remove any ignored files such as `node_modules`, `prod`, or `coverage`.
+Then sync the project up to the machine, ignoring any installed packages.

 ```bash
-rm -rf node_modules prod coverage <other directories and files>
-```
-
-Then sync the project up to the machine, ignoring the `.git` directory.
-
-```bash
-GLOBIGNORE='.git' scp -r ./* <server name>:/home/nhcarrigan/<project directory>
+rsync -av --exclude='node_modules' ./ <server name>:/home/nhcarrigan/<project directory>
 ```

 ## 6. Running a Project
--- a/src/content/docs/legal/security.md
+++ b/src/content/docs/legal/security.md
@ -102,15 +102,35 @@ Any information you provide in your vulnerability report will be handled in acco

 We will treat all vulnerability reports as confidential and will not share the information beyond what is necessary to address the reported issue.

-## 9. Compliance with Laws and Regulations
+## 9. Proactive Measures
+
+In order to maintain the best possible effort to protect your data and the safety of our applications, we implement the following proactive security measures.
+
+### 9.1. Code Scanning
+
+Our projects are scanned for potential security risks and vulnerabilities using SonarQube. You can view the latest scan reports [on our dashboard](https://quality.nhcarrigan.link).
+
+### 9.2. Local Scanning
+
+We also run a weekly scan on all of our projects using local tooling:
+
+- Gitleaks (to detect leaked secrets and credentials)
+- Grype (secondary detection for vulnerabilities in dependencies)
+- Snyk (in-depth scanning of code and dependencies)
+- Syft (to generate Software Bill of Materials for third-party auditors to use)
+- Trivy (to detect vulnerabilities in dependencies)
+
+The results of these scans are found at https://security.nhcarrigan.com
+
+## 10. Compliance with Laws and Regulations

 All security research and vulnerability disclosure activities must comply with all applicable local, state, and federal laws, as well as any relevant international laws.

-## 10. Policy Updates
+## 11. Policy Updates

 We reserve the right to update or modify this Security Policy at any time. Any changes will be effective immediately upon posting the updated policy on our website or repository.

-## 11. Contact Information
+## 12. Contact Information

 For any questions regarding this Security Policy, please contact us at `security@nhcarrigan.com`.