Add security policy and config for dependabot (#52)

mckinsey · Sep 21, 2023 · ca8b68b · ca8b68b
1 parent e697860
commit ca8b68b
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Github Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+  # Python
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+Security is very important for Vizro and its community 🔒
+
+If you believe you have found a security vulnerability, please report it to us as described below.
+
+## Supported Versions
+
+The latest version of Vizro is supported. We encourage you to update your Vizro version frequently, this way you will benefit from the latest features, bug fixes, and **security fixes**.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues to limit the potential impact on current users.**
+
+If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: [email protected]
+
+Please try to be as explicit as possible to help us better understand the nature and scope of the possible issue by providing:
+
+- Type of issue (e.g. cross-site scripting, SQL injection, etc.)
+- Impact of the issue, including how an attacker might exploit the issue
+- Step-by-step instructions to reproduce the issue
+- Example code or any special configuration to reproduce the issue
+- Location of the affected source code (e.g. branch/commit/URL)
+
+We will review it thoroughly and get back to you. If the issue is confirmed, we will release a patch as soon as possible.
+
+---
+
+Thanks for your help!
+
+The Vizro team thanks you for that 🙇
diff --git a/vizro-core/changelog.d/20230921_201427_huong_li_nguyen_enable_dependabot.md b/vizro-core/changelog.d/20230921_201427_huong_li_nguyen_enable_dependabot.md
@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category.
+
+-->
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->