Skip to content

Security Policy

To ensure the integrity, safety, and reliability of the Dice Chess Engine, the repository employs a multi-tiered security and analysis strategy. This page documents our active security measures and outlines how to report vulnerabilities.


Our codebase is continuously monitored using industry-standard static analysis and security tools:

Layer Tool / Service Security Focus
Local Pre-commit gitleaks Prevents API keys, credentials, and secrets from entering git history.
CI Static Analysis CodeQL Analyzes the codebase for security flaws, syntax bugs, and common vulnerability patterns (SQL injections, path traversals).
CI Secret Scan gitleaks (via CodeRabbit) Double-checks all PR changes for secrets before merging to main.
Vulnerability Scanning SonarCloud Automatically flags code smells, logic errors, and security issues.
Dependency Audits Dependabot Regularly monitors and generates automated PRs to patch vulnerable NPM/Scala packages.
Push Protection GitHub Secret Scanning Rejects push events containing detected credentials.

If you discover a security vulnerability in the engine, please do not create a public issue or public pull request. Instead, submit a private report so we can resolve the issue before public disclosure.

Preferred Method: GitHub Private Vulnerability Report

Section titled “Preferred Method: GitHub Private Vulnerability Report”

GitHub provides a native, secure channel for vulnerability disclosure:

  1. Go to the main page of the dicechess-engine-scala repository.
  2. Under the repository name, click Security.
  3. In the left sidebar under Vulnerability reporting, click Advisories.
  4. Click Report a vulnerability to fill out a secure form.

You can also contact the maintainer directly via email: jegors.cemisovs@gmail.com. Please use a descriptive subject line (e.g., [Security Vulnerability] Dice Chess Engine).

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
  2. Investigation: We will triage the vulnerability and keep you updated on our progress.
  3. Resolution: Once a fix is verified, we will coordinate a patch release and mutually agree on a public disclosure date.