Security Policy
To ensure the integrity, safety, and reliability of the Dice Chess Engine, the repository employs a multi-tiered security and analysis strategy. This page documents our active security measures and outlines how to report vulnerabilities.
Active Security Measures
Section titled “Active Security Measures”Our codebase is continuously monitored using industry-standard static analysis and security tools:
| Layer | Tool / Service | Security Focus |
|---|---|---|
| Local Pre-commit | gitleaks |
Prevents API keys, credentials, and secrets from entering git history. |
| CI Static Analysis | CodeQL | Analyzes the codebase for security flaws, syntax bugs, and common vulnerability patterns (SQL injections, path traversals). |
| CI Secret Scan | gitleaks (via CodeRabbit) |
Double-checks all PR changes for secrets before merging to main. |
| Vulnerability Scanning | SonarCloud | Automatically flags code smells, logic errors, and security issues. |
| Dependency Audits | Dependabot | Regularly monitors and generates automated PRs to patch vulnerable NPM/Scala packages. |
| Push Protection | GitHub Secret Scanning | Rejects push events containing detected credentials. |
Private Vulnerability Reporting
Section titled “Private Vulnerability Reporting”If you discover a security vulnerability in the engine, please do not create a public issue or public pull request. Instead, submit a private report so we can resolve the issue before public disclosure.
Preferred Method: GitHub Private Vulnerability Report
Section titled “Preferred Method: GitHub Private Vulnerability Report”GitHub provides a native, secure channel for vulnerability disclosure:
- Go to the main page of the dicechess-engine-scala repository.
- Under the repository name, click Security.
- In the left sidebar under Vulnerability reporting, click Advisories.
- Click Report a vulnerability to fill out a secure form.
Alternative Method: Direct Contact
Section titled “Alternative Method: Direct Contact”You can also contact the maintainer directly via email: jegors.cemisovs@gmail.com. Please use a descriptive subject line (e.g., [Security Vulnerability] Dice Chess Engine).
Response and Disclosure Timeline
Section titled “Response and Disclosure Timeline”- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Investigation: We will triage the vulnerability and keep you updated on our progress.
- Resolution: Once a fix is verified, we will coordinate a patch release and mutually agree on a public disclosure date.