We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---------|-----------|
| 0.1.x   | ✅        |
We take the security of azd-app seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not:

- Open a public GitHub issue
- Disclose the vulnerability publicly before it has been addressed
How to report a vulnerability:

- File a private issue in this repository and mark it as security-related.
- Include:
  - Type of vulnerability
  - Full paths of source file(s) related to the manifestation of the vulnerability
  - Location of the affected source code (tag/branch/commit or direct URL)
  - Step-by-step instructions to reproduce the issue
  - Proof-of-concept or exploit code (if possible)
  - Impact of the vulnerability, including how an attacker might exploit it
What to expect after reporting:

- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Communication: We will send you regular updates about our progress
- Timeline: We aim to patch critical vulnerabilities within 7 days
- Credit: If you would like, we will credit you in our release notes
When using azd-app:
- Keep Updated: Always use the latest version
- Validate Inputs: Never run commands with untrusted input
- Review Permissions: Ensure proper file and directory permissions
- Environment Variables: Protect sensitive environment variables
- Azure Credentials: Never commit credentials to source control
azd-app implements several security measures:
- Input Validation: All file paths are validated to prevent path traversal
- Command Sanitization: Script names are sanitized to prevent injection
- Secure Random: Cryptographically secure random number generation
- Timeout Protection: Commands have timeouts to prevent hung processes
- Error Handling: Comprehensive error handling with proper cleanup
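To make the four technical measures above concrete (path-traversal validation, script-name sanitization, secure random generation, and command timeouts), here is an added Go example. It is illustrative code written for this page, not azd-app's own implementation; the function names, the base directory `/srv/app`, the allowlist pattern for script names, and the 100 ms timeout are assumptions chosen for the demonstration.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// ErrPathTraversal is returned when a requested path would resolve outside the base directory.
var ErrPathTraversal = errors.New("path escapes base directory")

// ErrBadScriptName is returned when a script name contains characters outside the allowlist.
var ErrBadScriptName = errors.New("invalid script name")

// ResolveWithinBase joins an untrusted relative path onto base and rejects the
// result if it escapes base. Absolute input, "../" segments, and "dir/../../x"
// style paths are all caught because Join cleans the path before Rel compares it.
func ResolveWithinBase(base, untrusted string) (string, error) {
	if filepath.IsAbs(untrusted) {
		return "", ErrPathTraversal
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, untrusted) // Join applies Clean to the result
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", ErrPathTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return joined, nil
}

// scriptNameRe is an assumed allowlist: a script name is a single path
// component of letters, digits, dot, underscore and hyphen, starting with an
// alphanumeric. Shell metacharacters and path separators are never accepted,
// so a name can be passed to exec.Command without further quoting.
var scriptNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// ValidateScriptName accepts a script name only if it matches the allowlist.
// Validating against an allowlist is preferred over stripping "bad" characters,
// which tends to leave surprising residues.
func ValidateScriptName(name string) (string, error) {
	if !scriptNameRe.MatchString(name) {
		return "", ErrBadScriptName
	}
	return name, nil
}

// RandomToken returns n cryptographically secure random bytes, hex encoded.
// crypto/rand, not math/rand, is the source; the error is returned rather
// than ignored so a failing entropy source cannot yield a predictable token.
func RandomToken(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// RunWithTimeout runs a command under a hard deadline. exec.CommandContext
// kills the process when the context expires, so a hung script cannot block
// the caller indefinitely; the returned error names the timeout explicitly.
func RunWithTimeout(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, name, args...)
	out, err := cmd.CombinedOutput()
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		return string(out), fmt.Errorf("%s timed out after %s", name, timeout)
	}
	return string(out), err
}

func main() {
	// Constructed inputs: one benign and one traversal attempt.
	for _, p := range []string{"scripts/build.sh", "../../etc/passwd"} {
		resolved, err := ResolveWithinBase("/srv/app", p)
		fmt.Printf("%-20s -> %q err=%v\n", p, resolved, err)
	}
	_, err := ValidateScriptName("build; rm -rf /")
	fmt.Println("script name rejected:", err)
	tok, _ := RandomToken(16)
	fmt.Println("token:", tok)
	_, err = RunWithTimeout(context.Background(), 100*time.Millisecond, "sleep", "5")
	fmt.Println("timeout:", err)
}
```

The traversal check relies on `filepath.Rel` after `filepath.Join` has cleaned the path, which is what makes `scripts/../../x` fail even though it starts with a harmless-looking component; a prefix check on the raw string would miss that case.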
We use the following tools to maintain security:
- gosec: Go security checker
- Go vulnerability database: Regular dependency scanning
- GitHub Dependabot: Automated dependency updates