Bookscope / SECURITY.md
SpanishPeacoq's picture
Deploy Bookscope to official hackathon Space
436b436 verified
|
Raw
History Blame Contribute Delete
1.49 kB

A newer version of the Gradio SDK is available: 6.20.0

Upgrade

Security

Supported Scope

This project is early-stage unless stated otherwise. Security expectations still apply to local development, tests, documentation, and deployment scripts.

Secret Handling

  • Do not commit .env files containing real values.
  • Use .env.example to document required variables.
  • Never commit tokens, private keys, passwords, session cookies, or production credentials.
  • Redact secrets from logs, screenshots, issues, and documentation.

Security-Sensitive Areas

Treat these changes as requiring extra review:

  • Authentication and authorization.
  • Database queries and migrations.
  • File upload, parsing, or path handling.
  • Shell command execution.
  • External webhooks or callbacks.
  • Dependency additions or upgrades.
  • CI/CD, deployment, and infrastructure configuration.

Dependency Standard

Before adding a dependency, consider:

  • Is it necessary?
  • Is it actively maintained?
  • Is the license acceptable?
  • Does it meaningfully increase attack surface?

Reporting Issues

For private projects, report security issues directly to the repository owner. For public projects, replace this section with a private contact method or GitHub Security Advisory instructions.

Pre-Release Checklist

  • No secrets are committed.
  • Environment variables are documented in .env.example.
  • Relevant tests pass.
  • Authentication and authorization flows have been reviewed.
  • Logs avoid sensitive data.
  • Dependencies are reviewed for obvious risk.