Thank you for helping to keep this project secure!
Please report security issues privately to [your security contact email] or through GitHub Security Advisories rather than in a public issue. We will acknowledge reports promptly and work with you to address the issue.
This project applies the following repository and CI/CD security practices, chosen with healthcare and other regulated environments in mind:
- Branch protection rules are enabled for `main`.
- All status checks (build, test, lint, Snyk, code scanning) must pass before merging.
- Dependabot alerts and security updates are enabled to monitor for vulnerable dependencies.
- Secret scanning and push protection are enabled to prevent accidental exposure of secrets.
- Default `GITHUB_TOKEN` workflow permissions are read-only.
- Jobs that need write access (e.g., publishing releases) request it explicitly in a job-level `permissions:` block, so write scope is limited to that job.
- All sensitive secrets (GPG, Snyk, Docker, etc.) are stored in GitHub Secrets and rotated regularly.
- In CI/CD workflows the GPG signing key is imported and marked trusted only for the steps that need it, and it is removed from the runner before the job finishes.
- Cloud deployments authenticate with short-lived OIDC tokens where possible, so no static cloud credentials are stored as secrets.
- An SBOM is generated for every release and uploaded to GitHub both as a workflow artifact and via the SBOM API.
- Snyk scans are run on every PR and push to main.
- SARIF results are uploaded to GitHub Code Scanning for visibility in the Security tab.
- Audit logging is enabled at the organization level for compliance and incident response.
- Workflows use only trusted actions, pinned to a specific commit SHA rather than a mutable tag.
- This policy and CI/CD security controls are documented and reviewed regularly.
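The workflow controls above (read-only default token permissions, explicit write scope per job, OIDC, SHA-pinned actions) are easy to let slip in a new workflow file. The script below is an added example, not the project's own tooling: it lints a workflow for `uses:` references that are not pinned to a full commit SHA and for a missing top-level `permissions:` block, and it writes a constructed weak workflow next to a hardened one to show the difference. The 40-hex SHA in the hardened sample is a placeholder, not a real `actions/checkout` commit.

```shell
#!/usr/bin/env bash
# Added example (not the project's own tooling): lint GitHub workflow files
# for unpinned actions and a missing top-level permissions block.
# Usage: ./audit.sh .github/workflows/*.yml
set -eu

# unpinned_uses <workflow.yml>
# Prints every `uses:` reference that is not pinned to a 40-hex commit SHA.
# Tags such as @v4 are mutable: whoever controls the action repository can
# move them, so only a SHA gives a fixed, reviewable dependency.
unpinned_uses() {
    # take the value of each `uses:` line, drop a trailing "# v4" comment,
    # skip local actions (./path) which have no ref to pin
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*#.*$//' \
        | grep -v '^\./' \
        | grep -Ev '@[0-9a-f]{40}$' || true
}

# audit_workflow <workflow.yml>
# Prints findings and returns 1 if any were found, 0 if the file is clean.
audit_workflow() {
    local wf="$1" rc=0 found
    found=$(unpinned_uses "$wf")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed "s|^|$wf: unpinned action: |"
        rc=1
    fi
    # Without a top-level block the repository default applies; the policy
    # wants read-only by default with writes requested per job.
    if ! grep -Eq '^permissions:' "$wf"; then
        echo "$wf: no top-level permissions: block"
        rc=1
    fi
    return $rc
}

# Constructed sample: the weak form (mutable tag, no permissions block).
write_weak_workflow() {
    cat > "$1" <<'EOF'
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - run: make test
EOF
}

# Constructed sample: the hardened form. Read-only token by default, the
# release job alone gets contents: write plus id-token: write for OIDC, and
# third-party actions are pinned to a SHA (placeholder value, not a real commit).
write_hardened_workflow() {
    cat > "$1" <<'EOF'
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/setup
      - run: make test
  release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - run: make release
EOF
}

# Audit every workflow given on the command line; status is non-zero if any failed.
rc=0
if [ $# -gt 0 ]; then
    for wf in "$@"; do audit_workflow "$wf" || rc=1; done
fi
test "$rc" -eq 0
```

Run it against `.github/workflows/*.yml` in CI as its own check, or from a pre-commit hook; the SHA check is deliberately strict and will also flag `docker://image:tag` references, which should be pinned by digest instead.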
For any questions or to report a security concern, please contact the maintainers.
Releases and their checksums are signed; you can verify them with our public GPG key. Check that the key's fingerprint matches the one published by the maintainers before trusting a signature.
Security fixes are provided for the latest major and minor releases. Please check the releases page for details.