| Version | Supported |
|---|---|
| main | ✅ Yes |
| develop | ✅ Yes |
| < 1.0 | ❌ No |
We use multiple security tools to protect our codebase:
- CodeQL static analysis
  - Runs: On every push, PR, and weekly schedule
  - Languages: Python
  - Queries: Security-extended + Quality checks
  - Results: GitHub Security tab → Code scanning alerts
- Secret scanning
  - Runs: On every commit
  - Detects: API keys, passwords, tokens
  - Protection: Push protection enabled (blocks commits)
- Dependency scanning
  - Runs: Weekly
  - Scans: Python, Docker, GitHub Actions
  - Action: Auto-creates PRs for vulnerable dependencies
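A GitHub Actions workflow that matches the CodeQL settings listed above (every push, every PR, a weekly schedule, Python, security-extended plus quality queries, results in the Security tab). This is an added example, not the project's own workflow file; the file path, the cron time and the action versions are assumptions.

```yaml
# .github/workflows/codeql.yml  (assumed path; example, not the project's file)
name: CodeQL

on:
  push:            # every push
  pull_request:    # every PR
  schedule:
    - cron: "0 6 * * 1"   # weekly; Monday 06:00 UTC is an assumed time

# Least privilege for the token: read the repo, write only code-scanning results
permissions:
  contents: read
  security-events: write   # required to upload alerts to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          # "Security-extended + Quality checks" from the policy above:
          # the built-in suites are named security-extended and security-and-quality
          queries: security-extended,security-and-quality

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
```

Alerts produced by this workflow appear under Security → Code scanning alerts, which is where the "Review CodeQL alerts before merging PRs" practice below is checked.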
DO NOT create a public GitHub issue for security vulnerabilities.
Instead:
- Email: w.aroca@insaing.com
- Subject: [SECURITY] Brief description
- Include:
  - Description of vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Response Time:
- Critical: 24 hours
- High: 48 hours
- Medium: 1 week
- Low: 2 weeks
Security fixes are released as soon as possible after verification.
Check the Security tab for all current vulnerabilities.
For contributors:
- Never commit secrets, API keys, or credentials
- Use environment variables for sensitive data
- Review CodeQL alerts before merging PRs
- Keep dependencies up to date
- Run security scans locally before pushing
For users:
- Always use the latest version from main branch
- Report security issues privately via email
- Review security advisories regularly
- Use strong authentication for all services
INSA Automation Corp implements defense-in-depth security:
- Code Analysis: CodeQL static analysis on every commit
- Network Security: Tailscale VPN for all remote access
- IDS/IPS: Suricata with 62,019+ rules
- SIEM: Wazuh central monitoring
- Compliance: IEC 62443 industrial cybersecurity standards
- Container Security: Regular Trivy scans
- Host Hardening: AppArmor, auditd, ClamAV
We maintain compliance with:
- IEC 62443 (Industrial Cybersecurity)
- NIST Cybersecurity Framework 2.0
- CISA Industrial Control Systems guidelines
For compliance documentation, contact: w.aroca@insaing.com