
Security: YawLabs/ai-pricing

SECURITY.md

Security policy

This repo handles data that becomes customer-facing cost numbers downstream. Security is a first-class concern.

Reporting a vulnerability

Preferred: Use GitHub's private vulnerability reporting: https://github.com/YawLabs/ai-pricing/security/advisories/new. That opens a private advisory visible only to you and the maintainers. Transport is TLS-only, there is no PGP key to manage, and the whole workflow is auditable.

Fallback: Email security@mcp.hosting. No PGP key is published, so that channel has no end-to-end encryption; keep exploit details for the private advisory where you can. Do not open a public issue.

We commit to:

  • Acknowledge receipt within 72 hours
  • Provide initial assessment within 7 days
  • Coordinate public disclosure on a mutually agreed timeline
  • Credit you in release notes (unless you request anonymity)

Scope

In scope for vulnerability reports

  • Supply-chain attacks via GitHub Actions, dependencies, or build process
  • Price data manipulation that would cause downstream billing misattribution
  • SLSA provenance forgery or verification bypass
  • Signed commit bypass, branch protection bypass
  • Credential exposure in CI logs or committed files
  • Any vulnerability in tooling scripts under scripts/

Out of scope

  • The accuracy of specific price values (file a normal issue/PR)
  • Pricing-page scraping failures (those are reliability, not security)
  • Third-party provider security issues (report to the provider)

Supply-chain controls

GitHub Actions

Policy: every action referenced MUST be pinned to a full commit SHA. Tag-pinning and branch-pinning are blocked by CI.

Example compliant reference:

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Non-compliant:

- uses: actions/checkout@v4  # BLOCKED — mutable tag
- uses: actions/checkout@main # BLOCKED — branch

The action-pinning-check job in .github/workflows/validate.yml enforces this. A PR that references an unpinned action fails that check. Note what a SHA pin does and does not cover: it fixes the action's own code at one commit, but it does not pin anything the action fetches at run time (a container image it pulls, a tool it downloads), so review those references on their own.
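The following is an added example of such a check, written for this page; it is not the project's action-pinning-check from validate.yml. It scans every `uses:` reference in a workflow file and reports anything not pinned to a full 40-hex commit SHA. It goes slightly beyond the rule stated above: abbreviated SHAs, references with no `@ref` at all, and `docker://` images that are not pinned by `@sha256:` digest are rejected too, while local `./` actions are skipped because there is nothing to pin. The sample workflows it writes are constructed for the demo and are not files from the repo.

```shell
#!/usr/bin/env sh
# Added example (not the project's own CI check): report every `uses:` in a
# GitHub Actions workflow that is not pinned to a full 40-hex commit SHA.

# Print one line per violation; return 1 if any were found, 0 otherwise.
check_action_pins() {
  file="$1"
  rc=0
  # Keep the text after `uses:`, drop quotes, then drop any trailing comment.
  refs=$(sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$file" \
           | tr -d "\"'" | sed -E 's/[[:space:]]*#.*$//; s/[[:space:]]+$//')
  for ref in $refs; do
    case "$ref" in
      ./*)                 continue ;;  # local action in this repo: nothing to pin
      docker://*@sha256:*) continue ;;  # container image pinned by digest
      docker://*)
        echo "$file: $ref: docker image must be pinned by @sha256 digest"; rc=1 ;;
      *@*)
        version="${ref##*@}"
        if printf '%s\n' "$version" | grep -qE '^[0-9a-fA-F]{40}$'; then
          continue
        elif printf '%s\n' "$version" | grep -qE '^[0-9a-fA-F]{7,39}$'; then
          echo "$file: $ref: abbreviated SHA, need all 40 hex characters"; rc=1
        else
          echo "$file: $ref: mutable ref '$version' (tag or branch)"; rc=1
        fi ;;
      *)
        echo "$file: $ref: no @ref given"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample workflows for a stand-alone demo (not files from the repo).
write_sample_workflows() {
  dir="$1"
  cat > "$dir/good.yml" <<'EOF'
name: constructed sample
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: ./.github/actions/local-helper
      - uses: "docker://ghcr.io/example/tool@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
EOF
  cat > "$dir/bad.yml" <<'EOF'
name: constructed sample
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # mutable tag
      - uses: actions/checkout@main # branch
      - uses: actions/setup-node@1a4442c # abbreviated SHA (made-up value)
      - uses: docker://alpine:3.20  # image tag, not a digest
      - uses: actions/cache
EOF
}

# Usage: sh check-pins.sh .github/workflows/*.yml
if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do
    check_action_pins "$f" || status=1
  done
  exit "$status"
fi
```

Run it over `.github/workflows/*.yml` in CI and fail the job on a non-zero exit. The regex-on-lines approach is deliberate: it catches `uses:` inside reusable-workflow jobs as well as steps, and it does not need a YAML parser on the runner.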

Dependencies

  • Dependabot enabled, security-only updates auto-merged for patch versions after CI passes
  • Dependency review action runs on every PR (fails the PR if it introduces a dependency with a known high-severity vulnerability)
  • CodeQL runs weekly + on every PR

Release integrity

Every tagged release ships with:

  1. SLSA Build Level 3 provenance (provenance.intoto.jsonl) generated by slsa-framework/slsa-github-generator
  2. SBOM (CycloneDX + SPDX) — generated by anchore/sbom-action
  3. Signed tag — release tags are GPG-signed by maintainer
  4. Immutable release artifacts — tarball + checksum, never overwritten

Verify a release yourself with the slsa-verifier instructions in the README.

Signing + provenance

  • Commit signing: required_signatures is not currently enabled on main; see the outstanding item in the posture checklist below
  • Tag signing: release tags are GPG-signed
  • Artifact provenance: SLSA Level 3 provenance attached to every GitHub release (OIDC-signed, no long-lived token); verifiable with slsa-verifier
  • Keyless signing: Sigstore cosign via GitHub OIDC for release artifacts
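The README holds the project's own slsa-verifier instructions; what follows is an added example written for this page, not the project's script, showing the whole chain a downloader can check: the GPG-signed tag, the published checksum, the SLSA provenance, and the keyless cosign signature. File names are assumptions: a tarball named ai-pricing-<tag>.tar.gz, a SHA256SUMS list in sha256sum format, provenance.intoto.jsonl as named above, and a cosign bundle named <tarball>.sigstore.json. The signer identity pattern assumes the signing runs in .github/workflows/release.yml on a v* tag; compare it with what cosign prints before trusting it. The demo release it writes is constructed so the checksum step can run offline.

```shell
#!/usr/bin/env sh
# Added example (not the README's instructions): verify a tagged release.

REPO_URI="github.com/YawLabs/ai-pricing"
OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Assumed signer identity: release.yml running on a v* tag in this repo.
SIGNER_RE="^https://github.com/YawLabs/ai-pricing/\.github/workflows/release\.yml@refs/tags/v"

# SHA-256 of a file, portable across sha256sum (coreutils) and shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Compare an artifact's SHA-256 with its entry in a sha256sum-format list.
# Detects corruption or swapped downloads; it is not a signature check.
verify_checksums() {
  sums="$1"; artifact="$2"
  name=$(basename "$artifact")
  expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
  actual=$(sha256_of "$artifact")
  [ "$expected" = "$actual" ]
}

# Full chain for one release. Run inside a clone of the repo with the
# release files downloaded into the working directory.
verify_release() {
  tag="$1"
  tarball="ai-pricing-$tag.tar.gz"            # assumed naming
  # 1. The tag itself: fails on an unsigned tag or a key not in your keyring.
  git verify-tag "$tag" || return 1
  # 2. The download matches the published checksum.
  verify_checksums SHA256SUMS "$tarball" || return 1
  # 3. SLSA provenance binds the tarball hash to this repo, this tag and the
  #    trusted builder; a forged or re-signed artifact fails here.
  slsa-verifier verify-artifact "$tarball" \
    --provenance-path provenance.intoto.jsonl \
    --source-uri "$REPO_URI" \
    --source-tag "$tag" || return 1
  # 4. Keyless cosign: the Fulcio certificate must name the release workflow
  #    as the signer and GitHub Actions as the OIDC issuer.
  cosign verify-blob "$tarball" \
    --bundle "$tarball.sigstore.json" \
    --certificate-identity-regexp "$SIGNER_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" || return 1
  echo "release $tag verified"
}

# Constructed stand-in for a downloaded release so verify_checksums can be
# exercised offline; the tag, provenance and cosign steps need the network.
write_demo_release() {
  dir="$1"
  printf 'not a real tarball\n' > "$dir/ai-pricing-v0.0.0.tar.gz"
  printf '%s  %s\n' "$(sha256_of "$dir/ai-pricing-v0.0.0.tar.gz")" \
    ai-pricing-v0.0.0.tar.gz > "$dir/SHA256SUMS"
}

# Usage: sh verify-release.sh v1.2.3
if [ "$#" -eq 1 ]; then
  verify_release "$1" || exit 1
fi
```

The order matters less than completeness: the checksum step only proves the bytes match what was listed, so on its own it is defeated by an attacker who replaces both files. The provenance and cosign steps are what tie the bytes to this repository and its release workflow; do not skip them because the checksum matched.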

Threat model

See THREAT_MODEL.md for the full STRIDE-style analysis.

Incident response

If a compromise is confirmed:

  1. Immediate: affected GitHub releases marked as compromised; public issue opened with [SECURITY] tag describing scope
  2. Within 24h: post-mortem draft published; all users notified via GitHub Security Advisory
  3. Within 7d: fix released with a new version + SLSA provenance; full post-mortem published

Our response benchmark is the LiteLLM March 2026 incident — 40 minutes to PyPI quarantine after public disclosure. We aim for the same or better.

Current security posture checklist

Implemented:

  • All GitHub Actions SHA-pinned, enforced by action-pinning-check in .github/workflows/validate.yml
  • Dependabot enabled (.github/dependabot.yml)
  • CodeQL scanning enabled (.github/workflows/codeql.yml)
  • Dependency review on PRs (.github/workflows/dependency-review.yml)
  • SBOM generation on every release (anchore/sbom-action in .github/workflows/release.yml)
  • SLSA Level 3 provenance on every release (slsa-framework/slsa-github-generator in .github/workflows/release.yml)
  • Branch protection rules version-controlled in repo (docs/branch-protection.md + docs/branch-protection-payload.json)
  • Public threat model documented (THREAT_MODEL.md)
  • Security contact published (security@mcp.hosting + GitHub private vulnerability reporting)
  • Branch protection rules applied to main via GitHub rulesets (docs/branch-protection.md documents ruleset IDs 15144744 + 15144663)
  • Signed-tag enforcement on the v* tag pattern (ruleset 15144663)

Outstanding (tracked as known gaps; PRs welcome):

  • Signed commits required on main. Deliberately not enforced — solo maintainer without local signing configured. Re-enable by adding { "type": "required_signatures" } to docs/branch-protection-payload.json and re-applying.

Distribution

This project distributes via GitHub releases only (tarball + SLSA provenance + SBOM). It does not publish to npm. The package.json exists solely for local validator tooling and is marked "private": true.

Checkmarks updated as each control lands. See commit history for evidence.
