
Security: zza-830/CVE-Radar


SECURITY.md

Security Policy

Supported versions

| Version | Supported |
| --- | --- |
| main / latest release | Yes |
| Older tags | Best effort |

Reporting a vulnerability

Please do not open a public GitHub issue for security-sensitive reports.

  1. Preferred: GitHub private security advisory
  2. Or contact maintainers with reproduction steps and impact.

We aim to acknowledge reports within 5 business days.

In scope

  • Authentication bypass, SSRF, or injection in CVE Radar server routes
  • Secret leakage via client bundle or logs
  • Rate-limit bypass or DoS issues on /api/scan or /api/watch (the two routes use separate rate-limit middleware buckets; /scan/validate is exempt from rate limiting)

Out of scope

  • Vulnerabilities inside third-party feeds (NVD, OSV, GitHub, CISA, RSS content)
  • Findings that only affect a misconfigured public deployment (for example an exposed .env file, or admin ports reachable without TLS)
  • Social engineering

Secure deployment

  • Keep NVD_API_KEY, GITHUB_TOKEN, translation keys, webhooks, and API_SECRET in server env or mounted secret files — never commit, ship to the browser, or bake into image layers. See docs/self-hosted/SECRETS.md.
  • For authenticated deployments, set API_SECRET on the server (or point API_SECRET_FILE at a mounted secret file). The UI can send the same value via the build-time VITE_API_KEY variable, but anything prefixed VITE_ is compiled into the client bundle and readable by anyone who can load the UI, so use this only for a single-tenant internal tool. GET /api/health and GET /api/v1/health stay unauthenticated so load balancers can probe them.
  • RBAC: when API_SECRET is set, per-route permissions apply. Set API_ROLE to one of admin, scanner, viewer, or auditor (it defaults to admin for backward compatibility, so set it explicitly on any deployment that should not have full rights). OIDC group mapping is planned for a follow-up.

API roles (when API_SECRET is configured)

| Role | Permissions |
| --- | --- |
| admin | Settings, tenant stack CRUD, scan/watch, translate, read meta and history |
| scanner | Run scan/watch/validate, translate, read meta and history |
| viewer | Read dashboard meta, translate (export UI), scan history; cannot run scans |
| auditor | Read scan history/trends and meta; cannot scan, translate, or change stacks |

Blocked example: with API_ROLE=viewer, POST /api/scan returns 403 with body { "code": "FORBIDDEN" }.
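The following is an added illustration of the role model above and is not CVE Radar's own middleware. It transcribes the role table into a permission matrix and shows the decision order a route guard should take: public health routes first, then the API_SECRET check, then the role check. The header name (x-api-key), the route paths, and the assumption that admin is a superset of scanner are mine, not taken from the project.

```typescript
// Added example, not CVE Radar's own code: a role-based route guard built from
// the role table above. Assumptions: the API key travels in an "x-api-key"
// header, the route paths below, and that admin is a superset of scanner.
import { timingSafeEqual } from "node:crypto";

type Role = "admin" | "scanner" | "viewer" | "auditor";
type Permission =
  | "settings" | "stacks:write" | "scan" | "watch" | "validate"
  | "translate" | "meta:read" | "history:read";

// Permission matrix transcribed from the role table.
const ROLE_PERMISSIONS: Record<Role, ReadonlySet<Permission>> = {
  admin: new Set<Permission>(["settings", "stacks:write", "scan", "watch", "validate",
    "translate", "meta:read", "history:read"]),
  scanner: new Set<Permission>(["scan", "watch", "validate", "translate", "meta:read", "history:read"]),
  viewer: new Set<Permission>(["meta:read", "translate", "history:read"]),
  auditor: new Set<Permission>(["meta:read", "history:read"]),
};

// Health endpoints stay open for load balancers (from the policy text).
const PUBLIC_ROUTES: ReadonlySet<string> = new Set(["GET /api/health", "GET /api/v1/health"]);

// Route -> permission it requires. Paths are assumed for the example.
const ROUTE_PERMISSIONS: ReadonlyMap<string, Permission> = new Map([
  ["POST /api/scan", "scan"],
  ["POST /api/scan/validate", "validate"],
  ["POST /api/watch", "watch"],
  ["POST /api/translate", "translate"],
  ["GET /api/meta", "meta:read"],
  ["GET /api/history", "history:read"],
  ["PUT /api/settings", "settings"],
  ["POST /api/stacks", "stacks:write"],
]);

interface Req { method: string; path: string; headers: Record<string, string | undefined>; }
interface Env { API_SECRET?: string; API_ROLE?: string; }
interface Decision { status: 200 | 401 | 403 | 404; body?: { code: string }; }

// Constant-time comparison; the length check leaks only the key length, which
// timingSafeEqual requires to be equal anyway.
function secretsMatch(presented: string, expected: string): boolean {
  const a = new TextEncoder().encode(presented);
  const b = new TextEncoder().encode(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

function isRole(value: string): value is Role {
  return value in ROLE_PERMISSIONS;
}

function authorize(req: Req, env: Env): Decision {
  const key = `${req.method.toUpperCase()} ${req.path}`;
  if (PUBLIC_ROUTES.has(key)) return { status: 200 };
  const required = ROUTE_PERMISSIONS.get(key);
  if (required === undefined) return { status: 404, body: { code: "NOT_FOUND" } };
  // No API_SECRET configured: the policy says RBAC only applies when it is set.
  if (!env.API_SECRET) return { status: 200 };
  const presented = req.headers["x-api-key"];
  if (presented === undefined || !secretsMatch(presented, env.API_SECRET)) {
    return { status: 401, body: { code: "UNAUTHORIZED" } };
  }
  const roleName = env.API_ROLE ?? "admin"; // default admin, per the policy
  // Fail closed on a typo in API_ROLE rather than silently granting admin.
  if (!isRole(roleName)) return { status: 403, body: { code: "FORBIDDEN" } };
  if (!ROLE_PERMISSIONS[roleName].has(required)) return { status: 403, body: { code: "FORBIDDEN" } };
  return { status: 200 };
}
```

Two details worth keeping when wiring something like this into a real server: the health routes are matched before any credential check so a probe never needs the secret, and an unrecognised API_ROLE is rejected rather than falling through to the admin default.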

  • Run behind HTTPS; restrict who can reach the API port.
  • Tune RATE_LIMIT_SCAN_PER_MIN, RATE_LIMIT_WATCH_PER_MIN, and SCAN_TIMEOUT_MS if the instance is internet-facing (see .env.example).
  • HTTP security headers: in production (NODE_ENV=production) Helmet is enabled and sets CSP, X-Content-Type-Options, Referrer-Policy, and HSTS. Upstream CVE feeds are fetched server-side, so the browser connect-src is 'self' only; the CSP additionally allows Google Fonts and jsDelivr (for the Vazirmatn CSS). See server/middleware/securityHeaders.ts.
  • This tool aggregates public feeds for awareness; validate with vendor advisories before acting.
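As an added illustration of the rate-limit layout described under "In scope" and in the tuning bullet above (not CVE Radar's own code), the block below keeps one fixed-window counter per route family and per client, reads the limits from RATE_LIMIT_SCAN_PER_MIN and RATE_LIMIT_WATCH_PER_MIN, and exempts the validate route. The exact exempt path (/api/scan/validate), keying clients by IP, and the fallback limit of 10 per minute are assumptions made for the example.

```typescript
// Added example, not CVE Radar's own code: fixed-window rate limiting with one
// bucket per route family, mirroring the policy (separate buckets for /api/scan
// and /api/watch, validate exempt). Assumptions: the exempt path is
// /api/scan/validate, clients are keyed by IP, and the fallback limits below.
type Bucket = "scan" | "watch";

interface LimiterConfig { scanPerMin: number; watchPerMin: number; }

interface Verdict { allowed: boolean; bucket: Bucket | null; retryAfterSec?: number; }

// Read the env vars named in the policy; a non-numeric or non-positive value
// falls back to the assumed default instead of disabling the limit.
function configFromEnv(env: Record<string, string | undefined>): LimiterConfig {
  const parsePositive = (raw: string | undefined, fallback: number): number => {
    const n = Number(raw);
    return Number.isInteger(n) && n > 0 ? n : fallback;
  };
  return {
    scanPerMin: parsePositive(env.RATE_LIMIT_SCAN_PER_MIN, 10),
    watchPerMin: parsePositive(env.RATE_LIMIT_WATCH_PER_MIN, 10),
  };
}

// Decide which bucket a request counts against; null means not rate limited.
function bucketFor(method: string, path: string): Bucket | null {
  if (method.toUpperCase() !== "POST") return null;
  if (path === "/api/scan/validate") return null; // exempt, per the policy
  if (path === "/api/scan" || path.startsWith("/api/scan/")) return "scan";
  if (path === "/api/watch" || path.startsWith("/api/watch/")) return "watch";
  return null;
}

class RouteRateLimiter {
  private readonly cfg: LimiterConfig;
  private readonly windowMs: number;
  private readonly windows = new Map<string, { start: number; count: number }>();

  constructor(cfg: LimiterConfig, windowMs = 60_000) {
    this.cfg = cfg;
    this.windowMs = windowMs;
  }

  // `now` (ms since epoch) is injected so the behaviour is testable without sleeping.
  check(clientIp: string, method: string, path: string, now: number): Verdict {
    const bucket = bucketFor(method, path);
    if (bucket === null) return { allowed: true, bucket: null };
    const limit = bucket === "scan" ? this.cfg.scanPerMin : this.cfg.watchPerMin;
    const key = `${bucket}:${clientIp}`; // separate counters per bucket and per client
    let win = this.windows.get(key);
    if (win === undefined || now - win.start >= this.windowMs) {
      win = { start: now, count: 0 };
      this.windows.set(key, win);
    }
    if (win.count >= limit) {
      // Caller maps this to HTTP 429 with a Retry-After header.
      return { allowed: false, bucket, retryAfterSec: Math.ceil((win.start + this.windowMs - now) / 1000) };
    }
    win.count += 1;
    return { allowed: true, bucket };
  }
}
```

Two caveats for an internet-facing instance: derive clientIp from the address your trusted reverse proxy reports, not from an arbitrary X-Forwarded-For header a client can set, and note that an in-memory Map is per process, so a multi-replica deployment needs a shared store for the counters or each replica enforces the limit independently.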

CI

Dependency and code review: npm audit runs in CI, Dependabot keeps dependencies updated, and CodeQL scans main and pull requests.
