diff --git a/.gitignore b/.gitignore index f8ddaa9..933cae7 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,21 @@ build dist docs/_build venv +*.pyc +*.pyo +*.pyd +.Python +env/ +ENV/ +.env +.venv +pip-log.txt +pip-delete-this-directory.txt +.coverage +htmlcov/ +.tox/ +.hypothesis/ +*.egg +.eggs/ +*.log +.DS_Store diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..cd10141 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,79 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [0.5.0] - 2024-12-XX + +### Added +- **I/O Mode**: New `cdp.connection` module providing WebSocket I/O, JSON-RPC framing, and command multiplexing +- **8 New Domains**: Extensions, FedCm, DeviceAccess, FileSystem, Autofill, BluetoothEmulation, PWA, Preload +- **Privacy Sandbox APIs**: Comprehensive support for Attribution Reporting, Shared Storage, Interest Groups/FLEDGE +- Security-focused APIs for testing federated authentication, device permissions, and extension boundaries +- Bounce tracking mitigation testing capabilities +- IP protection proxy status and control +- Related Website Sets (First-Party Sets) support +- Form security issue detection via Audits domain +- Privacy Sandbox enrollment override for testing +- Enhanced cookie controls for third-party cookie testing + +### Changed +- Updated to Chrome DevTools Protocol version 1.3 (latest) +- Fixed same-domain type reference bug in code generator (e.g., `Network.TimeSinceEpoch` now correctly resolves) +- Improved code generator to protect manually-written files (connection.py, util.py) +- `page.navigate()` now returns 4 values instead of 3 (added `is_download` parameter) + +### Removed +- **Breaking Change**: Removed deprecated Database domain (use IndexedDB, Storage, or Cache Storage APIs instead) + +### Security +- Added comprehensive security testing capabilities for Privacy Sandbox +- Enhanced storage domain with privacy-preserving measurement APIs +- Added attribution reporting and shared storage tracking +- Improved form security auditing + +## [0.4.0] - Previous Release + +### Added +- Initial sans-I/O implementation +- Type wrappers for Chrome DevTools Protocol +- Automatic code generation from CDP specification +- 
Support for Python 3.7+ + +## Migration Guide + +### From 0.4.x to 0.5.0 + +#### Database Domain Removed +```python +# Old (no longer works) +from cdp import database +await conn.execute(database.some_command()) + +# New - Use IndexedDB instead +from cdp import indexed_db +await conn.execute(indexed_db.request_database_names(security_origin="https://example.com")) +``` + +#### page.navigate() Return Signature Changed +```python +# Old (3 values) +frame_id, loader_id, error_text = await conn.execute(page.navigate(url="...")) + +# New (4 values - added is_download) +frame_id, loader_id, error_text, is_download = await conn.execute(page.navigate(url="...")) +``` + +## Links + +- [Repository](https://github.com/HyperionGray/python-chrome-devtools-protocol) +- [Documentation](https://py-cdp.readthedocs.io) +- [PyPI](https://pypi.org/project/chrome-devtools-protocol/) +- [Chrome DevTools Protocol](https://chromedevtools.github.io/devtools-protocol/) + +--- + +For detailed security-relevant updates, see [SECURITY.md](SECURITY.md). +For implementation details, see [IMPLEMENTATION.md](IMPLEMENTATION.md). diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..b3e66b6 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,127 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at the project +repository. All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. 
This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by [Mozilla's code of conduct +enforcement ladder](https://github.com/mozilla/diversity). + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at +https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..2ff26a8 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,143 @@ +# Contributing to PyCDP + +Thank you for your interest in contributing to Python Chrome DevTools Protocol (PyCDP)! This document provides guidelines for contributing to the project. + +## Getting Started + +### Prerequisites + +- Python 3.7 or higher +- [Poetry](https://python-poetry.org/) for dependency management + +### Setting Up Your Development Environment + +1. Fork the repository on GitHub +2. Clone your fork locally: + ```bash + git clone https://github.com/YOUR_USERNAME/python-chrome-devtools-protocol.git + cd python-chrome-devtools-protocol + ``` +3. Install dependencies: + ```bash + poetry install + ``` + +## Development Workflow + +### Code Generation + +This project automatically generates Python wrappers from the Chrome DevTools Protocol specification. Most code in the `cdp/` directory (except `connection.py` and `util.py`) is auto-generated. + +To regenerate the protocol wrappers: +```bash +poetry run make generate +``` + +### Running Tests + +Run the test suite: +```bash +poetry run make test-cdp +poetry run make test-generate +``` + +Or run all checks: +```bash +poetry run make +``` + +### Type Checking + +We use mypy for static type checking: +```bash +poetry run make mypy-cdp +poetry run make mypy-generate +``` + +### Building Documentation + +To build the documentation: +```bash +poetry run make docs +``` + +## Making Changes + +### Code Style + +- Follow PEP 8 style guidelines +- Use type hints for all function signatures +- Keep code clear and well-documented + +### Commit Messages + +- Use clear and descriptive commit messages +- Reference issue numbers when applicable +- Keep commits focused on a single change + +### Pull Requests + +1. Create a new branch for your changes: + ```bash + git checkout -b feature/your-feature-name + ``` +2. Make your changes and commit them +3. Push to your fork and submit a pull request +4. Ensure all tests pass and type checking succeeds +5. 
Provide a clear description of your changes + +## What to Contribute + +### Areas for Contribution + +- **Bug fixes**: Fix issues in the connection module or utility functions +- **Documentation**: Improve examples, tutorials, or API documentation +- **Tests**: Add test coverage for existing functionality +- **Examples**: Add new usage examples in the `examples/` directory + +### Code Generation Changes + +If you need to modify code generation: +- Edit files in the `generator/` directory +- Run the generator and verify the output +- Ensure all tests still pass +- Add tests for your generator changes + +### Protocol Updates + +The protocol definitions are automatically fetched from the Chrome DevTools Protocol repository. If you need to update to a newer protocol version, please open an issue first to discuss the change. + +## Reporting Issues + +### Bug Reports + +When reporting bugs, please include: +- Python version +- PyCDP version +- Steps to reproduce +- Expected vs. actual behavior +- Error messages or stack traces + +### Feature Requests + +For feature requests: +- Clearly describe the feature +- Explain the use case +- Consider if it fits the project's scope + +## Code of Conduct + +Please be respectful and constructive in all interactions. We are committed to providing a welcoming and inclusive environment for all contributors. + +## Questions? + +If you have questions about contributing, please: +- Check existing issues and pull requests +- Open a new issue with your question +- Tag it appropriately for visibility + +## License + +By contributing to PyCDP, you agree that your contributions will be licensed under the MIT License. + +Thank you for contributing to PyCDP! diff --git a/README.md b/README.md index 70504e3..fb71eb1 100644 --- a/README.md +++ b/README.md 
@@ -79,10 +79,6 @@ See the [examples directory](examples/) for more usage patterns. For users who prefer to manage their own I/O: -## Sans-I/O Mode (Original) - -For users who prefer to manage their own I/O: - ```python from cdp import page 
@@ -90,6 +86,65 @@ frame_id = page.FrameId('my id') assert repr(frame_id) == "FrameId('my id')" ``` +## API Reference + +PyCDP provides Python wrappers for all Chrome DevTools Protocol domains. Here are some commonly used domains: + +### Core Domains +- **`cdp.page`** - Page navigation, lifecycle, and screenshot capabilities +- **`cdp.network`** - Network request/response monitoring and modification +- **`cdp.runtime`** - JavaScript runtime interaction and evaluation +- **`cdp.dom`** - DOM tree inspection and manipulation +- **`cdp.debugger`** - JavaScript debugging capabilities + +### Browser Control +- **`cdp.browser`** - Browser-level operations and window management +- **`cdp.target`** - Target (tab/page) creation and management +- **`cdp.emulation`** - Device emulation and viewport control +- **`cdp.input_`** - Input event simulation (mouse, keyboard, touch) + +### Monitoring & Analysis +- **`cdp.performance`** - Performance metrics and profiling +- **`cdp.console`** - Console message handling +- **`cdp.log`** - Log entry handling +- **`cdp.tracing`** - Chrome tracing for performance analysis + +### Storage & Security +- **`cdp.storage`** - Storage management (cookies, cache, IndexedDB, Privacy Sandbox) +- **`cdp.security`** - Security state and certificate information +- **`cdp.audits`** - Automated security and privacy issue detection +- **`cdp.fetch`** - Network request interception and modification + +### Advanced Features +- **`cdp.extensions`** - Browser extension management and testing +- **`cdp.fed_cm`** - Federated Credential Management (FedCM) testing +- **`cdp.device_access`** - Device permission prompt handling +- **`cdp.web_authn`** - WebAuthn virtual authenticator support + +For complete API documentation, see the [full documentation](https://py-cdp.readthedocs.io). + +## Examples + +Check the [examples directory](examples/) for practical usage examples. + +## Contributing + +We welcome contributions! 
Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. + +## Security + +For security-related matters, please see [SECURITY.md](SECURITY.md). + +## Changelog + +See [CHANGELOG.md](CHANGELOG.md) for version history and migration guides. + +## Documentation + For more information, see the [complete documentation](https://py-cdp.readthedocs.io). +## License + +This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details. + define hyperion gray diff --git a/SECURITY_UPDATES.md b/SECURITY.md similarity index 86% rename from SECURITY_UPDATES.md rename to SECURITY.md index 669d78f..05faee8 100644 --- a/SECURITY_UPDATES.md +++ b/SECURITY.md @@ -1,3 +1,34 @@ +# Security Policy + +## Reporting Security Vulnerabilities + +If you discover a security vulnerability in PyCDP, please report it by: + +1. **Do NOT** open a public issue +2. Email the maintainers directly (see repository for contact information) +3. Include detailed information about the vulnerability: + - Description of the issue + - Steps to reproduce + - Potential impact + - Suggested fix (if available) + +We will respond to security reports within 48 hours and work with you to address the issue promptly. + +## Security Scanning Setup + +For information on setting up automated security scanning for this project, see [SECURITY_SETUP.md](SECURITY_SETUP.md). + +## Supported Versions + +We provide security updates for the following versions: + +| Version | Supported | +| ------- | ------------------ | +| 0.5.x | :white_check_mark: | +| < 0.5 | :x: | + +--- + # Security-Relevant API Updates This document highlights the security-relevant additions to the Chrome DevTools Protocol implementation in this update. 
@@ -223,7 +254,9 @@ frame_id, loader_id, error_text, is_download = await conn.execute(page.navigate( ## Examples -See `/tmp/security_examples.py` for comprehensive code examples demonstrating all new security APIs. +For practical examples demonstrating the security-focused APIs, see the [examples directory](examples/) and the usage examples throughout this document. + +You can also refer to the [Chrome DevTools Protocol documentation](https://chromedevtools.github.io/devtools-protocol/) for additional examples and specifications. ## Version Information diff --git a/SECURITY_SETUP.md b/SECURITY_SETUP.md new file mode 100644 index 0000000..9e846cd --- /dev/null +++ b/SECURITY_SETUP.md 
@@ -0,0 +1,412 @@ +# Security Scanning Setup Guide + +This document provides instructions for setting up automated security scanning for the PyCDP project. + +## Overview + +Automated security scanning helps identify vulnerabilities in dependencies, detect hardcoded secrets, and ensure code follows security best practices. + +## Recommended Security Tools + +### 1. Dependabot (GitHub Native) + +Dependabot automatically checks for dependency vulnerabilities and creates pull requests to update vulnerable dependencies. + +**Setup:** +1. Go to your repository's Settings → Security & analysis +2. Enable "Dependabot alerts" +3. Enable "Dependabot security updates" +4. (Optional) Enable "Dependabot version updates" + +**Configuration:** Create `.github/dependabot.yml`: + +```yaml +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + reviewers: + - "your-team" + labels: + - "dependencies" + - "security" +``` + +### 2. CodeQL (GitHub Native) + +CodeQL performs semantic code analysis to find security vulnerabilities. + +**Setup:** +Create `.github/workflows/codeql-analysis.yml`: + +```yaml +name: "CodeQL" + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '0 0 * * 1' # Weekly on Monday + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: python + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 +``` + +### 3. Safety (Python Dependency Scanner) + +Safety checks Python dependencies for known security vulnerabilities. 
+ +**Installation:** +```bash +poetry add --group dev safety +``` + +**Usage:** +```bash +poetry run safety check +``` + +**CI Integration:** Add to your workflow: + +```yaml +- name: Check dependencies for vulnerabilities + run: poetry run safety check --json +``` + +### 4. Bandit (Python Security Linter) + +Bandit finds common security issues in Python code. + +**Installation:** +```bash +poetry add --group dev bandit +``` + +**Usage:** +```bash +poetry run bandit -r cdp/ generator/ -ll +``` + +**Configuration:** Create `.bandit`: + +```yaml +exclude_dirs: + - /test/ + - /docs/ +tests: + - B201 # Flask debug mode + - B301 # Pickle usage + - B302 # Marshal usage + - B303 # MD5/SHA1 usage + - B304 # Insecure ciphers + - B305 # Insecure cipher modes + - B306 # mktemp usage + - B307 # eval usage + - B308 # mark_safe usage + - B309 # HTTPSConnection + - B310 # URL open + - B311 # Random usage + - B312 # Telnet usage + - B313 # XML parsing vulnerabilities + - B314 # XML element tree vulnerabilities + - B315 # XML expat vulnerabilities + - B316 # XML sax vulnerabilities + - B317 # XML minidom vulnerabilities + - B318 # XML pull DOM vulnerabilities + - B319 # XML etree vulnerabilities + - B320 # XML lxml vulnerabilities + - B321 # FTP usage + - B323 # Unverified SSL context + - B324 # Insecure hash functions + - B325 # Tempfile usage + - B401 # Import telnetlib + - B402 # Import ftplib + - B403 # Import pickle + - B404 # Import subprocess + - B405 # Import xml.etree + - B406 # Import xml.sax + - B407 # Import xml.dom + - B408 # Import xml.minidom + - B409 # Import xml.pulldom + - B410 # Import lxml + - B411 # Import xmlrpc + - B412 # Import httpoxy + - B413 # Import pycrypto + - B501 # Request with verify=False + - B502 # SSL with bad defaults + - B503 # SSL with bad version + - B504 # SSL with bad ciphers + - B505 # Weak cryptographic key + - B506 # YAML load + - B507 # SSH with bad defaults + - B508 # SNI missing + - B509 # MD5 hash + - B601 # Shell=True in subprocess 
+ - B602 # Shell=True in popen + - B603 # Untrusted input in subprocess + - B604 # Shell=True with call + - B605 # Starting process with shell + - B606 # No shell escape + - B607 # Start process with partial path + - B608 # SQL injection + - B609 # Linux commands wildcard + - B610 # Django extra + - B611 # Django rawsql + - B612 # Logging config dictConfig + - B701 # Jinja2 autoescape + - B702 # Mako templates + - B703 # Django mark safe +``` + +### 5. pip-audit (Python Package Auditing) + +pip-audit scans Python packages for known vulnerabilities. + +**Installation:** +```bash +pip install pip-audit +``` + +**Usage:** +```bash +pip-audit +``` + +### 6. Secret Scanning (GitHub Native) + +GitHub automatically scans repositories for known types of secrets. + +**Setup:** +1. Go to repository Settings → Security & analysis +2. Enable "Secret scanning" +3. Enable "Push protection" to prevent accidental secret commits + +### 7. Trivy (Container & Dependency Scanner) + +Trivy scans for vulnerabilities in dependencies and containers. + +**Usage:** +```bash +trivy fs --severity HIGH,CRITICAL . +``` + +## Recommended CI/CD Security Workflow + +Create `.github/workflows/security.yml`: + +```yaml +name: Security Scanning + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '0 0 * * 1' # Weekly + +jobs: + security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install Poetry + uses: snok/install-poetry@v1 + + - name: Install dependencies + run: poetry install + + - name: Run Safety + run: poetry run safety check --json + continue-on-error: true + + - name: Run Bandit + run: poetry run bandit -r cdp/ generator/ -ll + continue-on-error: true + + - name: Run pip-audit + run: | + pip install pip-audit + pip-audit + continue-on-error: true +``` + +## Best Practices + +### 1. 
Keep Dependencies Updated +- Regularly update dependencies with `poetry update` +- Review and merge Dependabot PRs promptly +- Test updates in a staging environment first + +### 2. Validate User Input +- Always validate and sanitize external inputs +- Use parameterized queries for database operations +- Validate WebSocket messages received from browsers + +### 3. Secure Credential Management +- Never commit secrets to version control +- Use environment variables for sensitive data +- Use secrets management services (AWS Secrets Manager, HashiCorp Vault, etc.) + +### 4. Code Review +- Require code reviews for all changes +- Use automated security checks in CI/CD +- Review security alerts promptly + +### 5. Regular Audits +- Run security scans regularly (weekly/monthly) +- Review security advisories for dependencies +- Perform periodic manual security reviews + +## Amazon Q Developer Integration + +To enable Amazon Q for enhanced security scanning: + +### Prerequisites +- AWS account with Amazon Q Developer access +- AWS credentials configured + +### Setup Steps + +1. **Install Amazon Q CLI:** + - Amazon Q CLI is currently in preview + - Visit the [AWS documentation](https://aws.amazon.com/q/developer/) for the latest installation instructions + - Configure AWS credentials: + ```bash + aws configure + ``` + +2. **Configure Repository Access:** + - Add AWS credentials to repository secrets (Settings → Secrets and variables → Actions): + - `AWS_ACCESS_KEY_ID` + - `AWS_SECRET_ACCESS_KEY` + - `AWS_REGION` + +3. **Enable Amazon CodeWhisperer:** + - Install CodeWhisperer IDE extension from your IDE marketplace + - Sign in with AWS Builder ID or IAM credentials + - Enable security scanning in CodeWhisperer settings + - Review security findings in the CodeWhisperer panel + +4. **Custom Review Rules:** + - Define project-specific security rules in your repository + - Configure scanning frequency based on your needs + - Set up notification channels (email, Slack, etc.) 
+ +### Amazon Q Workflow Integration + +When Amazon Q CLI becomes generally available, create `.github/workflows/amazonq-security.yml`: + +```yaml +name: Amazon Q Security Review + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + amazonq-review: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + + - name: Run Amazon Q Security Scan + run: | + # Note: This is a placeholder for when Amazon Q CLI becomes generally available + # Check AWS documentation for the latest Amazon Q CLI commands + # Example future commands might include: + # amazon-q scan --repository . --output security-report.json + echo "Amazon Q CLI integration - awaiting general availability" + echo "Visit https://aws.amazon.com/q/developer/ for updates" + + - name: Upload Security Report + uses: actions/upload-artifact@v4 + with: + name: amazonq-security-report + path: security-report.json +``` + +## Monitoring and Response + +### Security Alert Handling + +1. **Critical/High Severity:** + - Review immediately + - Patch within 24-48 hours + - Deploy hotfix if necessary + +2. **Medium Severity:** + - Review within 1 week + - Plan patch for next release + - Document mitigation steps + +3. **Low Severity:** + - Review during regular maintenance + - Update in next minor release + - Add to backlog if not urgent + +### Incident Response + +If a security vulnerability is discovered: + +1. Assess severity and impact +2. Create a private security advisory +3. Develop and test a fix +4. Coordinate disclosure with affected parties +5. Release patch and security advisory +6. 
Update SECURITY.md with details + +## Resources + +- [GitHub Security Best Practices](https://docs.github.com/en/code-security) +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Python Security Best Practices](https://python.readthedocs.io/en/latest/library/security_warnings.html) +- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/) +- [Chrome DevTools Protocol Security](https://chromedevtools.github.io/devtools-protocol/) + +## Contact + +For security concerns, please see [SECURITY.md](SECURITY.md) for reporting procedures.
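Review bot: in the new CHANGELOG.md (the `@@ -0,0 +1,79 @@` hunk) the `page.navigate()` arity change ("now returns 4 values instead of 3") is filed under "Changed" although it breaks every existing tuple unpacking, exactly like the Database removal that the same hunk labels "Breaking Change"; flag it the same way so the migration section at the bottom is not the only place a reader learns that 0.4.x code stops working. Two placeholders also need filling before this ships: the release date `2024-12-XX`, and the `[0.4.0] - Previous Release` header, which under the Keep a Changelog format the file says it follows should carry a date. "Updated to Chrome DevTools Protocol version 1.3 (latest)" will go stale; record the upstream devtools-protocol revision the generator was run against, since that, not "1.3", determines which domains and parameters this release wraps. `Support for Python 3.7+` is listed while the security workflow in this same patch runs on 3.11 and 3.7 has been end of life since June 2023, so either raise the floor or reword. Finally, `database.some_command()` in the migration snippet is a placeholder; the "Old" side should show a command that actually existed so users can grep for it.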
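Review bot: the Enforcement section of the new CODE_OF_CONDUCT.md says reports go to "the community leaders responsible for enforcement at the project repository", which leaves the Contributor Covenant's contact-method placeholder effectively unfilled; name a concrete channel (an email address or a link to the repository's reporting form) so that someone reporting harassment is not left to open a public issue about it.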
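Review bot: the "Protocol Updates" subsection of the new CONTRIBUTING.md says the protocol definitions are fetched automatically from the Chrome DevTools Protocol repository, but nothing in the file says which revision `poetry run make generate` fetches or how the fetched spec is verified, so regenerating on two different days can silently produce different wrappers. Document the pinned upstream commit or tag, and have the generator warn (or refuse) when the fetched spec differs from it; the CHANGELOG in this same patch records a spec version, and the two should point at the same thing. The Prerequisites also state Python 3.7 while the security workflow added alongside this file runs 3.11; pick one floor and state it in both places.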
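Review bot: the first README hunk (`@@ -79,10 +79,6 @@`) deletes the duplicated `## Sans-I/O Mode (Original)` heading together with one copy of its lead-in, but the surviving lead-in `For users who prefer to manage their own I/O:` now follows the "See the examples directory" sentence directly, so the sans-I/O snippet renders under whatever section precedes it; check that the preceding heading still describes that snippet, otherwise keep the heading and drop the duplicate sentence instead.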
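Review bot: the last added line of the second README hunk (`@@ -90,6 +86,65 @@`), `define hyperion gray`, is stray editor or shell residue after the License section and should be removed before merge. In the same hunk the API reference lists `cdp.input_` with a trailing underscore; a one-line remark explaining it (presumably the generator appends `_` to avoid shadowing the builtin `input`) would save readers an ImportError from `from cdp import input`. The description of `cdp.audits` as "Automated security and privacy issue detection" also oversells the domain: Audits surfaces issues the browser has already flagged (mixed content, cookie problems, the form-security issues the CHANGELOG mentions), it does not scan the page for you.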
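Review bot: the new reporting section at the top of SECURITY.md (`@@ -1,3 +1,34 @@`) says "Email the maintainers directly (see repository for contact information)" but gives no address, and the README in this same patch only points back to SECURITY.md, so a reporter ends up in a loop; put an actual address here, or enable GitHub private vulnerability reporting and link its "Report a vulnerability" form, which fits the GitHub-native tooling the patch already leans on. The Supported Versions table marks `0.5.x` as the only supported line while the CHANGELOG still dates 0.5.0 as `2024-12-XX`; until it is tagged, every existing user is on an unsupported version, so keep 0.4.x supported until 0.5.0 ships or note the cut-over date. The 48-hour commitment should say what it covers (an acknowledgement, not a fix) so it does not conflict with the 24-48-hour patch window in SECURITY_SETUP.md.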
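Review bot: replacing the `/tmp/security_examples.py` reference in the SECURITY.md Examples hunk (`@@ -223,7 +254,9 @@`) is the right call, since a path on the author's machine was never reachable for readers, but the replacement now promises that `examples/` demonstrates the security-focused APIs; confirm that directory actually contains such examples before merging, otherwise the new pointer is as dead as the old one.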
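Review bot: the `.github/dependabot.yml` example in SECURITY_SETUP.md covers only the `pip` ecosystem, yet the same document introduces workflows that pull `actions/checkout@v4`, `github/codeql-action/init@v3`, `snok/install-poetry@v1` and others by floating major tag; add a second `package-ecosystem: "github-actions"` entry so those get the same update PRs, and consider pinning the actions to commit SHAs. `reviewers: - "your-team"` is a placeholder and needs a real team or user, or the key should be dropped.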
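Review bot: the `.bandit` file shown in the Bandit section is written as YAML, but Bandit reads a file named `.bandit` as INI (a `[bandit]` section with `exclude`, `tests`, `skips`); the YAML form with `exclude_dirs` is only honoured when passed explicitly with `-c`, so `poetry run bandit -r cdp/ generator/ -ll` as documented will ignore the whole file. Beyond the format, enumerating nearly every test ID under `tests:` is counterproductive: that list is already Bandit's default, and an explicit allow-list means any check added in a future Bandit release is silently never run. Drop the `tests` key and use `skips` for the few you actually want suppressed. Several inline comments also do not match the plugin IDs (B502 and B503 are swapped, and B508/B509 are Bandit's SNMP checks, not "SNI missing" and "MD5 hash"), which is one more reason not to hand-maintain the list.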
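Review bot: in the recommended `security.yml`, all three scanner steps (Safety, Bandit, pip-audit) carry `continue-on-error: true`, so a HIGH finding yields a green check and nobody is forced to look; fail the job on HIGH/CRITICAL at minimum and upload the JSON output as an artifact (or SARIF to code scanning) so findings are visible somewhere. The pip-audit step also audits the wrong environment: `pip install pip-audit` followed by a bare `pip-audit` installs into and scans the runner's system interpreter, not the Poetry virtualenv that `poetry install` populated. Either add pip-audit as a dev dependency and run `poetry run pip-audit`, or export the lock file to requirements format and pass it with `pip-audit -r`. Running Safety and pip-audit side by side is largely redundant, and `safety check` is the legacy command in current Safety releases, so pip-audit alone (it needs no account) is the simpler choice. Finally, this workflow has no `permissions:` block while the CodeQL workflow in the same document correctly scopes to `contents: read` plus `security-events: write`; add the same least-privilege block here.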
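Review bot: the Amazon Q section tells contributors to store long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` in repository secrets, but `aws-actions/configure-aws-credentials@v4`, which the placeholder workflow already uses, supports GitHub OIDC via `role-to-assume`, giving each job short-lived credentials and removing the standing secret entirely; recommend that instead, and drop the `AWS_REGION` secret, which the workflow never reads (it hardcodes `us-east-1`). The workflow itself is a stub: the scan step only runs `echo`, and the following `upload-artifact` step then looks for a `security-report.json` that nothing created. A workflow that can never produce a finding should not sit in the project's security guide as a ready-to-copy file; move it to an issue tracking the integration or mark it non-functional at the top of the section. The section also mixes product names: CodeWhisperer was folded into Amazon Q Developer in 2024, so step 3's IDE instructions describe the same product under its older name.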
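Review bot: under Best Practices, "Use parameterized queries for database operations" does not apply to this code base, which is a protocol wrapper with no database layer; the relevant item is "Validate WebSocket messages received from browsers", which deserves the detail instead (for example: treat every frame from the browser as untrusted, cap frame size before JSON parsing, and discard responses whose `id` matches no outstanding command). In Resources, the "Python Security Best Practices" link points at `python.readthedocs.io`, which is not the Python documentation host; the page lives at `https://docs.python.org/3/library/security_warnings.html`. The "Chrome DevTools Protocol Security" entry links to the generic protocol index, which has no security content, so either link something specific or retitle it.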