diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..8fc7ca9
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MPL-2.0-or-later
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# All files in the repository
+* @hyperpolymath
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66cda0b..2163761 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,16 +7,20 @@ on: pull_request: branches: [ main, develop ] +permissions: read-all + jobs: # RSR Compliance Check rsr-compliance: name: RSR Compliance Check runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20'
@@ -27,11 +31,13 @@ jobs: lint: name: Lint & Format Check runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20' cache: 'npm'
@@ -51,11 +57,13 @@ jobs: typecheck: name: TypeScript Type Check runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20' cache: 'npm'
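Review bot: The workflow-level `permissions: read-all` added in the first ci.yml hunk is wider than any job here needs; every job in this file overrides it with `contents: read`, so the top-level value should be the floor rather than a broad grant, i.e. `permissions: {}` (or `permissions:` / `contents: read`) with the per-job blocks kept as they are. The same `read-all` default is introduced in php-security.yml and rescript-deno-ci.yml in this commit. Note also that GitHub does not verify the `# v4.1.1`-style comments against the pinned SHA, so the SHA-to-tag mapping should be checked once and then kept in sync by an updater such as Dependabot's github-actions ecosystem, which bumps both the SHA and the comment together.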
@@ -71,11 +79,13 @@ jobs: build: name: Build All Packages runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20' cache: 'npm'
@@ -88,7 +98,7 @@ jobs: continue-on-error: true - name: Upload build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4.6.0 with: name: build-artifacts path: |
@@ -101,11 +111,13 @@ jobs: test: name: Test Suite runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20' cache: 'npm'
@@ -118,7 +130,7 @@ jobs: continue-on-error: true - name: Upload coverage - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 with: files: coverage/lcov.info continue-on-error: true
@@ -127,11 +139,13 @@ jobs: security: name: Security Audit runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20'
@@ -140,7 +154,7 @@ jobs: continue-on-error: true - name: Check for secrets - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4 with: path: ./ base: ${{ github.event.repository.default_branch }}
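Review bot: The move from upload-artifact v3 to v4 in the `build` job (hunk @@ -88) is a major-version change, not only a pin: v4 artifacts cannot be fetched by download-artifact v3, and a second upload under the same name `build-artifacts` fails instead of overwriting. If any other job or workflow downloads this artifact (not visible in the hunk) it has to move to download-artifact v4 in the same change, and a matrix job or re-run that re-uploads `build-artifacts` needs a per-job name or `overwrite: true`. The `path: |` block continues outside the hunk.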
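Review bot: The `security` job's checkout step (hunk @@ -127) is pinned but has no `fetch-depth: 0`, so the runner receives a single commit, while the trufflehog step (hunk @@ -140) is told to diff from `base: ${{ github.event.repository.default_branch }}`; with a shallow clone that base ref is not available locally, so the scan is likely to fail or cover only the head commit. Add `with:` / `fetch-depth: 0` to that checkout step. Separately, on a `push` to the default branch itself, base and head resolve to the same commit and trufflehog is known to report nothing to scan — either set `head:` for pull requests or leave `base` empty on default-branch pushes so the action scans the whole history. The `continue-on-error: true` shown at the top of hunk @@ -140 belongs to the preceding step, whose body is outside the hunk.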
@@ -151,11 +165,13 @@ jobs: docker: name: Docker Build runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6df267d1d40129fc4270f28032d0 # v3.10.0 - name: Build Docker images run: docker-compose build
@@ -165,11 +181,13 @@ jobs: a11y: name: Accessibility Tests runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c483a26c6c # v4.2.0 with: node-version: '20' cache: 'npm'
@@ -181,6 +199,7 @@ jobs: run: npm run test:a11y --workspaces --if-present continue-on-error: true + # Summary ci-summary: name: CI Summary
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
index b25316c..81e889c 100644
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -28,16 +28,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Build with Jekyll - uses: actions/jekyll-build-pages@v1 + uses: actions/jekyll-build-pages@483d13b77a3ddc98f58a1b3910aacc19a7f337c3 # v1.0.13 with: source: ./ destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dee4629d657e # v3.0.1 # Deployment job deploy:
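Review bot: The `docker` job (hunk @@ -151) now pins setup-buildx-action but its build step still runs `docker-compose build`, the Compose v1 binary, which the Ubuntu 24.04 image that `ubuntu-latest` currently resolves to no longer ships; the job will fail on the runner-image side regardless of the pin. Switch to the v2 plugin: `run: docker compose build`. The rest of the docker job is outside the hunk.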
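Review bot: `ci-summary` (hunk @@ -181) is the one job in ci.yml that did not get a `permissions:` block in this commit — only the `# Summary` comment was added above it — so it alone inherits the workflow-level `read-all`. For consistency with the other jobs add `permissions:` / `contents: read` under it, or `permissions: {}` if it only evaluates `needs` results. The job body continues outside the hunk, so which scopes it actually touches is not visible here.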
@@ -49,4 +49,5 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6dbca28e605e47460e141952724c5747a3e723e # v4.0.5
+
diff --git a/.github/workflows/php-security.yml b/.github/workflows/php-security.yml
index 88d17c2..98c49af 100644
--- a/.github/workflows/php-security.yml
+++ b/.github/workflows/php-security.yml
@@ -1,11 +1,17 @@ # SPDX-License-Identifier: MPL-2.0-or-later name: PHP Security Check on: [push, pull_request] + +permissions: read-all + jobs: security: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 + - name: PHP Security Scan run: | # Check for dangerous functions
diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml
index 7ddc82b..910c99c 100644
--- a/.github/workflows/rescript-deno-ci.yml
+++ b/.github/workflows/rescript-deno-ci.yml
@@ -2,14 +2,19 @@ name: ReScript/Deno CI on: [push, pull_request] +permissions: read-all + jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 - - uses: denoland/setup-deno@v1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 + - uses: denoland/setup-deno@9db7efd2d8d10d73081f64624f472263a3d12f20 # v1.1.4 with: deno-version: v1.x + - name: Deno lint run: deno lint
@@ -32,9 +37,12 @@ jobs: security: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v4 - - uses: denoland/setup-deno@v1 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1 + - uses: denoland/setup-deno@9db7efd2d8d10d73081f64624f472263a3d12f20 # v1.1.4 + - name: Check permissions run: | # Audit for dangerous permissions
diff --git a/CII-BEST-PRACTICES.md b/CII-BEST-PRACTICES.md
new file mode 100644
index 0000000..1f2b424
--- /dev/null
+++ b/CII-BEST-PRACTICES.md
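Review bot: In rescript-deno-ci.yml (hunk @@ -2) the `build` job keeps `deno-version: v1.x`, a floating range that resolves to whatever 1.x release is newest at run time — the kind of unpinned toolchain this commit otherwise removes, and one that the new CII-BEST-PRACTICES.md says is pinned. Pin it to an exact release, `deno-version: "<exact-1.x-release>"`, and let the same updater that maintains the action SHAs bump it. The `security` job in hunk @@ -32 should get the same treatment if it carries a `deno-version` in the lines outside the hunk.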
@@ -0,0 +1,29 @@
+# OpenSSF Best Practices (CII) Adherence
+
+This document tracks the project's adherence to the [OpenSSF Best Practices Badge](https://best-practices.coreinfrastructure.org/) criteria.
+
+## Summary
+The Accessibility Everywhere project is committed to following open-source security and quality best practices.
+
+## Change Control
+- **Public Repository**: All source code is hosted on GitHub and is public.
+- **Version Control**: We use Git for version control.
+- **Unique Versioning**: All releases use unique version identifiers (SemVer).
+
+## Reporting
+- **Bug Reporting Process**: Documented in `CONTRIBUTING.md`.
+- **Vulnerability Reporting**: A clear `SECURITY.md` file defines the private reporting process.
+
+## Quality
+- **Automated Builds**: We use GitHub Actions for automated builds and CI.
+- **Testing**: Automated test suites are integrated into the CI pipeline.
+- **New Features**: New functionality is required to have associated tests.
+
+## Security
+- **Secure Development**: We use automated security scanners (CodeQL, Trufflehog, Hypatia).
+- **Dependency Pinning**: All GitHub Actions and critical dependencies are pinned to specific versions/SHAs.
+- **No Hardcoded Secrets**: Scanned via `trufflehog` and `gitleaks`.
+
+## Best Practices
+- **SPDX Headers**: We use SPDX license identifiers in all source files.
+- **Code Review**: All changes require a pull request and code review before merging to `main`.
diff --git a/SECURITY-ACKNOWLEDGMENTS.md b/SECURITY-ACKNOWLEDGMENTS.md
new file mode 100644
index 0000000..7db9fe2
--- /dev/null
+++ b/SECURITY-ACKNOWLEDGMENTS.md
@@ -0,0 +1,9 @@
+# Security Acknowledgments
+
+We would like to thank the following researchers for their contributions to keeping Accessibility Everywhere safe.
+
+## 2026
+- Currently no entries.
+
+## 2025
+- Currently no entries.
diff --git a/tests/fuzz/README.md b/tests/fuzz/README.md
new file mode 100644
index 0000000..ab4e8b5
--- /dev/null
+++ b/tests/fuzz/README.md
@@ -0,0 +1,20 @@
+# Fuzzing for Accessibility Everywhere
+
+This directory contains fuzzing configurations and targets for automated testing of accessibility scanners and parsers.
+
+## Strategy
+
+We use automated fuzzing to ensure that our parsers (DOM, CSS, and ARIA) handle unexpected or malicious input gracefully without crashing.
+
+## Targets
+
+- `fuzz_target_dom.js`: Fuzzes the DOM traversal and ARIA attribute parsing.
+- `fuzz_target_css.js`: Fuzzes the CSS accessibility property extractor.
+
+## Running Fuzzers
+
+Fuzzing is integrated into the CI/CD pipeline via specialized jobs. To run locally:
+
+```bash
+deno test --allow-all tests/fuzz/
+```