Welcome to the BB Toolkit repository. Your security is important to us, and we take secure development practices seriously. This document outlines the security practices, disclosure guidelines, and repository protections we follow.
We enforce the following branch protection rules on the main branch:
- ✅ Require a pull request before merging
- ✅ Require linear history (no merge commits)
- ✅ Require review from Code Owners
- ✅ Require branches to be up to date before merging
- ✅ Require status checks to pass
- ✅ Block force pushes
- ✅ Restrict deletions
- Recommended: Require signed commits (optional for solo devs)
We support integration with CodeQL or other static analysis tools. You can:
- Enable GitHub Advanced Security on the repo
- Add a `codeql.yml` workflow to scan for vulnerabilities
- Enforce: Require code scanning results before merging
If you discover a security vulnerability within this repo:
- Please do not open an issue.
- Or open a confidential discussion (if enabled).
We recommend using:
- GPG or SSH commit signing
- Pre-commit hooks to lint or scan files
- Dependency updates with tools like `pip-review`, `brew upgrade`, or `nuclei -update-templates`
Security is a shared responsibility. Please:
- Keep your GitHub account secure
- Enable 2FA on your GitHub account
- Don't push secrets or tokens; keep them in `.env` and list it in `.gitignore`
We may later integrate workflows for:
- Linting
- Unit testing
- Static Analysis (SAST)
Thank you for helping us keep BB Toolkit secure!
If you have suggestions to improve our security posture, feel free to open a PR or drop a message.