Scanning Code and Dependencies for Potential Security Issues
As CKAN software is located on GitHub repositories, there are some inbuilt Security features that the project benefits from:
Dependabot Alerts - alerts are generated from scanning CKAN dependencies. These alerts have been configured to automatically create pull requests that are reviewed and handled by a member of the CKAN Tech Team.
Code Scanning Alerts - alerts generated from a code analysis tool, CodeQL, to discover potential security vulnerabilities of CKAN software. CodeQL is maintained by GitHub. The tool supports the efforts of the Tech Team as they work on current and supported versions of CKAN.
Enhancing Application Security Controls
Via its plugin architecture, the CKAN software can make use of community extensions that enhance the security posture of the application. For instance, the ckanext-security extension holds various security improvements for CKAN
Management of Security Issues
Like most open source software projects we encourage white hat reporting of discovered vulnerabilities via a dedicated private inbox, firstname.lastname@example.org. Verified security issues are added to a private issue tracker on GitHub, out of the public domain. We create transparency between the Tech Team and the original submitter by inviting them into the tracked issue, where they can monitor and comment on progress.
Patch releases for the current stable minor release, along with the two preceding minor releases are packaged and publicised on an as-needed basis by the Tech Team.
Twice Weekly Developer Calls
The CKAN Tech Team meets twice a week to review pull requests and reported issues. These developer oriented meetings are held with an open door policy and details for joining are published in the public domain. While the details of security issues are not covered in these calls, the status of pending patch releases and the tasks needed to progress such issues in a timely manner are. The CKAN security matters benefit from the positive social pressure generated from group accountability dynamics and the project is always open to contributions from any concerned users.