The Green Engineering Standard Framework (GESF) treats security as a foundational engineering concern, not an afterthought. This policy applies to the GESF monorepo itself — our development practices, dependency management, vulnerability response, and secure coding standards — as well as the security capabilities GESF provides to downstream projects.

GESF is currently in pre-1.0 active development. Breaking changes may occur between minor versions. Once 1.0 is released, we will maintain a formal LTS support schedule.

Do not report security vulnerabilities through public GitHub issues.

Report security vulnerabilities to:

• Email: security@coremates.dev
• GitHub Security Advisories: github.com/greenarmor/gesf/security/advisories/new

When reporting a vulnerability, please provide:

1. Description — A clear description of the vulnerability
2. Affected component(s) — Which package(s) or file(s) are affected (e.g., @greenarmor/ges-cli, @greenarmor/ges-mcp-server)
3. Impact — What an attacker could achieve (e.g., privilege escalation, data exposure, code execution)
4. Reproduction steps — Step-by-step instructions to reproduce the issue
5. Proof of concept — If available, a minimal proof of concept
6. Environment — Node.js version, OS, package manager version
7. Suggested fix — If you have one

• We follow coordinated disclosure.
• We ask that you give us 90 days to address the vulnerability before public disclosure.
• We will credit researchers in our security advisories unless anonymity is requested.
• We will not pursue legal action against good-faith security research.

This repository is a pnpm monorepo containing 12 published packages under the @greenarmor NPM scope:

• All dependencies are pinned to exact versions in package.json.
• pnpm lockfile (pnpm-lock.yaml) is committed and version-controlled.
• Dependency updates are reviewed manually before merging.

We run the following automated security scans via GitHub Actions:

• Never commit secrets, API keys, private keys, or credentials to this repository.
• Gitleaks runs as a pre-commit safeguard and in CI.
• If a secret is accidentally committed, rotate it immediately and contact security@greenarmor.dev.

• All packages use ESM modules ("type": "module").
• All inputs are validated at package boundaries.
• No use of eval(), new Function(), or dynamic code execution.
• No use of any type without explicit justification.
• All external process execution is sandboxed and validated.

• Approved: AES-256-GCM, ChaCha20-Poly1305, TLS 1.3, TLS 1.2 minimum.
• Prohibited: MD5, SHA-1 (for security purposes), DES, RC4, any ECB mode.

• Password hashing: Argon2id (mandatory).
• Prohibited: MD5, SHA-1, bcrypt for new implementations, plain text passwords.

Must log:

• Authentication events (success and failure)
• Authorization decisions (denials)
• Data export operations
• Role/permission changes
• Administrative actions

Must never log:

• Passwords or password hashes
• API keys, tokens, or secrets
• Private keys or certificates
• Sensitive personal data (PII)

The MCP server (@greenarmor/ges-mcp-server) communicates via JSON-RPC over stdio:

• No network listener — stdio-only transport.
• No file system write access — read-only compliance evaluation.
• No outbound network requests.
• Input validation on all JSON-RPC messages.
• Proper error codes for malformed requests.

Given the nature of this framework, we are particularly interested in:

GESF enforces the following security requirements on projects that use it:

1. Encryption at rest — Required for all Restricted and Confidential data.
2. Encryption in transit — TLS 1.2 minimum, TLS 1.3 recommended.
3. Multi-factor authentication — Required for all administrative access.
4. Audit logging — Required for all authentication, authorization, and data operations.
5. Data retention — Mandatory retention policy with automated enforcement.
6. Vulnerability scanning — Required in CI/CD pipelines.
7. Secret scanning — Required in CI/CD pipelines.
8. Access control — RBAC with least-privilege, deny-by-default.

All pull requests must pass:

1. Secret scan — Gitleaks detects leaked credentials.
2. Dependency scan — Trivy identifies vulnerable dependencies.
3. Security scan — npm audit and OWASP Dependency Check.
4. Compliance scan — GESF's own compliance validation.
5. Build verification — All 12 packages must build cleanly.

Changes to the following components require manual security review:

• packages/mcp-server/ — Input validation, protocol handling.
• packages/audit-engine/src/scanners/ — Scanner logic correctness.
• packages/compliance-engine/ — GDPR control evaluation accuracy.
• packages/core/src/schemas/ — Schema validation completeness.
• packages/cicd-generator/ — Generated workflow security.
• packages/report-generator/ — Template injection prevention.

1. Detection — Automated via CI scanners or manual report.
2. Triage — Maintainer assesses severity and assigns CVE if applicable.
3. Fix — Patch developed in a private fork or branch.
4. Advisory — GitHub Security Advisory published with CVE.
5. Release — Patch version released with advisory reference.
6. Disclosure — Full disclosure after patch is available.

Contributors should have the following tools configured:

# Install gitleaks (pre-commit secret detection)
brew install gitleaks

# Run pre-commit hooks
gitleaks protect --staged

• Node.js >= 22.0.0
• pnpm >= 11.0.0
• TypeScript ^6.0.0
• All dev dependencies installed via pnpm install

# Build all packages
pnpm -r run build

# Run linting
pnpm run lint

# Run tests
pnpm run test

We gratefully acknowledge security researchers who have responsibly disclosed vulnerabilities. Names will be listed here with permission.

GESF is monitored by Socket.dev for supply chain threats. This section documents the review of packages that triggered Socket.dev alerts and were determined to be acceptable or false positives.

Last reviewed: 2026-06-20 Reviewer: greenarmor

GESF generates a CycloneDX SBOM on demand:

./scripts/generate-sbom.sh
# Output: sbom/sbom.json (CycloneDX 1.6, ~335 components)

The SBOM covers the full dependency tree of @greenarmor/ges (the published CLI package), including all optional dependencies.

All published @greenarmor/* packages:

1. Include provenance — npm publish with --provenance flag (GitHub Actions OIDC)
2. Lockfile — pnpm-lock.yaml is committed and validated on every install
3. Integrity hashes — pnpm verifies SHA-512 integrity hashes for all packages

GESF's @inquirer/* packages are declared as optionalDependencies in packages/cli/package.json. This means:

• Socket.dev consumers can exclude them entirely by running npm install --omit=optional
• The GESF CLI automatically falls back to readline-based numbered menus if @inquirer/* is not installed
• Zero hard dependency — the CLI is fully functional without any Inquirer packages

// packages/cli/package.json
{
  "optionalDependencies": {
    "@inquirer/checkbox": "^5.2.1",
    "@inquirer/confirm": "^6.1.1",
    "@inquirer/input": "^5.1.2",
    "@inquirer/select": "^5.2.1"
  }
}

This security policy is maintained alongside the codebase. Significant policy changes require maintainer approval and will be communicated via:

• GitHub release notes
• Security advisory (if applicable)
• README update

• Security issues: security@coremates.dev
• General questions: GitHub Discussions or Issues
• Maintainer: @greenarmor

This security policy is part of the Green Engineering Standard Framework and is released under the MIT License.