Security Policy

May 8, 2026 · View on GitHub

Scope

This security policy applies to the nullvariant-vscode-extensions monorepo, which contains:

  • Git ID Switcher (extensions/git-id-switcher/) - VS Code extension for switching Git identities

Supported Versions

VersionSupported
1.x.x:white_check_mark:
< 1.0:x:

Reporting a Vulnerability

If you discover a security vulnerability, please report it by:

  1. GitHub Security Advisory (preferred)

    • Go to Security tab → "Report a vulnerability"
    • We will respond within 48 hours
  2. Email

    • security@nullvariant.com
    • Use PGP encryption if possible (key available on request)

Please do NOT open a public issue for security vulnerabilities.

Reporting Typosquatting

If you find a VS Code extension with a similar name to Git ID Switcher from a different publisher, it may be a typosquat attempt. Please report it:

  1. Report to us via GitHub Security Advisory or email security@nullvariant.com
  2. Report to the marketplace:
    • VS Code Marketplace: Use the "Report" button on the extension page, or email vscext@microsoft.com
    • Open VSX: File an issue at open-vsx/publish-extensions

How to Verify Authenticity

CheckExpected Value
Publishernullvariant
Extension IDnullvariant.git-id-switcher
Repository URLhttps://github.com/nullvariant/nullvariant-vscode-extensions
VSIX signatureVerifiable via cosign verify-blob (see README)
Build provenanceVerifiable via gh attestation verify (SLSA Level 3)

Security Measures

This repository contains VS Code extensions with the following security measures:

Git ID Switcher

  • Content Security Policy (CSP): Webview content is restricted to prevent XSS attacks
  • Content Integrity: CDN content is verified using SHA-256 hash allowlist before rendering
  • No eval(): Script execution is disabled in webviews (enableScripts: false where possible)
  • Minimal Permissions: Only requests necessary VS Code API permissions
  • Command Injection Prevention: Git commands use execFile with explicit argument arrays, never string interpolation

CI/CD Security

  • Dependency Pinning: GitHub Actions are pinned to commit SHAs
  • Automated Security Scanning: CodeQL analysis runs on every push
  • Static Code Analysis: SonarCloud runs on every push and PR (CI-based analysis)
  • Daily Vulnerability Scans: npm audit runs daily via scheduled workflow
  • Fork Protection: Sensitive workflows skip on fork repositories
  • SAST (Snyk Code): Snyk runs static analysis; test fixtures are excluded via .snyk policy
  • License & Vulnerability Scanning: FOSSA runs license compliance, dependency quality, and security analysis on every commit (GitHub App integration)
  • Secret Detection: Gitleaks scans for hardcoded secrets in both CI (security.yml) and pre-commit hooks (.pre-commit-config.yaml)
  • Runtime Security Monitoring: StepSecurity Harden-Runner monitors all workflow runs for suspicious network egress, file access, and process execution
  • Branch Protection: Main branch requires PR approval (1 reviewer minimum). All PRs are automatically approved by nullvariant-justice[bot] after CI passes (solo-developer workflow for OpenSSF Scorecard compliance). Dependency bot PRs receive additional safety review before approval. Enforced by Allstar

Security Testing

Security-focused tests are included in the test suite:

npm run test:security

This includes tests for:

  • Command injection vectors
  • XSS prevention in webviews
  • CSP policy enforcement

Secrets Management

This section documents all secrets used in CI/CD workflows.

Repository Secrets

NamePurposeUsed InRotationSensitivity
RELEASE_PATTag push to trigger publish workflowauto-tag.yml90 daysHigh
VSCE_PATVS Code Marketplace publishingpublish.yml, unpublish.ymlAnnualHigh
OVSX_PATOpen VSX publishingpublish.yml, unpublish.ymlAnnualHigh
SONAR_TOKENSonarCloud code analysissonarcloud.ymlAs neededMedium
FOSSA_API_KEYFOSSA license/vulnerability scanning(API access only)As neededMedium
CLOUDFLARE_API_TOKENCloudflare Pages/R2 deploymentdeploy-docs.yml, publish.ymlAnnualHigh
CLOUDFLARE_ACCOUNT_IDCloudflare account identifier (public)deploy-docs.yml, publish.ymlNeverLow (public ID)
SLACK_WEBHOOKBot monitoring alertsbot-monitoring.ymlAs neededMedium

GitHub App Secrets (6 bots × 2 secrets each)

BotSecretsUsed In
JusticeJUSTICE_BOT_APP_ID, JUSTICE_BOT_PRIVATE_KEYjustice-bot.yml
LunaLUNA_BOT_APP_ID, LUNA_BOT_PRIVATE_KEYluna-bot.yml
SlowSLOW_BOT_APP_ID, SLOW_BOT_PRIVATE_KEYslow-bot.yml
BlazeBLAZE_BOT_APP_ID, BLAZE_BOT_PRIVATE_KEYblaze-bot.yml
CielCIEL_BOT_APP_ID, CIEL_BOT_PRIVATE_KEYciel-bot.yml
MimiMIMI_BOT_APP_ID, MIMI_BOT_PRIVATE_KEYmimi-bot.yml

Security Notes for GitHub Apps:

  • Private Keys do not expire, but annual rotation is recommended
  • APP_IDs are public identifiers (low sensitivity)
  • Private Keys are high sensitivity - treat as passwords
  • Each bot has minimal permissions scoped to its specific function

Environment Protection

Marketplace publishing secrets (VSCE_PAT, OVSX_PAT) are protected by the production environment, which requires:

  • Tag push matching git-id-switcher-v* pattern
  • Repository owner approval (optional)

Note: CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID remain as repository secrets (not environment secrets) because they are also used by deploy-docs.yml, which triggers on main branch push.

Rotation Procedure

  1. Generate new token from the provider (Azure DevOps, Open VSX, Cloudflare)
  2. Update GitHub secret in repository settings
  3. Verify workflow execution by triggering a test run
  4. Revoke old token from the provider
SecretProviderManagement URLExpiration
RELEASE_PATGitHubGitHub Fine-grained PAT2026-07-15
VSCE_PATAzure DevOpsAzure DevOps Tokens2027-01-08
OVSX_PATOpen VSXOpen VSX TokensNo expiration
CLOUDFLARE_API_TOKENCloudflareCloudflare API TokensNo expiration
SONAR_TOKENSonarCloudSonarCloud SecurityNo expiration
FOSSA_API_KEYFOSSAFOSSA SettingsNo expiration
GitHub App KeysGitHubGitHub AppsNo expiration
SLACK_WEBHOOKSlackSlack AppsNo expiration

Token Details:

  • CLOUDFLARE_API_TOKEN: Named nullvariant-vscode-extensions-github-actions-deploy, permissions: Workers R2 Storage:Edit
  • RELEASE_PAT: Named RELEASE_PAT. Fine-grained PAT scoped to this repository only. Repository permissions: Contents (Write). Used by auto-tag.yml to push release tags that trigger the publish workflow (built-in GITHUB_TOKEN pushes do not re-trigger workflows, so a PAT is required)

See Also