docs
/
Open IssueContributingStar
docs
/
Home
Requirements
Install
npm
Helm
Usage
--link
iPad
Termux
Collaboration
Upgrade
FAQ
Contributing
Code of conduct
Maintenance
Triage
Security
Home
/
Contributing

Security

2 min read

Learn about the tools used to detect vulnerabilities in code-server, and how you can report vulnerabilities.

Security Policy

Coder and the code-server team want to keep the code-server project secure and safe for end-users.

Tools

We use the following tools to help us stay on top of vulnerability mitigation.

  • dependabot
    • Submits pull requests to upgrade dependencies. We use dependabot's version upgrades as well as security updates.
  • code-scanning
    • CodeQL
      • Semantic code analysis engine that runs on a regular schedule (see codeql-analysis.yml)
    • trivy
      • Comprehensive vulnerability scanner that runs on PRs into the default branch and scans both our container image and repository code (see trivy-scan-repo and trivy-scan-image jobs in ci.yaml)
  • audit-ci
    • Audits npm and Yarn dependencies in CI (see Audit for vulnerabilities step in ci.yaml) on PRs into the default branch and fails CI if moderate or higher vulnerabilities (see the audit.sh script) are present.

Supported Versions

Coder sponsors the development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.

VersionSupported
Latest:white_check_mark:

Reporting a Vulnerability

To report a vulnerability, please send an email to security[@]coder.com, and our security team will respond to you.

See an opportunity to improve our docs? Make an edit.

Go to coder.comGitHub