This document outlines the security measures implemented in Repo-Ring and provides a checklist based on industry standards (OWASP, Chrome Extension Security Best Practices).
- AES-256 Encryption: GitHub tokens encrypted before local storage
- Local Storage Only: All data stored locally in Chrome, never transmitted to external servers
- No Cloud Storage: Extension does not use any cloud storage or remote databases
- Secure Token Handling: Tokens never logged to console or error reports
- Minimal Permissions: Only accepts tokens with `notifications` and `read:user` scopes
- Scope Validation: Rejects tokens with excessive permissions
- Token Type Validation: Only Classic tokens (`ghp_*`) accepted, fine-grained tokens rejected
- Expiration Handling: Graceful handling of expired or invalid tokens
- HTTPS Only: All API calls use HTTPS (api.github.com)
- Direct GitHub API: No intermediary servers or proxies
- No Third-Party Services: Extension communicates only with official GitHub API
- No Analytics/Tracking: Zero tracking, analytics, or telemetry services
- Rate Limiting: Manual refresh cooldown (60s) to prevent API abuse
- Retry Logic: Exponential backoff (1s → 2s → 4s) for failed requests
- Error Handling: Network errors fallback to cached data without exposing sensitive info
- Cache Control: Proper cache-busting headers to prevent stale data
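The refresh policy described in the network items above (60 s manual cooldown, 1s → 2s → 4s backoff, fallback to cached data with a warning that exposes nothing sensitive) as an added TypeScript example. It is not Repo-Ring's code: the request, the sleep and the clock are injected so the retry sequence and the cooldown can be exercised deterministically without a network, and `GitHubResult` is a placeholder shape for whatever the extension caches.

```typescript
// Added example, not the extension's own implementation.
// Assumption: GitHubResult stands in for the extension's cached notification data.

export interface GitHubResult {
  unreadCount: number;
  fetchedAt: number;
}

export const BACKOFF_BASE_MS = 1000; // retries wait 1s, 2s, 4s
export const MAX_RETRIES = 3;        // one initial attempt plus three retries
export const REFRESH_COOLDOWN_MS = 60000;

/** Delay before retry number `retry` (1-based): 1000, 2000, 4000. */
export function backoffDelayMs(retry: number): number {
  return BACKOFF_BASE_MS * Math.pow(2, retry - 1);
}

export type Outcome =
  | { source: "live"; data: GitHubResult; delaysMs: number[] }
  | { source: "cache"; data: GitHubResult; delaysMs: number[]; warning: string }
  | { source: "none"; delaysMs: number[]; warning: string };

/**
 * Calls `fetchOnce` with exponential backoff. On final failure it falls back to
 * `cached` when available. The warning carries only the error message, never the
 * request headers, so it is safe to hand to console.warn.
 */
export function fetchWithRetry(
  fetchOnce: () => GitHubResult,      // throws on network or HTTP failure
  sleep: (ms: number) => void,        // injected so tests can record instead of wait
  cached: GitHubResult | null,
): Outcome {
  const delaysMs: number[] = [];
  let lastError = "unknown error";
  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
    try {
      return { source: "live", data: fetchOnce(), delaysMs };
    } catch (err) {
      lastError = err instanceof Error ? err.message : String(err);
      if (attempt < MAX_RETRIES) {
        const delay = backoffDelayMs(attempt + 1);
        delaysMs.push(delay);
        sleep(delay);
      }
    }
  }
  const warning = `GitHub request failed after ${MAX_RETRIES + 1} attempts: ${lastError}`;
  return cached
    ? { source: "cache", data: cached, delaysMs, warning }
    : { source: "none", delaysMs, warning };
}

/** Gate for the manual refresh button: at most one refresh per REFRESH_COOLDOWN_MS. */
export class RefreshCooldown {
  private lastRefreshAt = -Infinity;
  private readonly now: () => number;

  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }

  /** Returns true (and records the time) when a refresh is allowed right now. */
  tryRefresh(): boolean {
    const t = this.now();
    if (t - this.lastRefreshAt < REFRESH_COOLDOWN_MS) return false;
    this.lastRefreshAt = t;
    return true;
  }

  /** Milliseconds the user still has to wait; 0 when a refresh is allowed. */
  remainingMs(): number {
    return Math.max(0, REFRESH_COOLDOWN_MS - (this.now() - this.lastRefreshAt));
  }
}
```

Keeping the cooldown separate from the retry loop matters: backoff protects against a transient failure, while the cooldown bounds how often a user can deliberately hammer the API, and the two should not share a timer.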
- Minimal Permissions: Only requests essential permissions (storage, activeTab, alarms)
- No Broad Host Permissions: Only api.github.com access
- No Content Scripts: Extension doesn't inject code into web pages
- Manifest V3: Uses latest Chrome extension manifest version
- Documented Permissions: All permissions explained in README
- No eval(): Code does not use `eval()` or dynamic code execution
- No Inline Scripts: All scripts referenced externally (CSP compliant)
- TypeScript: Type-safe code to prevent runtime errors
- Input Validation: All user inputs validated before processing
- XSS Prevention: Proper output encoding, no innerHTML with user data
- Zero Data Collection: Extension does NOT collect personal data
- No User Tracking: No behavior tracking or usage analytics
- No Ads: Completely ad-free
- No External Requests: Only GitHub API communication
- Data Transparency: Privacy policy clearly states what data is stored
- User Control: Users can remove tokens anytime
- Data Deletion: Uninstalling removes all stored data
- Open Source: All code publicly available for audit
- Manual Security Review: Code reviewed for common vulnerabilities
- Automated Dependency Scanning: Run `npm audit` (recommended)
- Snyk Scan: Optional additional vulnerability scanning
- Token Handling Tests: Validated token encryption/decryption
- TypeScript: Static type checking
- Error Logging: Use `console.warn` for handled errors, not `console.error`
- Build Process: Webpack production build with minification
- Linting: ESLint/TSLint recommended (optional)
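Two of the rules above, "tokens never logged to console or error reports" and "use `console.warn` for handled errors", as an added TypeScript example, together with the kind of source check an audit step for A09 (secret logging detection) can run. None of this is Repo-Ring's code: the token-shaped patterns and the logging wrapper are assumptions about what needs redacting, and the sample source lines in the test are constructed.

```typescript
// Added example, not the extension's own implementation.
// Assumption: the patterns below describe the token shapes worth redacting in this
// extension (classic ghp_ tokens, fine-grained tokens surfacing in errors, and an
// Authorization header value from a dumped request).

interface Redaction {
  pattern: RegExp;
  replacement: string;
}

const REDACTIONS: Redaction[] = [
  { pattern: /\bghp_[A-Za-z0-9]{20,}\b/g, replacement: "ghp_[REDACTED]" },
  { pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g, replacement: "github_pat_[REDACTED]" },
  { pattern: /(authorization\s*[:=]\s*(?:token|bearer)\s+)\S+/gi, replacement: "$1[REDACTED]" },
];

/** Returns `text` with every recognised secret replaced by a placeholder. */
export function redactSecrets(text: string): string {
  let out = text;
  for (const r of REDACTIONS) out = out.replace(r.pattern, r.replacement);
  return out;
}

/** Serialises an error for logging without leaking a token embedded in its message. */
export function describeError(err: unknown): string {
  const raw = err instanceof Error ? `${err.name}: ${err.message}` : String(err);
  return redactSecrets(raw);
}

/**
 * Handled errors go through console.warn (never console.error) and are always
 * redacted first. Returns the emitted line so callers and tests can inspect it.
 */
export function warnSafely(context: string, err: unknown): string {
  const line = `[Repo-Ring] ${redactSecrets(context)}: ${describeError(err)}`;
  console.warn(line);
  return line;
}

// Matches a console call whose argument list mentions a credential-like identifier.
const SECRET_LOG_CALL = /console\.(log|error|warn|info|debug|table)\s*\(.*\b(token|secret|password|authorization)\b/i;

/**
 * Static check for the A09 audit: 1-based line numbers of console calls that
 * appear to log a credential. A hit needs a human look; it is a review flag, not proof.
 */
export function findSecretLogging(source: string): number[] {
  const hits: number[] = [];
  source.split("\n").forEach((line, i) => {
    if (SECRET_LOG_CALL.test(line)) hits.push(i + 1);
  });
  return hits;
}
```

The redaction runs on both the context string and the error, because an HTTP client error frequently echoes the request (including its Authorization header) into its message.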
| OWASP Risk | Status | Implementation |
|---|---|---|
| A01: Broken Access Control | ✅ Pass | Token scope validation, minimal permissions |
| A02: Cryptographic Failures | ✅ Pass | AES-256 encryption for token storage |
| A03: Injection | ✅ Pass | No dynamic code execution, proper input validation |
| A04: Insecure Design | ✅ Pass | Security-first architecture, minimal attack surface |
| A05: Security Misconfiguration | ✅ Pass | Secure defaults, documented permissions |
| A06: Vulnerable Components | ✅ Pass | npm audit: 0 vulnerabilities found |
| A07: Authentication Failures | ✅ Pass | GitHub OAuth token validation |
| A08: Data Integrity Failures | ✅ Pass | HTTPS only, no untrusted sources |
| A09: Logging Failures | ✅ Pass | No sensitive data in logs |
| A10: Server-Side Request Forgery | N/A | No server-side component |
Security audits run automatically on:
- Every push to master branch (ensures master stays secure)
- Every pull request (prevents vulnerable code from merging)
- Every release (generates updated security report)
- Weekly schedule (Mondays at 9am UTC for proactive monitoring)
- Manual trigger available (for on-demand audits)
Smart Skipping: Audits are skipped when only documentation files (.md), LICENSE, .gitignore, or screenshots are changed, saving CI/CD resources.
View audit results in the Actions tab.
Run security audits locally using npm scripts:
```bash
# Full security audit
npm run audit:security

# Production dependencies only
npm run audit:prod

# Security audit + TypeScript check
npm run security:check

# Check for known vulnerabilities in dependencies
npm audit

# Fix vulnerabilities automatically (if available)
npm audit fix
```

```bash
# Install Snyk CLI
npm install -g snyk

# Authenticate
snyk auth

# Run security scan
snyk test

# Monitor project (optional)
snyk monitor
```
- Install Extension Auditor from Chrome Web Store
- Run audit on your installed Repo-Ring extension
- Review dangerous permissions report
- Review all code changes for security implications
- Check for sensitive data exposure in logs
- Validate all user inputs
- Ensure HTTPS for all external requests
If you discover a security vulnerability in Repo-Ring, please report it responsibly:
- Do NOT open a public GitHub issue
- Email: mdasifjoardar@gmail.com
- Subject: `[SECURITY] Repo-Ring Vulnerability Report`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will respond within 48 hours and work on a fix promptly.
MANDATORY: Run the comprehensive OWASP security audit before creating a release.
1. Go to GitHub Actions
   - Navigate to: Actions → Pre-Release OWASP Audit
2. Click "Run workflow"
   - Enter the version number (e.g., `1.0.1`)
   - Click "Run workflow" button
3. Wait for Results (takes ~2-3 minutes)
   - ✅ PASSED: Safe to create release
   - ❌ FAILED: DO NOT create release - fix issues first
Automated OWASP Top 10 Compliance:
- ✅ A01: Access Control (token scope validation)
- ✅ A02: Cryptographic Failures (dependency vulnerabilities)
- ✅ A03: Injection (eval, innerHTML, dynamic code)
- ✅ A04: Insecure Design (architecture review - manual)
- ✅ A05: Security Misconfiguration (manifest permissions)
- ✅ A06: Vulnerable Components (npm audit)
- ✅ A07: Authentication Failures (token validation)
- ✅ A08: Data Integrity (HTTPS-only checks)
- ✅ A09: Logging Failures (secret logging detection)
- ✅ A10: SSRF (N/A - no server-side)
Additional Checks:
- TypeScript compilation
- Build success
- Manifest permission analysis
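The "manifest permission analysis" check listed above, applied to the permission rules stated earlier on this page (only `storage`, `activeTab`, `alarms`; host access limited to api.github.com; no content scripts; Manifest V3; CSP-compliant, no `eval()`), as an added TypeScript example. It is not the audit workflow's own code: the allow-lists are taken from the checklist, the manifest object shape is assumed, and the manifests in the test are constructed rather than copied from the extension.

```typescript
// Added example, not the project's own audit script.
// Assumption: the manifest has been parsed from JSON into an object of this shape.

export interface ManifestLike {
  manifest_version?: number;
  permissions?: string[];
  host_permissions?: string[];
  content_scripts?: unknown[];
  content_security_policy?: { extension_pages?: string } | string;
}

// Allow-lists taken from the permissions checklist on this page.
export const ALLOWED_PERMISSIONS: ReadonlySet<string> = new Set(["storage", "activeTab", "alarms"]);
export const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["https://api.github.com/*"]);

/** Returns a list of findings; an empty list means the manifest passes. */
export function analyzeManifest(m: ManifestLike): string[] {
  const findings: string[] = [];

  if (m.manifest_version !== 3) {
    findings.push(`manifest_version must be 3 (found ${String(m.manifest_version)})`);
  }

  // Anything outside the allow-list, including host patterns placed under
  // "permissions" (a Manifest V2 habit), is flagged.
  for (const p of m.permissions ?? []) {
    if (!ALLOWED_PERMISSIONS.has(p)) findings.push(`unexpected permission: ${p}`);
  }

  // Only the GitHub API host, and only over HTTPS.
  for (const h of m.host_permissions ?? []) {
    if (!ALLOWED_HOSTS.has(h)) findings.push(`host permission outside api.github.com: ${h}`);
  }

  // The extension should not inject code into web pages.
  if ((m.content_scripts ?? []).length > 0) {
    findings.push("content_scripts present; extension must not inject code into pages");
  }

  // A CSP that re-enables eval or inline scripts defeats the "no eval()" rule.
  const csp =
    typeof m.content_security_policy === "string"
      ? m.content_security_policy
      : m.content_security_policy?.extension_pages ?? "";
  if (/unsafe-eval|unsafe-inline/i.test(csp)) {
    findings.push("content_security_policy allows unsafe-eval or unsafe-inline");
  }

  return findings;
}

/** Convenience for a CI step: true when there is nothing to report. */
export function manifestPasses(m: ManifestLike): boolean {
  return analyzeManifest(m).length === 0;
}
```

Running this on every pull request catches the common regression where a convenience permission (`tabs`, `<all_urls>`) is added during a feature and never removed.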
- Report Generated: `OWASP_RELEASE_AUDIT.md`
- Downloadable: From Actions artifacts
- Auto-Issue: Created if audit fails
1. Development complete
2. Run Pre-Release OWASP Audit
3. Review audit report
4. Fix any issues (if failed)
5. Re-run audit until passed
6. Create release tag
7. Auto-update SECURITY_AUDIT_REPORT.md
Repo-Ring is committed to:
- Transparency: All code is open source
- Privacy: Zero data collection or tracking
- Security: Following industry best practices
- Responsibility: Prompt response to security reports
- Compliance: Adhering to Chrome Web Store policies
Last Updated: January 2025
Version: 1.0.0