Every merge to master runs through multiple automated security gates. Every dependency is scanned on every build. Every surfaced vulnerability has a defined SLA for remediation.
Static application security testing (SAST)
| Tool | What it scans | Blocking? |
|---|---|---|
| Brakeman | Rails source for SQL injection, XSS, mass assignment, command injection, unsafe redirects, open redirects | Yes — medium+ severity blocks merge |
| ESLint (security plugins) | JavaScript/TypeScript for unsafe patterns | Yes |
| gitleaks | All commits for hardcoded secrets | Yes |
| Trivy (config mode) | Terraform for infrastructure misconfigurations | Yes — medium+ severity |
Dependency scanning
| Tool | Ecosystem | Blocking? |
|---|---|---|
| bundler-audit | Ruby gems (ruby-advisory-db) | Yes |
| npm audit | Node packages | Yes on high+ |
| Dependabot | Auto-PRs for dependency updates, auto-merged on patch/minor if CI passes | — |
| license_finder | License compliance for both Ruby and Node | Yes |
Secret scanning
- gitleaks runs on every commit.
- GitHub secret scanning enabled organization-wide (catches known secret formats pushed to any branch).
- Any secret found in git history triggers immediate rotation and incident logging.
Infrastructure scanning
- Trivy (config scan mode) runs against every Terraform change.
- GCP Security Command Center aggregates findings from GCP-native scanners (Container Analysis, Web Security Scanner — planned).
Vulnerability disclosure and remediation SLAs
| Severity | Example | SLA to mitigate |
|---|---|---|
| Critical (CVSS ≥ 9.0) | RCE, authentication bypass, public PHI exposure | 24 hours |
| High (CVSS 7.0–8.9) | Privilege escalation, session fixation | 7 days |
| Medium (CVSS 4.0–6.9) | Stored XSS, CSRF in low-risk flow | 30 days |
| Low (CVSS < 4.0) | Information disclosure in non-PHI endpoint | 90 days |
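A merge gate that applies the per-tool blocking thresholds from the SAST and dependency tables and the CVSS-banded SLAs above, as an added example rather than the project's own pipeline code; the normalized finding shape, the tool keys and the sample findings are assumptions for illustration:

```python
"""Merge gate applying the per-tool blocking policy and CVSS-banded remediation
SLAs above to a normalized finding list. The finding shape and tool keys are
assumptions for this example; convert each scanner's own report into it first."""
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Lowest severity that blocks a merge, per tool. A plain "Yes" in the tables
# above means any finding blocks; Dependabot only opens PRs and never blocks.
BLOCK_THRESHOLD = {
    "brakeman": "medium", "eslint": "low", "gitleaks": "low",
    "trivy-config": "medium", "bundler-audit": "low", "npm-audit": "high",
    "license_finder": "low", "dependabot": None,
}

# CVSS floor of each severity band and its SLA to mitigate, in days.
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


def severity_from_cvss(cvss: float) -> str:
    """Map a CVSS base score onto the severity bands of the SLA table."""
    return next(name for floor, name in CVSS_BANDS if cvss >= floor)


def evaluate(findings: list[dict], found_at: datetime) -> list[dict]:
    """Annotate each finding with its severity band, whether it blocks the
    merge, and its remediation due date. Unknown tools fail closed."""
    results = []
    for f in findings:
        if f["tool"] not in BLOCK_THRESHOLD:
            raise ValueError(f"no blocking policy for tool {f['tool']!r}")
        sev = f.get("severity") or severity_from_cvss(f["cvss"])
        threshold = BLOCK_THRESHOLD[f["tool"]]
        blocks = threshold is not None and SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]
        results.append({**f, "severity": sev, "blocks_merge": blocks,
                        "due": found_at + timedelta(days=SLA_DAYS[sev])})
    return results


def merge_allowed(findings: list[dict], found_at: datetime) -> bool:
    """True only when no finding crosses its tool's blocking threshold."""
    return not any(r["blocks_merge"] for r in evaluate(findings, found_at))


# Constructed sample findings for one build (not real scanner output).
SAMPLE = [
    {"tool": "brakeman", "title": "SQL Injection", "severity": "medium"},
    {"tool": "npm-audit", "title": "vulnerable transitive package", "cvss": 6.5},
    {"tool": "gitleaks", "title": "API key in commit", "severity": "high"},
    {"tool": "dependabot", "title": "minor bump available", "severity": "low"},
]
```

Note that the npm audit finding at CVSS 6.5 is tracked with a 30-day SLA but does not block, because that table only blocks on high and above.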
Coordinated disclosure
Security researchers: see the vulnerability submission process on the Incident response page or email security@denialbase.com.
Current gaps — honest status
No DAST (dynamic testing) in CI
We run SAST on every merge but no automated dynamic scanner exercises the running app. The planned third-party pentest (Q3 2026) will include dynamic testing.
No bug bounty program yet
We credit researchers and coordinate disclosure, but don’t currently pay bounties. Planned after our first pentest cycle completes.
No runtime application self-protection (RASP)
We rely on the Cloud Armor WAF at the edge plus application-level rate limiting. A RASP layer would add defense in depth but isn’t on the near-term roadmap.