Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.
To ensure our codebase remains secure, we leverage GitHub Actions for continuous security scanning (on pre-commit, PR and periodically) with the following tools:
- CodeQL: static analysis tool to check Python code and GitHub Actions workflows
- Semgrep: static analysis tool to check Python code; ML-specific Semgrep rules developed by Trail of Bits are used
- Bandit: Static analysis tool to check Python code
- Zizmor: Static analysis tool to check GitHub Actions workflows
- Trivy: Check misconfigurations and detect security issues in dependencies
- Dependabot: to detect security issues in dependencies
| Tool | Pre-commit | PR-checks | Periodic |
|---|---|---|---|
| CodeQL | โ | โ | |
| Semgrep | โ | โ | |
| Bandit | โ | โ | โ |
| Zizmor | โ | โ | โ |
| Trivy | โ | ||
| Dependabot | โ |
NOTE: Semgrep does not support Windows, therefore it is not currently used in pre-commit.
Please report any security vulnerabilities in this project utilizing Intel's vulnerability handling guidelines.
Users interested in keeping up-to-date with security announcements and updates can:
- Follow the GitHub repository ๐
- Check the Releases section of our GitHub project ๐ฆ
We encourage users to report security issues and contribute to the security of our project ๐ก๏ธ. Contributions can be made in the form of code reviews, pull requests, and constructive feedback. Refer to our CONTRIBUTING.md for more details.
NOTE: This security policy is subject to change ๐. Users are encouraged to check this document periodically for updates.