Allure Report - security checks and protection measures

[abulat]

Hope you're doing well!
We're starting to use Allure Report in our organization, and our security team has a quick question:

What measures do you have in place to prevent any malicious packages from being downloaded via Allure?

To help us feel confident about using Allure, can you share some details on:

• Security Checks: Do you use any specific tools or procedures to scan for security issues in the packages?
• Protection Measures: What steps do you take to make sure no harmful packages get through? For example, code reviews or automated scans?

Getting some insights on these points would really help us trust that Allure is safe to use.

Thanks a lot for your help!

[baev]

Allure Report is an open-source project supported by a vast global community. We recognize the importance of establishing robust security policies and diligently addressing all potential security risks and issues.

Initially, all repositories in our organization had designated maintainers. These maintainers are senior-level developers with experience in open-source project management. Our full-time employees maintain the core components. Each contribution is visible, open to public discussion, and requires a review from another maintainer.

We follow to best coding practices, including:

1. Automatic dependency updates (powered by Dependabot or Renovate)
2. Security scans by GitHub
3. Automatic testing for each commit, with a requirement for all tests to pass before accepting contributions
4. Strict static analysis tools configured per repository, such as ESLint for JS/TS, and PMD, Checkstyle, and SpotBugs for Java
5. CI builds disabled for new contributors until a maintainer reviews and accepts the proposed changes
6. A core team available for contact (publicly or privately via dedicated email) regarding any security concerns, with prompt responses to such requests

Allure can function securely in private networks without requiring an internet connection.

As all code is open source, you are free to perform any penetration testing or security audit. We are more than happy to assist in addressing any discovered vulnerabilities.