Cylestio Gateway is designed with security as a fundamental principle. This document outlines our security practices, vulnerability reporting process, and security guarantees for enterprise customers.

Our security pipeline runs comprehensive scans on every commit and pull request:

• 🔍 Dependency Vulnerability Scanning: Using pip-audit and safety to detect known vulnerabilities in dependencies
• 🔐 Secret Detection: Using detect-secrets and gitleaks to prevent credential leakage
• 🔎 Static Application Security Testing (SAST): Using Semgrep and Bandit for code security analysis
• 🐳 Container Security: Using Trivy to scan Docker images for vulnerabilities
• 📄 License Compliance: Automated license scanning to ensure compliance with enterprise policies

Developers are protected by pre-commit hooks that run locally:

• Secret detection before code is committed
• Security linting with Bandit
• Code quality checks with Ruff and Black
• Type safety with MyPy

Our security pipeline implements strict quality gates:

• Zero Critical Vulnerabilities: No critical security issues are allowed in production
• Limited High Severity Issues: Maximum of 5 high severity issues allowed
• Continuous Monitoring: Daily security scans via scheduled workflows

# ✅ RECOMMENDED: Use environment variables
import os
from src.main import create_app

# Load API keys from environment
config = {
    "llm": {
        "api_key": os.environ.get("OPENAI_API_KEY"),  # Never hardcode
        "base_url": "https://api.openai.com"
    }
}

# ❌ NEVER DO THIS: Hardcoded secrets
config = {
    "llm": {
        "api_key": "sk-1234567890abcdef",  # Security violation! # pragma: allowlist secret
        "base_url": "https://api.openai.com"
    }
}

# ✅ RECOMMENDED: Environment variable substitution
llm:
  api_key: "${OPENAI_API_KEY}"
  base_url: "https://api.openai.com"

# ❌ AVOID: Hardcoded credentials in config files
llm:
  api_key: "sk-1234567890abcdef"  # Never commit secrets! # pragma: allowlist secret

• TLS/HTTPS: All external communications use HTTPS
• API Key Injection: API keys are injected into headers, never exposed in URLs
• Header Filtering: Sensitive headers are filtered from logs and traces

• Request/Response Filtering: Sensitive data can be excluded from traces
• Session Isolation: Each session is isolated with unique identifiers
• Memory Management: Sensitive data is not cached indefinitely

We implement security best practices including:

• Secure development lifecycle with automated security testing
• Vulnerability management with continuous scanning and monitoring
• Supply chain security with dependency tracking and SBOM generation
• Credential protection with secret detection and secure handling practices

• Pre-Deployment Scanning: Every release is scanned for known vulnerabilities before distribution
• Dependency Security: All third-party dependencies are continuously monitored for security issues
• Source Code Analysis: Static analysis tools prevent common security vulnerabilities in our code
• Supply Chain Security: Complete Software Bill of Materials (SBOM) tracks all components for transparency

If you discover a security vulnerability, please follow our responsible disclosure process:

1. Email: Send details to security@cylestio.com
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
   • Suggested remediation (if any)
3. Response Time: We commit to responding within 48 hours
4. Resolution: Critical issues resolved within 7 days, others within 30 days

Please report any of the following:

• Authentication bypasses
• Data exposure vulnerabilities
• Injection attacks (SQL, Command, etc.)
• Cross-site scripting (XSS)
• Server-side request forgery (SSRF)
• Denial of service vulnerabilities
• Information disclosure
• Privilege escalation

The following are generally not considered vulnerabilities:

• Version disclosure
• Missing security headers (unless exploitable)
• Theoretical attacks without proof of concept
• Social engineering attacks
• Physical attacks

• Critical: Emergency patches released immediately
• High: Patches released within 7 days
• Medium: Patches released in next minor version
• Low: Patches released in next major version

Security updates are communicated via:

• GitHub Security Advisories
• Release notes
• Email notifications (for enterprise customers)

Our automated security pipeline provides:

• Vulnerability Scan Results: Available in GitHub Actions artifacts after each run
• Security Report Generation: Automated reports for dependency, secret, and code analysis
• Quality Gate Status: Pass/fail status for security thresholds
• SBOM Generation: Weekly software bill of materials for transparency

• GitHub Actions: Automated security workflows
• Pre-commit Hooks: Local security validation
• Security Reports: Detailed vulnerability assessments

• pip-audit: Python dependency vulnerability scanner
• Semgrep: Static analysis security testing
• Bandit: Python security linter
• detect-secrets: Git secrets prevention
• Trivy: Container vulnerability scanner

• Security Team: security@cylestio.com
• General Support: support@cylestio.com
• Documentation: https://github.com/cylestio/cylestio-perimeter

This project is licensed under the Apache License 2.0. This security policy is subject to our Terms of Service and Privacy Policy. For enterprise customers, specific security requirements may be covered under separate agreements.

License: Apache License 2.0 - See LICENSE file for details.