# Security Policy

If you have discovered a security vulnerability, please refer to [our website](https://quad4.io/security) for the latest security reporting procedures and guidelines.

## Vulnerability Management

- We use pnpm and [OSV](https://osv.dev/) to scan for package vulnerabilities in our dependencies.

## SAST

- Gosec for Go code.
- ESLint with eslint-plugin-security for JavaScript code.

## Dependency and Supply Chain

- All GitHub Actions used are forked and hosted on our Gitea instance; view them at https://git.quad4.io/actions.
- Actions are referenced using full URLs and cryptographically pinned to specific commit hashes for enhanced supply chain security.
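As an added example (not part of this policy or the project's own tooling), the script below checks the pinning rule from the last section: every `uses:` reference in a workflow must be a full URL on the self-hosted Gitea instance and pinned to a 40-hex commit SHA rather than a tag or branch. The sample workflow, the allowed host list and the all-zero SHA are constructed assumptions.

```python
"""Flag workflow action references that are not full-URL, SHA-pinned mirrors."""
import re

# Matches the value of a step's "uses:" key, e.g.
#   - uses: https://git.quad4.io/actions/checkout@<sha>
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumed policy: only this mirror host is acceptable.
ALLOWED_HOSTS = ("git.quad4.io",)


def check_uses(ref: str, allowed_hosts=ALLOWED_HOSTS) -> list[str]:
    """Return the policy violations for one action reference ([] if compliant)."""
    if ref.startswith("./"):
        return []  # local action inside the same repository; nothing to pin
    if "@" not in ref:
        return ["no version pinned at all"]
    target, _, version = ref.rpartition("@")
    problems = []
    if not target.startswith("https://"):
        problems.append("not a full URL (short names resolve against the default host)")
    else:
        host = target[len("https://"):].split("/", 1)[0]
        if host not in allowed_hosts:
            problems.append(f"host {host!r} is not an approved mirror")
    if not SHA_RE.fullmatch(version):
        problems.append(f"version {version!r} is a mutable tag/branch, not a 40-hex commit SHA")
    return problems


def lint_workflow(text: str) -> dict[str, list[str]]:
    """Map each non-compliant `uses:` reference in a workflow to its violations."""
    findings = {}
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and (probs := check_uses(m.group(1))):
            findings[m.group(1)] = probs
    return findings


# Constructed sample workflow; the 40-zero SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: https://git.quad4.io/actions/checkout@0000000000000000000000000000000000000000
      - uses: https://github.com/actions/setup-go@main
      - uses: ./.gitea/actions/local-step
"""

if __name__ == "__main__":
    for ref, probs in lint_workflow(SAMPLE).items():
        print(ref, "->", "; ".join(probs))
```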