Security Policy
Purpose and Scope
This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.
Supported Versions
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Only the current major version receives security updates.
Reporting a Vulnerability
Report security vulnerabilities via Gitea issue (preferred): https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml
Or email: hello@mokoconsulting.tech
Where to Report
DO NOT create public issues for security vulnerabilities.
Report security vulnerabilities privately to:
Email: hello@mokoconsulting.tech
Subject Line: [SECURITY] Brief Description
What to Include
- Description: Clear explanation of the vulnerability
- Impact: Potential security impact and severity assessment
- Affected Versions: Which versions are vulnerable
- Reproduction Steps: Detailed steps to reproduce the issue
- Proof of Concept: Code or demonstration (if applicable)
- Suggested Fix: Proposed remediation (if known)
Response Timeline
- Initial Response: Within 3 business days
- Assessment Complete: Within 7 business days
- Fix Timeline: Depends on severity (see below)
Severity Classification
Critical
- API key exposure or leakage
- Remote code execution via API parameters
- Authentication bypass
- Fix Timeline: 7 days
High
- SQL injection via sqlfilters parameter
- Unauthorized access to Dolibarr data
- Fix Timeline: 14 days
Medium
- Information disclosure (limited scope)
- Configuration file exposure
- Fix Timeline: 30 days
Low
- Security best practice violations
- Minor information leaks
- Fix Timeline: 60 days or next release
Security Considerations
API Key Storage
- API keys are stored in `~/.dolibarr-api-mcp.json` with user-only file permissions
- Never commit API keys to version control
- The `.gitignore` excludes `.mcp.json` and environment files
SQL Filter Safety
- The `buildSqlFilter()` helper escapes single quotes to prevent SQL injection via the `sqlfilters` parameter
- All user-provided search terms are wrapped with the helper before being sent to Dolibarr
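Added example, not the project's own code: a `sqlfilters` builder that escapes single quotes the way the policy describes for `buildSqlFilter()`, with a field allowlist as an additional check, shown next to the naive concatenation it replaces. It assumes Dolibarr's `(t.field:operator:'value')` filter syntax and that escaping means doubling the quote; the function names and the field list are this example's own.

```typescript
// Assumed Dolibarr sqlfilters syntax: (t.field:op:'value'), e.g. (t.ref:like:'SO-%').
type FilterOp = '=' | '!=' | 'like' | '<' | '>';

// Constructed allowlist of columns a caller may filter on; a field name that is not
// listed is rejected instead of being interpolated into the filter expression.
const ALLOWED_FIELDS = new Set(['t.ref', 't.statut', 't.date_creation']);

function escapeSqlValue(value: string): string {
  // Strip NUL bytes (some drivers treat them as a terminator) and double every
  // single quote so a user-supplied term cannot close the quoted literal.
  return value.replace(/\0/g, '').replace(/'/g, "''");
}

// Hardened builder: only allowlisted fields, value always escaped and quoted.
function buildSqlFilter(field: string, op: FilterOp, value: string): string {
  if (!ALLOWED_FIELDS.has(field)) {
    throw new Error(`field not allowed in sqlfilters: ${field}`);
  }
  return `(${field}:${op}:'${escapeSqlValue(value)}')`;
}

// Naive concatenation, kept only to show what the helper prevents: a quote in
// the search term ends the literal early and the rest is parsed as filter syntax.
function unsafeSqlFilter(field: string, op: FilterOp, value: string): string {
  return `(${field}:${op}:'${value}')`;
}

function demo(): { safe: string; unsafe: string } {
  // Constructed search term containing a quote, as a user might type a surname.
  const term = "O'Brien";
  return {
    safe: buildSqlFilter('t.ref', 'like', `%${term}%`),
    unsafe: unsafeSqlFilter('t.ref', 'like', `%${term}%`),
  };
}
```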
TLS Verification
- The `insecure` connection option disables TLS certificate verification
- This should only be used for local development with self-signed certificates
- Production connections should always use valid TLS certificates
Attribution and Recognition
We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.
Revision History
| Date | Version | Author | Notes |
|---|---|---|---|
| 2026-05-07 | 0.0.1 | jmiller | Initial security policy |