docs: add security > threat model page (#2830)

Andrey Nering
2026-05-09 10:59:36 -03:00
committed by GitHub
parent 5f78da2d0a
commit dc64864643
3 changed files with 180 additions and 1 deletions


@@ -470,6 +470,10 @@ export default defineConfig({
{ {
text: 'Incident Response Plan', text: 'Incident Response Plan',
link: '/docs/security/incident-response-plan' link: '/docs/security/incident-response-plan'
},
{
text: 'Threat Model',
link: '/docs/security/threat-model'
} }
] ]
}, },
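Review bot: the new sidebar entry's `link: '/docs/security/threat-model'` has to match the on-disk path of the new page, which this rendered view does not show; the `[tm]: ./threat-model` reference added beside `[irp]: ./incident-response-plan` in the security page implies both files live in the same directory, so the two hunks are consistent with each other. The entry itself follows the existing `{ text, link }` shape, no further concerns.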


@@ -15,7 +15,8 @@ A member of the team will investigate as soon as possible and we will keep you
updated throughout the process. updated throughout the process.
You can read more about how we handle security-related issues in our [Incident You can read more about how we handle security-related issues in our [Incident
Response Plan][irp]. Response Plan][irp] and [Threat Model][tm].
[pvr]: https://github.com/go-task/task/security/advisories/new [pvr]: https://github.com/go-task/task/security/advisories/new
[irp]: ./incident-response-plan [irp]: ./incident-response-plan
[tm]: ./threat-model
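Review bot: wording in the changed sentence: the Incident Response Plan describes how issues are handled, while the Threat Model describes what the project defends against, so "how we handle security-related issues in our ... Threat Model" reads slightly off. Suggest: "You can read more about how we handle security-related issues in our [Incident Response Plan][irp], and about the threats we design against in our [Threat Model][tm]." The `[tm]` reference definition is correct as added.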


@@ -0,0 +1,174 @@
---
title: Threat Model
outline: deep
---
# Threat Model
This document outlines the security threats, assets, and mitigations for the
Task project. It serves as a high-level, public guide and is published as part
of our commitment to transparency.
## Asset Inventory
### Critical Assets
- **Source Code:** The Task CLI, build scripts, and configuration files
(e.g., `Taskfile.yml`, `.goreleaser.yml`).
- **Build Artifacts:** Compiled binaries, packages, and containers distributed
to users.
- **Secrets:** API tokens, signing keys, and repository credentials used in
CI/CD and release pipelines.
- **Release Metadata:** Version numbers, changelogs, and checksums.
- **CI/CD Pipelines & Runners:** GitHub Actions workflows that build, test, and
release the project.
- **Third-party Dependencies:** Go modules and tools used to build and
distribute Task.
- **Website & Documentation:** The taskfile.dev site and installation scripts.
### Asset Locations
- Local developer machines
- GitHub Actions runners
- GitHub Releases
- Public package registries (npm, Homebrew, Winget, Cloudsmith)
- Source control platforms (GitHub)
- Netlify (website hosting)
## Threat Model
### Actors
- **Maintainers & Contributors:** Trusted users with varying levels of
repository access.
- **External Attackers:** Untrusted users seeking to compromise builds,
releases, or user systems.
- **Supply Chain Threats:** Malicious dependencies or compromised third-party
services.
- **CI/CD Systems:** Automated agents that may be exploited if misconfigured.
### Entry Points
- Source code contributions (pull requests, issues)
- Configuration files and build scripts
- CI/CD integration and environment variables
- Third-party dependencies
- Release pipelines and artifact repositories
- Remote Taskfile fetching (HTTP, Git)
- Installation scripts
### Trust Boundaries
- Between the project repository and the CI/CD environment
- Between Task and remote Taskfiles fetched over the network
- Between artifact generation and distribution channels
- Between the Task binary and user-defined shell commands
### Threats
#### Supply Chain Attacks
- Compromised Go dependencies or build tools
- Unauthorized changes to source code or configuration
- Exploitation of third-party CI/CD or package registry services
- Compromised installation scripts or distribution channels
#### Secrets Leakage
- Exposure of tokens, credentials, or signing keys in logs, error messages,
or artifacts
- Hardcoded secrets in code or configuration
- Improper secret management in CI/CD environments
#### Code Execution / Injection
- Malicious code execution via compromised pull requests or dependencies
- Remote code execution vulnerabilities in Task or its dependencies
- **Note:** Task intentionally executes user-defined shell commands as part of
its core functionality. Users are responsible for the commands they define in
their Taskfiles.
#### Unauthorized Access
- Unauthorized users triggering releases or accessing sensitive artifacts
- Insecure permissions on runners, repositories, or artifact stores
- Compromised maintainer accounts
#### Data Integrity & Tampering
- Tampering with build artifacts, changelogs, or metadata
- Compromise of signing keys, leading to malicious releases
- Man-in-the-middle attacks against remote Taskfile fetching
#### Denial of Service
- Abuse of CI/CD resources, bandwidth, or artifact storage
- Overloading automated processes or API endpoints
- Malicious Taskfiles designed to exhaust system resources
## Mitigations
### Supply Chain Security
- Pin dependencies and use trusted sources
- Mandatory code review and CI checks on all incoming pull requests
- Signed commits and release tags
- Enable immutable releases where supported
- Run `govulncheck` on every commit and tag
- Pin GitHub Actions to specific commit SHAs
### Secrets Management
- Secure storage using GitHub Secrets
- Never log or expose secrets in build or release outputs
- Regularly rotate secrets and monitor for suspicious activity
- Use least-privilege tokens scoped to specific repositories
### Secure Code Execution
- Validate and sanitize configuration files and user inputs
- Audit dependencies for vulnerabilities
- HTTP is rejected for remote Taskfiles by default (requires `--insecure` flag)
- TLS certificate verification for remote Git repositories
### Access Control
- Enforce least privilege for CI/CD runners, repositories, and artifact stores
- Require multi-factor authentication for maintainers
- Restrict release triggers to tagged releases only
- Lower permissions of less active maintainers
### Artifact Integrity
- Generate checksums for all release artifacts
- Distribute artifacts via trusted, access-controlled repositories
- Verify signatures and checksums in installation scripts where possible
### Availability Protection
- Implement rate limiting and resource quotas on CI/CD jobs
- Monitor for abnormal activity and automate alerts
- Set timeouts on network operations (e.g., remote Taskfile fetching)
## Residual Risks
- Zero-day vulnerabilities in dependencies, CI/CD systems, or Task itself
- Social engineering attacks targeting maintainers
- Unnoticed supply chain compromises
- Human error in configuration or secret management
- Users fetching malicious remote Taskfiles from untrusted sources
## Security Best Practices
- Regularly update dependencies and build tools
- Monitor security advisories and patch vulnerabilities promptly
- Educate contributors on secure coding and secrets hygiene
- Document security policies and incident response procedures
## References
- [Task Documentation](https://taskfile.dev/)
- [Incident Response Plan](./incident-response-plan)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Supply Chain Security](https://slsa.dev/)
- [GitHub Security Best Practices](https://docs.github.com/en/code-security)
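Review bot: the "Man-in-the-middle attacks against remote Taskfile fetching" threat under Data Integrity & Tampering is answered only by transport-level mitigations (HTTP rejected by default, TLS verification for Git); nothing in Mitigations says what happens when the content of a remote Taskfile changes between runs. If Task pins remote Taskfile content (checksum or trust prompt), state that under Artifact Integrity or Secure Code Execution; if it does not, add the gap to Residual Risks next to "Users fetching malicious remote Taskfiles from untrusted sources". Two smaller points: the section heading `## Threat Model` repeats the page title `# Threat Model`, which will show twice in the outline given `outline: deep`, so something like `## Threat Analysis` reads better; and under Secure Code Execution, "Validate and sanitize configuration files and user inputs" sits awkwardly beside the note that Task intentionally executes user-defined shell commands, so it should say what is actually validated (e.g. Taskfile structure, remote URLs) rather than imply that user commands are sanitized.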