imhotep/Imhotep
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
92deb689cd212677ef3282b303963e2695795969
Imhotep/SECURITY.md
T

1.7 KiB
Raw Blame History

Security Policy

Supported Versions

Version Supported
1.0.x yes
< 1.0 no

Trust Model

Imhotep is a test framework. It runs with the privileges of the invoking test process.

Primary trust boundaries:

  1. Node test process (full local process privileges)
  2. Playwright browser context (page JavaScript execution)
  3. CDP extraction channel (local browser debugging protocol)

Execution Safety Posture

  • No dynamic eval/new Function based execution for assertions.
  • Assertions are compiled to structured representations (AST/IR/FOL), then evaluated.
  • Runtime extraction diagnostics fail closed instead of silently passing unsupported cases.

CDP Constraints

  • CDP usage is intended for local Playwright sessions.
  • Extraction is read-oriented (DOM/CSS/layout facts) with temporary correlation attributes removed after use.
  • No built-in remote debugger dialing behavior is provided by framework defaults.

User-Supplied Code Risks

The following run as trusted code and must be treated accordingly:

  • custom renderer adapters
  • custom predicates/evaluators
  • fixture pages loaded in browser contexts

Do not run untrusted fixtures, renderers, or test helpers in privileged environments.

Data Sensitivity

Imhotep outputs may include selectors, text labels, geometry, and diagnostics.

  • Treat logs/artifacts as potentially sensitive in CI.
  • Redact or avoid committing environment-specific secrets captured by test harness code.

Vulnerability Reporting

Open a GitHub issue labeled security for non-sensitive reports.

If disclosure should be private first, include "PRIVATE SECURITY REPORT" in the issue title and avoid posting exploit details until maintainers respond.

Reference in New Issue View Git Blame Copy Permalink