@kreuzberg-dev/security-and-vulnerability-management

---
name: security-and-vulnerability-management
description: "Instructions for security and vulnerability management."
---

______________________________________________________________________

## priority: critical

# Security & Vulnerability Management

## Dependency Auditing

- `cargo audit` on every CI run (fail on known vulns)
- `cargo deny check advisories bans sources` for comprehensive checks
- Pin critical deps to known-safe versions

## Fuzzing

- `cargo-fuzz` with targets in `fuzz/fuzz_targets/` for each public API surface
- Run in CI with timeout limits
- Save failing inputs as regression tests

## Unsafe Code

- EVERY `unsafe` block needs `// SAFETY:` comment (invariant, why it holds, what breaks)
- Isolate unsafe in dedicated modules; public API must be safe
- Review checklist: valid pointers, aligned, no UAF, no double-free, no data races, type safety across FFI

## Security Testing

- No panics on untrusted input (return `Result`, never `unwrap()`)
- Test adversarial inputs: empty, max-size, null pointers, concurrency stress
- Property-based testing with `proptest`

## deny.toml

```toml
[advisories]
vulnerability = "deny"
unmaintained = "warn"

[bans]
multiple-versions = "warn"
wildcards = "warn"

[sources]
unknown-registry = "warn"
unknown-git = "warn"
```

## Release Security Checklist

- [ ] `cargo audit` + `cargo deny check` pass
- [ ] All unsafe blocks have SAFETY comments
- [ ] Fuzzing targets pass
- [ ] No panics on arbitrary input
- [ ] SECURITY.md updated

## Anti-Patterns

- No SAFETY comments on unsafe
- Unsafe in public API
- Ignoring cargo-audit warnings
- `unwrap()` on untrusted input
- No fuzzing of parsers
- Outdated dependencies