From aa38c3797e134f9a52db91248217d2caf8aaef4a Mon Sep 17 00:00:00 2001
From: Stefano Bertelli
Date: Fri, 3 Apr 2026 00:35:42 -0500
Subject: [PATCH] ci: add security policy, CodeQL scanning, enable Dependabot
---
 .github/workflows/codeql.yml | 31 ++++++++++++++++++++++++++++
 SECURITY.md | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..6b888d2
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+ push:
+ branches:
+ - main
+ - dev
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: "0 6 * * 1"
+
+jobs:
+ analyze:
+ name: Analyze (Python)
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..1c35206
--- /dev/null
+++ b/SECURITY.md
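Review bot: The `pull_request` trigger only lists `main`, while `push` also covers `dev`, so pull requests targeting `dev` are not scanned until after they are merged; add `- dev` under the `pull_request` `branches` list so findings surface before merge. The three `uses:` references (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) are pinned to mutable tags; for a job that holds `security-events: write`, pinning each to a full-length commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<commit-sha> # v4`) removes the risk of a retagged release changing the code that runs. The commit subject also says "enable Dependabot", but no `.github/dependabot.yml` is part of the diff; if that was done through repository settings, a sentence in the description saying so would save readers looking for a missing file.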
@@ -0,0 +1,39 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|--------------------|
+| latest | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in WireGUI, please report it responsibly through **GitHub's private vulnerability reporting**:
+
+1. Go to the [Security Advisories](https://github.com/bartei/wiregui/security/advisories) page
+2. Click **"Report a vulnerability"**
+3. Fill in the details of the vulnerability
+
+Please **do not** open a public issue for security vulnerabilities.
+
+## What to Expect
+
+- You will receive an acknowledgment within **48 hours**
+- We will provide a timeline for a fix within **7 days**
+- Security patches will be released as soon as possible
+
+## Scope
+
+The following are in scope for security reports:
+
+- Authentication and authorization bypasses
+- SQL injection, XSS, CSRF, or other injection vulnerabilities
+- WireGuard configuration issues that could expose private keys
+- API token or session handling flaws
+- Privilege escalation between user roles
+
+## Out of Scope
+
+- Denial of service (DoS) attacks
+- Issues in third-party dependencies (report these upstream)
+- Social engineering attacks
\ No newline at end of file