Security is a core tenet of ForgeTS. We adhere to NIST 800-53 Rev5 standards where applicable.
- Least Privilege: All generated services and roles default to minimum necessary permissions.
- Secrets Management: No secrets in code. Use
.envfile patterns or proper secret stores (AWS Secrets Manager, HashiCorp Vault) for production. - Dependency Safety: We pin dependencies where possible and regularly scan for vulnerabilities.
The project validates against NIST controls. See compliance/ directory (if available) or the Compliance Documentation (link to be updated) for audit logs.
If you discover a security vulnerability in ForgeTS, please DO NOT open a public issue. Refer to SECURITY.md in the root of the repository for reporting instructions.