middyjs · willfarrell · May 3, 2025 · May 2, 2025 · May 3, 2025 · May 3, 2025
@@ -23,8 +23,8 @@ assignees: ''
 **Any other comments?**
 
 **Todo List:**
-- [ ] Feature/Fix fully implemented
 - [ ] All commits are cryptographically signed
+- [ ] Feature/Fix fully implemented
 - [ ] Updated relevant types
 - [ ] Added tests (if applicable)
   - [ ] Unit tests

@@ -17,9 +17,25 @@ Our goal is to ensure Middy meets security best practices as outlined by the fol
 
 Core maintainers use Middy extensively within their own organizations that meet the above standards tested using SecurityHub and penetration testing.
 
+## Secure design principles
+
+- secure by default
+- use white lists
+- no backdoors
+- follow least privilege
+- keep it simple
+
 ## Supported Versions
 Only the latest version is supported for security updates.
 
+## Threat model
+
+All options and configuration are assume to be trusted as we are configured by the implementing developer. It's up the implement IAM properly.
+
+## Trust Boundaries
+
+Middy is implemented within AWS Lambda. The Lambda execution and configuration of middy is trusted. It's up to the implementing developer to apply input validation to ensure the event is properly structured and safe to use for the handler. User inputs to all packages are fuzzed.
+
 ## Reporting a Vulnerability
 
 The Middy OSS team and community take all security vulnerabilities

@@ -4,11 +4,83 @@ In the spirit of Open Source Software, everyone is very welcome to contribute to
 
 Before contributing to the project, make sure to have a look at our [Code of Conduct](/.github/CODE_OF_CONDUCT.md).
 
-To ensure we're following FLOSS Best Practices:
-- We require all commits to have be `Signed-off-by`, by including `name` & `email`
-- We require all commits to have signature verification [GitHub Docs: About commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+Want to help, but finding new features and bugs a little daunting to tackle. Improving documentation (grammar, spelling, examples, internationalization), improving unit test coverage, and refactoring to use newer native APIs are great places to add value.
 
-If you are a maintainer and want to release a new version of Middy, consult the dedicated [RELEASE manual](/docs/RELEASE.md).
+
+## 1. Fork
+
+Ensure git history is pulled from the `develop` branch.
+
+## 2. Setup
+
+```bash
+npm i -g @sandworm/audit
+brew install semgrep
+brew install trufflehog
+brew install --cask zap
+```
+
+## 3. Implementation
+
+When necessary ensure changes follow secure design principles. See [SECURITY.md](/SECURITY.md)
+
+## 4. Testing
+
+```bash
+npm test
+```
+
+Ensure tests are updated and pass. All tests are automatically enforced using GitHub Actions on Pull-Requests.
+
+### Formating / Linting
+
+We use `biome` with recommended configurations plus a few correctness additions.
+
+### Unit tests
+
+We use `node --test` with a minimum test coverage of:
+
+- lines: >=90%
+- branches: >=80%
+- functions: >=90%
+
+Of course higher is always better. Bug fixes should always start with a failing unit test.
+New features should have acceptance and rejection tests.
+
+### SAST
+
+We use `CodeQL` & `semgrep` to ensure code is written in a secure way.
+
+#### SCA
+
+We use `DependaBot` & `sandworm` to ensure dependancies as free of known vulnerabilities.
+
+### DAST
+
+We use `fast-check` to run fuzzing on user inputs. It is expected that user inputs are pre-validated and/or sanitized
+before reaching this packages inputs.
+
+### Performance benchmarks
+
+We use `tinybench` to ensure there are no performance regressions.
+
+## 5. Committing
+
+Ensure git commits meet the following FLOSS Best Practices:
+
+- Message follows [Conventional Commits](https://www.conventionalcommits.org/) pattern. This is automatically enforce using `@commitlint/cli`.
+- Message includes sign off for [Developer Certificate of Origin (DCO)](https://developercertificate.org/) compliance. This is automatically enforced using GitHub Actions on Pull-Requests.
+  a. `git config --global user.name "Your Name"` and `git config --global user.email username@example.org` setup with `--signoff` flag on `git commit`
+  a. Or, `Signed-off-by: username <email address>` as the last line of a commit, when a change is made through GitHub
+- Commit is cryptographically signed and can be verified. This is automatically enforced GitHub security configuration. [GitHub Docs: About commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+
+## 6. Pull Request (PR)
+
+Submit a PR to the `develop` branch. Keep PR in draft mode until all automated tests are successful. Once ready, at least 2 maintainers will review the PR and request changes if necessary. Reviewers will be evaluating for secure design principles.
+
+## 7. Release
+
+If you are a maintainer and want to release a new version, consult the [RELEASE manual](/docs/RELEASE.md).
 
 ## License
 

@@ -0,0 +1,25 @@
+# Governance
+
+## Roles
+
+### [Owner](https://github.com/orgs/middyjs/teams/owners)
+
+Also known as a core maintainer. Have a long history with the project, have a deep understanding of the codebase, and decide the direction of the project.
+
+### [Security](https://github.com/orgs/middyjs/teams/security)
+
+Are responsible to respond and remediate security disclosures.
+
+### [Reviewer](https://github.com/orgs/middyjs/teams/reviewers)
+
+Group of people responsible for reviewing pull requests.
+
+## Decisions
+
+All discussion and decisions are documented in a GitHub Issue to allow transparency and community feedback. Video calls to go over larger decisions and those that relate to governance may happen periodically.
+
+## Maintainers
+
+- Project must maintain a minimum of 3 maintainers with at least two unassociated significant contributors
+- All maintainers are required to have WebAuthn MFA enable on their account.
+- Required to know secure design principals.
@@ -9,6 +9,7 @@ import HomepageFeatures from "../components/HomepageFeatures";
 // import HomepageWhatUsersSay from '../components/HomepageWhatUsersSay'
 // import HomepageWhoUses from '../components/HomepageWhoUses'
 import HomepageSponsors from "../components/HomepageSponsors";
+
 import styles from "./index.module.css";
 
 function HomepageHeader() {
@@ -18,7 +19,7 @@ function HomepageHeader() {
 				<img
 					className={styles.logo}
 					alt="Middy.js"
-					src="/img/logo/middy-logo.svg"
+					src="/img/middy-logo.svg"
 					width="350"
 				/>
 				<p className="hero__subtitle">