From 80c368f4a5618776e4a057795f1f1d00b1f65038 Mon Sep 17 00:00:00 2001
From: reeshika-h <reeshika.hosmani@contentstack.com>
Date: Fri, 9 Jan 2026 13:28:25 +0530
Subject: [PATCH 1/4] added security file

---
 SECURITY.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..b5fe070
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+## Security
+
+Contentstack takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations.
+
+If you believe you have found a security vulnerability in any Contentstack-owned repository, please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Send email to [security@contentstack.com](mailto:security@contentstack.com).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+[https://www.contentstack.com/trust/](https://www.contentstack.com/trust/)

From 582ad029761e0c6d0e8fc0e906046e167e306c76 Mon Sep 17 00:00:00 2001
From: reeshika-h <reeshika.hosmani@contentstack.com>
Date: Fri, 9 Jan 2026 13:34:16 +0530
Subject: [PATCH 2/4] Update SCA workflow to use OSV Scanner and Dart setup;

---
 .github/workflows/sca-scan.yml | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml
index f09161f..5fabf87 100644
--- a/.github/workflows/sca-scan.yml
+++ b/.github/workflows/sca-scan.yml
@@ -6,10 +6,27 @@ jobs:
   security-sca:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/node@master
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - uses: actions/checkout@v4
+      
+      - name: Set up Dart
+        uses: dart-lang/setup-dart@v1
         with:
-          args: --all-projects --fail-on=all
+          sdk: stable
+      
+      - name: Install dependencies
+        run: dart pub get
+      
+      - name: Check for outdated dependencies
+        run: dart pub outdated --json > outdated.json || true
+      
+      - name: Run OSV Scanner for vulnerabilities
+        uses: google/osv-scanner-action@v1
+        with:
+          scan-args: |-
+            --lockfile=pubspec.lock
+      
+      - name: Display outdated packages
+        if: always()
+        run: |
+          echo "Checking for outdated packages..."
+          dart pub outdated || true

From 167ff1d236ff22df4e06946a469ee9eaa40dc3cb Mon Sep 17 00:00:00 2001
From: reeshika-h <reeshika.hosmani@contentstack.com>
Date: Fri, 9 Jan 2026 13:36:21 +0530
Subject: [PATCH 3/4] Refactor SCA workflow to streamline OSV Scanner
 integration and improve output handling

---
 .github/workflows/sca-scan.yml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml
index 5fabf87..b425f01 100644
--- a/.github/workflows/sca-scan.yml
+++ b/.github/workflows/sca-scan.yml
@@ -17,16 +17,20 @@ jobs:
         run: dart pub get
       
       - name: Check for outdated dependencies
-        run: dart pub outdated --json > outdated.json || true
+        run: dart pub outdated || true
       
       - name: Run OSV Scanner for vulnerabilities
-        uses: google/osv-scanner-action@v1
-        with:
-          scan-args: |-
-            --lockfile=pubspec.lock
+        run: |
+          curl -L https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -o osv-scanner
+          chmod +x osv-scanner
+          ./osv-scanner --lockfile=pubspec.lock --format=json --output=osv-results.json || true
       
-      - name: Display outdated packages
+      - name: Display OSV Scanner results
         if: always()
         run: |
-          echo "Checking for outdated packages..."
-          dart pub outdated || true
+          if [ -f osv-results.json ]; then
+            echo "OSV Scanner Results:"
+            cat osv-results.json
+          else
+            echo "No vulnerabilities found!"
+          fi

From cd5c03a221c0637b11e9682eb36210c302c6aed8 Mon Sep 17 00:00:00 2001
From: harshithad0703 <104908717+harshithad0703@users.noreply.github.com>
Date: Mon, 12 Jan 2026 12:22:47 +0530
Subject: [PATCH 4/4] Change PR merge restrictions from 'next' to 'staging'

---
 .github/workflows/check-branch.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/check-branch.yml b/.github/workflows/check-branch.yml
index 1e2d24a..2332f0d 100644
--- a/.github/workflows/check-branch.yml
+++ b/.github/workflows/check-branch.yml
@@ -8,13 +8,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Comment PR
-        if: github.base_ref == 'master' && github.head_ref != 'next'
+        if: github.base_ref == 'master' && github.head_ref != 'staging'
         uses: thollander/actions-comment-pull-request@v2
         with:
           message: |
-            We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch.
+            We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the staging branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch.
       - name: Check branch
-        if: github.base_ref == 'master' && github.head_ref != 'next'
+        if: github.base_ref == 'master' && github.head_ref != 'staging'
         run: |
-          echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the next branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch."
-          exit 1
\ No newline at end of file
+          echo "ERROR: We regret to inform you that you are currently not able to merge your changes into the master branch due to restrictions applied by our SRE team. To proceed with merging your changes, we kindly request that you create a pull request from the staging branch. Our team will then review the changes and work with you to ensure a successful merge into the master branch."
+          exit 1