Skip to content

Security: d-oit/command-verify

Security

.github/SECURITY.md

Security Configuration

This document outlines the security measures and configurations implemented in our GitHub Actions workflows.

πŸ”’ Security Features Implemented

Phase 1 Critical Security Fixes

1. Updated GitHub Actions

  • actions/checkout: Updated to v4 (latest secure version)
  • actions/setup-node: Updated to v4 (latest secure version)
  • CodeQL Actions: Downgraded to v3 for stability
  • Release Actions: Replaced deprecated actions/create-release with softprops/action-gh-release@v2

2. Granular Permissions

All workflows now use principle of least privilege:

  • CI Workflow (ci.yml):

    • test job: contents: read
    • verify-commands job: contents: read
    • security job: actions: read, contents: read, security-events: write

  • Release Workflow (release.yml):

    • release job: contents: write, issues: write, pull-requests: write, discussions: write
    • update-docs job: contents: write

  • Security Workflow (security.yml):

    • All jobs: Explicit permissions instead of defaults

3. Enhanced Security Scanning

CodeQL Integration
  • Configured with .github/codeql-config.yml
  • Security and quality queries enabled
  • JavaScript language scanning
  • SARIF results output for GitHub Security tab
Vulnerability Scanning
  • Trivy: Container and filesystem vulnerability scanning
  • OpenSSF Scorecard: Supply chain security assessment
  • npm audit: Dependency vulnerability checks
Secret Scanning
  • Gitleaks: Git history secret detection
  • TruffleHog: Advanced secret scanning across commits

4. Environment Protection

  • FORCE_COLOR: 3 environment variable for consistent output
  • Explicit environment contexts in release workflows

5. Input Validation

  • Version format validation in release workflow
  • Regex pattern matching for semantic versioning
  • Sanitization of user inputs

6. Secret Management

  • Secure token handling with GITHUB_TOKEN
  • Required secrets clearly identified
  • Audit logging for automated dependency updates

πŸ›‘οΈ Security Scanning Matrix

Tool Purpose Frequency Output
CodeQL Static code analysis Every push/PR SARIF to Security tab
Trivy Vulnerability scanning Every push/PR SARIF to Security tab
Scorecard Supply chain security PRs SARIF to Security tab
npm audit Dependency vulnerabilities Scheduled + PRs Console output
Gitleaks Secret detection Scheduled + PRs Console output
TruffleHog Advanced secrets Scheduled + PRs Console output
License checker License compliance Scheduled Console output

πŸ” Workflow Permissions Summary

CI Workflow

permissions:
  contents: read          # Read repository contents
  actions: read           # Read actions status (security job)
  security-events: write  # Write security scan results

Release Workflow

permissions:
  contents: write         # Write releases and tags
  issues: write           # Create discussions
  pull-requests: write    # Update PRs
  discussions: write      # Create release discussions

Security Workflow

permissions:
  contents: read          # Read code for scanning
  actions: read           # Read workflow status
  security-events: write  # Write scan results
  pull-requests: read     # Read PR details

🚨 Security Monitoring

Automated Alerts

  • Security scan failures trigger workflow failures
  • High-severity vulnerabilities block releases
  • Secret detection failures require manual review

Manual Review Requirements

  • Dependency updates require security review
  • New high-risk permissions need approval
  • Breaking changes in dependencies need validation

πŸ“‹ Security Checklist

Pre-Merge Checks

  • All security scans pass
  • No critical vulnerabilities introduced
  • Dependencies reviewed for license compliance
  • Secrets not committed to repository

Release Checks

  • Security audit passes
  • CodeQL analysis clean
  • Dependency vulnerabilities addressed
  • No secrets in release assets

πŸ”„ Maintenance

Regular Updates

  • Review GitHub Actions versions quarterly
  • Update security scanning tools monthly
  • Audit permissions annually

Incident Response

  • Security scan failures: Address immediately
  • Secret leaks: Rotate affected secrets + revoke access
  • Vulnerability alerts: Patch within SLA

πŸ“ž Contact

For security concerns, please use GitHub Security Advisories or contact the maintainers directly.

There aren’t any published security advisories