
feat(ci): central bundled Security Scan gate (osv hard-gate + trivy + scorecard)#310

Open
seonghobae wants to merge 1 commit into main from feat/central-security-gate

Conversation

@seonghobae

Contributor

Purpose

Bundle the scattered security scanners into **one central required workflow, Security Scan**, and make osv a hard gate. (User request: "Let's make it a hard gate and bundle it together with the security scanners.")

Bundle composition (gating per job = ref-independent)

| Job | Nature | Scope |
| --- | --- | --- |
| osv-scan | HARD (fail-on-vuln: true) | diff: blocks only new vulnerabilities the PR introduces |
| dependency-review | HARD | diff: blocks vulnerable or license-denied dependencies the PR adds |
| trivy-fs | HARD (exit-code: 1, ignore-unfixed) | repo-wide: fixable CRITICAL/HIGH |
| scorecard | SOFT (continue-on-error) | repo posture: visibility only, never blocks |

Why gate with workflow checks instead of a code_scanning rule

Default-setup CodeQL uploads SARIF to refs/pull/N/head, while pull_request workflows upload to refs/pull/N/merge, so no single ref has results from every tool. Putting multiple tools into the code_scanning rule therefore BLOCKS every PR permanently. So code_scanning stays CodeQL-only, and the rest is gated by workflow job results (ref-independent).

Follow-ups (after this PR is merged)

  1. Org ruleset required-workflows list: remove osv-scanner-pr.yml + scorecard-pr.yml, add security-scan.yml
  2. Delete the old osv-scanner-pr.yml and scorecard-pr.yml (cleanup PR)
  3. Remove the duplicate Trivy in per-repo security-process.yml (optional)

⚠️ Caution

Because trivy-fs scans the whole repo, if a repo already has fixable CRITICAL/HIGH findings, every PR in that repo is blocked until they are fixed. If that is too strict, it can be lowered to exit-code: "0" to make it visibility-only.

🤖 Generated with Claude Code

… scorecard)

Bundles the supply-chain/vulnerability/posture scanners into one required org
workflow that gates as a unit, replacing the separate osv-scanner-pr and
scorecard-pr workflows:

- osv-scan: HARD, diff-scoped (fail-on-vuln: true) — blocks on NEW vulns
- dependency-review: HARD, diff-scoped — blocks vulnerable/denied added deps
- trivy-fs: HARD, repo-wide fixable CRITICAL/HIGH
- scorecard: SOFT (continue-on-error) — posture visibility, never blocks

Gating is by job result (ref-independent), not the code_scanning rule, which
stays CodeQL-only to avoid the cross-tool SARIF-ref mismatch that blocked every
merge org-wide.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
```yaml
permissions:
  actions: read
  contents: read
  security-events: write
```
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.
