
P1: Supply chain — Dependabot, npm audit gate, image scan, SBOM #175

Description

@dkijania

Problem

No supply-chain controls: there is no dependabot.yml, no npm audit gate in CI, no container image scanning (Trivy/Grype), and no SBOM.

Proposal

  • Add Dependabot for npm + GitHub Actions.
  • Add an npm audit (or equivalent SCA) gate to CI.
  • Scan the built image (Trivy/Grype) in CI.
  • Generate and publish an SBOM with releases.

Acceptance

  • Dependency and image vulnerabilities are surfaced in CI; SBOM ships with releases.

Part of #163.
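One concrete shape for the four proposed controls, as an added example that is not the project's own configuration and not part of the issue: a `dependabot.yml` plus one CI workflow that runs the npm audit gate, scans the locally built image with Trivy, and generates a CycloneDX SBOM that is attached to the GitHub release. Node 20, a Dockerfile at the repository root, the image name `app`, the HIGH/CRITICAL threshold and the workflow file names are assumptions; the two files are shown as two YAML documents in one block.

```yaml
# .github/dependabot.yml (added example, not this project's own config)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule: { interval: weekly }
  - package-ecosystem: github-actions
    directory: /
    schedule: { interval: weekly }
---
# .github/workflows/supply-chain.yml (added example; names and thresholds assumed)
name: supply-chain
on:
  pull_request:
  release:
    types: [published]
permissions:
  contents: write   # only needed for the release-asset upload in the last step
jobs:
  supply-chain:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20, cache: npm }
      # SCA gate: npm audit exits non-zero (job fails) on high/critical advisories.
      - name: Install and npm audit gate
        run: npm ci && npm audit --audit-level=high
      - name: Build image
        run: docker build -t app:${{ github.sha }} .
      # Image scan gate on the locally built (not yet pushed) image: exit 1 on fixable HIGH/CRITICAL findings.
      - name: Trivy image scan
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          image-ref: app:${{ github.sha }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
      # SBOM of the exact image that was scanned; on a published release it ships as a release asset.
      - name: Generate SBOM (CycloneDX)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          format: cyclonedx
          output: sbom.cdx.json
      - name: Attach SBOM to release
        if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" sbom.cdx.json --clobber
```

Both gates fail the job rather than only reporting, which is what makes the findings "surfaced in CI" in the acceptance sense; the `--audit-level` and `severity` thresholds are the knobs to tune if the gate is initially too noisy.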


Labels

  • P1: Strongly recommended before GA
  • enhancement: New feature or request
  • production-readiness: Work toward making the API production-ready / publicly available
