P1: Supply-chain security — Dependabot, npm audit gate, Trivy, SBOM (#175) #192

Open

dkijania wants to merge 1 commit into main from ci/supply-chain

P1: Supply-chain security — Dependabot, npm audit gate, Trivy, SBOM (#175)#192
dkijania wants to merge 1 commit into
mainfrom
ci/supply-chain

Conversation

dkijania (Contributor) commented Jun 28, 2026

What & why

Part of the production-readiness epic (#163). Refs #175.

There were no supply-chain controls: no Dependabot, no audit gate, no SBOM.

Changes

  • .github/dependabot.yml — weekly updates for npm (production/development grouped), GitHub Actions, and Docker (keeps the pinned base-image digest from #171 (P1: Container hardening — node as PID 1 / tini, HEALTHCHECK, pin digest) fresh).
  • .github/workflows/security.yaml:
    • npm audit — hard gate on critical advisories in production deps (what actually ships in the image/npm package), plus a full informational audit for visibility.
    • CycloneDX SBOM generation, uploaded as a build artifact.

Notes

Testing

  • npm audit --omit=dev --audit-level=critical → exit 0 (the blocking gate passes)
  • prettier --debug-check . — clean; YAML validated
  • No application code changed.

🤖 Generated with Claude Code

dkijania added the labels production-readiness (Work toward making the API production-ready / publicly available) and P1 (Strongly recommended before GA) on Jun 28, 2026
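For readers who want to see what the first bullet amounts to, here is an added example of a Dependabot configuration matching that description. It is illustrative and is not the PR's actual `.github/dependabot.yml`; the `directory: /` values and the group names are assumptions, and the grouping uses Dependabot's documented `groups` / `dependency-type` keys.

```yaml
# Added illustration, not the PR's own .github/dependabot.yml.
# Assumptions: manifests live at the repository root ("/"); the group
# names are invented.
version: 2
updates:
  # npm: weekly, with production and development dependencies batched into
  # separate PRs so a pile of devDependency bumps does not bury a runtime one.
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    groups:
      production-dependencies:
        dependency-type: production
      development-dependencies:
        dependency-type: development

  # GitHub Actions: keeps the `uses:` pins in workflow files current.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

  # Docker: bumps the FROM image, including a pinned @sha256 digest, so a
  # digest-pinned base image is refreshed instead of silently going stale.
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
```

Splitting npm updates into a production group and a development group is what makes the audit gate's "what actually ships" distinction reviewable: a runtime dependency bump arrives on its own PR rather than mixed with linters and test tooling.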
There were no supply-chain controls: no Dependabot, no audit gate, no SBOM.

- `.github/dependabot.yml`: weekly updates for npm (production/development
  grouped), GitHub Actions, and Docker (keeps the pinned base-image digest
  fresh).
- `.github/workflows/security.yaml`:
  - npm audit — hard gate on **critical** advisories in production deps (what
    actually ships), plus a full informational audit. Production deps currently
    have 0 critical, so the gate passes; the 4 highs are OpenTelemetry/fast-uri
    transitives that Dependabot / the Yoga 5 upgrade (#176) will clear.
  - CycloneDX SBOM generation, uploaded as an artifact.

Dependency/image vulnerability scanning (Trivy/Grype) is deferred so the scanner
action can be verified separately rather than shipped red — Dependabot (npm +
docker) already surfaces vulnerable deps and base images in the meantime.

Refs #175.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QSuak9smCHbp4N17xjjLF6
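To make the two workflow controls above concrete, here is an added example of a GitHub Actions workflow implementing them. It is not the PR's actual `.github/workflows/security.yaml`; the job and step names, the Node version, and the use of the `@cyclonedx/cyclonedx-npm` CLI (with its `--omit` and `--output-file` flags) for SBOM generation are assumptions.

```yaml
# Added illustration, not the PR's own .github/workflows/security.yaml.
# Assumptions: Node 20, an npm lockfile in the repo root, and the
# @cyclonedx/cyclonedx-npm CLI for SBOM generation; job/step names are invented.
name: security

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      # --ignore-scripts keeps install-time lifecycle scripts of third-party
      # packages from running on the CI runner.
      - run: npm ci --ignore-scripts

      # Blocking gate: production dependencies only (what ships), critical
      # severity only. npm audit exits non-zero when an advisory at or above
      # --audit-level is present, which fails this job.
      - name: Audit production deps (blocking)
        run: npm audit --omit=dev --audit-level=critical

      # Informational: the full tree including devDependencies. The step is
      # allowed to fail so high/moderate findings stay visible without
      # turning the check red.
      - name: Full audit (informational)
        run: npm audit
        continue-on-error: true

  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci --ignore-scripts

      # CycloneDX SBOM of the installed tree, omitting devDependencies so the
      # inventory covers the same set the blocking gate does.
      - name: Generate CycloneDX SBOM
        run: npx --yes @cyclonedx/cyclonedx-npm --omit dev --output-file sbom.cdx.json

      # Published as a build artifact so it can be attached to a release or
      # fed to a downstream vulnerability scanner later.
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```

Keeping the gate at `--omit=dev --audit-level=critical` is what lets the four high-severity transitive findings mentioned above surface in the informational step without blocking merges while the Yoga 5 upgrade is pending.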