P1: Supply-chain security — Dependabot, npm audit gate, Trivy, SBOM (#175) #192
Open
dkijania wants to merge 1 commit into
Conversation
There were no supply-chain controls: no Dependabot, no audit gate, no SBOM.
- `.github/dependabot.yml`: weekly updates for npm (production/development
  grouped), GitHub Actions, and Docker (keeps the pinned base-image digest
  fresh).
- `.github/workflows/security.yaml`:
  - npm audit — hard gate on **critical** advisories in production deps (what
    actually ships), plus a full informational audit. Production deps currently
    have 0 critical, so the gate passes; the 4 highs are OpenTelemetry/fast-uri
    transitives that Dependabot / the Yoga 5 upgrade (#176) will clear.
  - CycloneDX SBOM generation, uploaded as an artifact.
Dependency/image vulnerability scanning (Trivy/Grype) is deferred so the scanner
action can be verified separately rather than shipped red — Dependabot (npm +
docker) already surfaces vulnerable deps and base images in the meantime.
Refs #175.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QSuak9smCHbp4N17xjjLF6
4b3df1e to ae4e571
What & why
Part of the production-readiness epic (#163). Refs #175.
There were no supply-chain controls: no Dependabot, no audit gate, no SBOM.
Changes
- `.github/dependabot.yml` — weekly updates for npm (production/development grouped), GitHub Actions, and Docker (keeps the pinned base-image digest from #171, "P1: Container hardening — node as PID 1 / tini, HEALTHCHECK, pin digest", fresh).
- `.github/workflows/security.yaml`:
Notes
fast-uri transitives that Dependabot and the Yoga 5 upgrade (#176, "P1: Dependency upgrades — graphql-yoga 4→5, Node 20→22 LTS") will clear. The gate blocks prod criticals today, surfaces everything else, and can be tightened to `high` once #176 lands.
Testing
- `npm audit --omit=dev --audit-level=critical` → exit 0 (the blocking gate passes)
- `prettier --debug-check .` — clean; YAML validated
🤖 Generated with Claude Code
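Worked example of the gate logic the Changes and Notes describe, added here as an illustration; it is not code from this PR or the project. It assumes the JSON shape `npm audit --json` emits on npm 7+ (`vulnerabilities` keyed by package name, each with `severity`, `isDirect`, `via` and `fixAvailable`, plus `metadata.vulnerabilities` counts). The audit result below is constructed to mirror the state the PR reports (0 critical, 4 high, all transitive); the package names in it are placeholders, not real advisories. The threshold is a parameter so the same gate can be tightened from `critical` to `high` later, as the Notes plan, while `findings_at_or_above(audit, "info")` is the informational half that surfaces everything else.

```python
import json
import subprocess
from typing import Any

# Severity ladder npm uses for --audit-level: a finding at or above the
# threshold fails the gate, everything below is reported but non-blocking.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def findings_at_or_above(audit: dict[str, Any], threshold: str) -> list[dict[str, Any]]:
    """Return the vulnerable packages whose severity is >= `threshold`.

    `audit` is parsed `npm audit --json` output (npm 7+ shape, assumed here).
    """
    floor = SEVERITY_ORDER.index(threshold)
    hits = []
    for name, vuln in audit.get("vulnerabilities", {}).items():
        if SEVERITY_ORDER.index(vuln["severity"]) < floor:
            continue
        # "via" mixes advisory objects (dicts) with bare package names
        # (strings) through which the vulnerable range is pulled in.
        path = [v["name"] if isinstance(v, dict) else v for v in vuln.get("via", [])]
        hits.append({
            "name": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect", False)),
            "via": path,
            "fix_available": bool(vuln.get("fixAvailable", False)),
        })
    return hits


def gate(audit: dict[str, Any], fail_on: str = "critical") -> tuple[bool, list[dict[str, Any]]]:
    """Hard gate: passes iff no finding is at or above `fail_on`.

    Returns (passed, blocking_findings) so CI can print the blockers before
    exiting non-zero.
    """
    blocking = findings_at_or_above(audit, fail_on)
    return (len(blocking) == 0, blocking)


def run_production_audit(cwd: str = ".") -> dict[str, Any]:
    """Run the real command against a checkout (not used by the sample below).

    npm exits non-zero whenever it finds anything, so the exit code is ignored
    and the JSON is parsed; the threshold decision belongs to gate().
    """
    proc = subprocess.run(
        ["npm", "audit", "--omit=dev", "--json"],
        cwd=cwd, capture_output=True, text=True, check=False,
    )
    return json.loads(proc.stdout)


# Constructed sample standing in for `npm audit --omit=dev --json` output:
# four highs reached only through transitive deps, one moderate, no critical.
# Package names are placeholders, not real advisories.
SAMPLE_AUDIT = {
    "vulnerabilities": {
        "example-uri-parser": {
            "severity": "high", "isDirect": False, "range": "<1.2.3",
            "via": [{"name": "example-uri-parser", "severity": "high",
                     "title": "ReDoS in URI parsing (constructed)"}],
            "fixAvailable": True,
        },
        "example-otel-exporter": {
            "severity": "high", "isDirect": False, "range": "<0.9.0",
            "via": ["example-uri-parser"], "fixAvailable": True,
        },
        "example-otel-sdk": {
            "severity": "high", "isDirect": False, "range": "<0.9.0",
            "via": ["example-otel-exporter"], "fixAvailable": True,
        },
        "example-otel-instrumentation": {
            "severity": "high", "isDirect": False, "range": "<0.9.0",
            "via": ["example-otel-sdk"], "fixAvailable": True,
        },
        "example-logger": {
            "severity": "moderate", "isDirect": True, "range": "<2.0.0",
            "via": [{"name": "example-logger", "severity": "moderate",
                     "title": "Prototype pollution (constructed)"}],
            "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 1, "high": 4, "critical": 0, "total": 5,
    }},
}


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_AUDIT, "critical")
    print("gate(critical):", "PASS" if passed else "FAIL", blocking)
    for f in findings_at_or_above(SAMPLE_AUDIT, "info"):
        kind = "direct" if f["direct"] else "transitive via " + " > ".join(f["via"])
        print(f"  {f['severity']:<9} {f['name']} ({kind})")
    raise SystemExit(0 if passed else 1)
```

In CI the `__main__` block would call `run_production_audit()` instead of the constructed sample; the exit status is what makes it a gate, and the per-finding listing is the informational audit that stays visible even when the gate passes.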