From ae4e5716d6f7c5ee8d9a4ba144ac4f0f1edc7b08 Mon Sep 17 00:00:00 2001
From: dkijania
Date: Sun, 28 Jun 2026 17:05:47 +0200
Subject: [PATCH] =?UTF-8?q?ci:=20add=20supply-chain=20security=20=E2=80=94?=
 =?UTF-8?q?=20Dependabot,=20npm=20audit=20gate,=20SBOM?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There were no supply-chain controls: no Dependabot, no audit gate, no SBOM.

- `.github/dependabot.yml`: weekly updates for npm (production/development grouped), GitHub Actions, and Docker (keeps the pinned base-image digest fresh).
- `.github/workflows/security.yaml`:
  - npm audit — hard gate on **critical** advisories in production deps (what actually ships), plus a full informational audit. Production deps currently have 0 critical, so the gate passes; the 4 highs are OpenTelemetry/fast-uri transitives that Dependabot / the Yoga 5 upgrade (#176) will clear.
  - CycloneDX SBOM generation, uploaded as an artifact.

Dependency/image vulnerability scanning (Trivy/Grype) is deferred so the scanner action can be verified separately rather than shipped red — Dependabot (npm + docker) already surfaces vulnerable deps and base images in the meantime.

Refs #175.

Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_01QSuak9smCHbp4N17xjjLF6
---
 .github/dependabot.yml | 26 +++++++++++++++++
 .github/workflows/security.yaml | 49 +++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/security.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1737ad6
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+  # Application dependencies. Production and development updates are grouped
+  # separately so security-relevant runtime bumps are easy to review on their own.
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    groups:
+      production-dependencies:
+        dependency-type: production
+      development-dependencies:
+        dependency-type: development
+
+  # Keep CI action versions current and patched.
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: weekly
+
+  # Keep the pinned base-image digest in the Dockerfile fresh.
+  - package-ecosystem: docker
+    directory: '/'
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..d51a485
--- /dev/null
+++ b/.github/workflows/security.yaml
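Review bot: This file configures Dependabot version updates only, yet the commit message relies on "Dependabot (npm + docker)" to surface vulnerable dependencies and base images while the Trivy/Grype scan is deferred; that vulnerability coverage comes from Dependabot alerts and security updates, which are repository settings that `dependabot.yml` does not turn on, and a weekly version-update cadence can trail an advisory by up to a week. Confirm alerts and security updates are enabled for the repository and record that dependency in the file header, e.g. `# Version updates only — vulnerability alerts/security updates are a repo setting; verify they are enabled.` The `docker` entry presumes a Dockerfile at `directory: '/'`, which this diff does not show; worth confirming the path, since a wrong directory leaves the base-image digest refresh the commit message promises doing nothing.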
@@ -0,0 +1,49 @@
+name: Security
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    # Weekly, so advisories on unchanged code are still surfaced.
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  npm-audit:
+    name: npm audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npm ci
+      # Hard gate: fail on critical advisories in what actually ships (prod deps).
+      - name: Audit production dependencies (gate on critical)
+        run: npm audit --omit=dev --audit-level=critical
+      # Informational: surface the full picture (incl. dev tooling) without blocking.
+      - name: Full audit (informational)
+        run: npm audit || true
+
+  sbom:
+    name: SBOM
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Generate CycloneDX SBOM
+        continue-on-error: true
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          format: cyclonedx-json
+          output-file: sbom.cyclonedx.json
+      - name: Upload SBOM artifact
+        continue-on-error: true
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.cyclonedx.json
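Review bot: Every `uses:` in this workflow references a mutable tag — `actions/checkout@v4`, `actions/setup-node@v4`, `anchore/sbom-action@v0` and `actions/upload-artifact@v4` — so the workflow that introduces the repo's supply-chain controls is itself one tag retarget away from running someone else's code; pin each action to its full commit SHA with the version as a trailing comment (`uses: actions/checkout@<full-40-hex-sha> # v4.x.y`), which the github-actions entry added in this same commit will keep current. The `continue-on-error: true` on both SBOM steps means the `sbom` job stays green when no SBOM is produced at all, and an absent `sbom.cyclonedx.json` only draws a warning from upload-artifact under its default `if-no-files-found: warn`; if the intent is not to block on the third-party generator yet, keep `continue-on-error` on the generate step only, drop it from the upload step and add `if-no-files-found: error` under that step's `with:` so a missing SBOM is at least visible. The critical-only threshold on `--audit-level=critical` is explained in the commit message but not in the file; I'd extend the step comment with `# Critical-only until the OpenTelemetry/fast-uri transitives (#176) are cleared — then tighten to high.` so the gate isn't read as the intended steady state.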