
ci: standardize security posture (gitleaks + dependency-review + scorecard, explicit permissions)#576

Merged
CybotTM merged 1 commit into main from ci/standardize-security-posture on Jun 17, 2026

Conversation

@CybotTM CybotTM commented Jun 17, 2026

Member

Standardizes the Security workflow to the netresearch posture used by the other repo classes:

  • gitleaks — secret scanning
  • dependency-review — runs on PRs
  • scorecard.yml — OpenSSF supply-chain posture (new file)
  • existing node-audit kept (yarn / high)

Every reusable caller job declares its exact permission union under a top-level permissions: {}, so the token passed to each reusable is explicit and never relies on default_workflow_permissions — making the planned org-wide default→read flip safe. Custom codeql.yml is unchanged.

…rmissions

Bring the Security workflow to the standard netresearch posture: secret
scanning (gitleaks), dependency review on PRs, and OpenSSF Scorecard,
alongside the existing Node.js audit. Every reusable caller job declares
its exact permission union (top-level `permissions: {}`), so the token is
explicit and never relies on the repository default.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
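The permissions model the description above relies on, shown as an added example rather than as the netresearch workflow files themselves. The two reusable-workflow paths are the ones the dependency-review report on this PR lists; the scope set granted to each job, the `yarn audit` invocation and the layout of the scorecard job are assumptions (the scorecard job follows the shape in the ossf/scorecard-action README), not copied from the merged files. The commented-out block at the top is the assumed "before" form that the PR replaces.

```yaml
# Added example, not the merged netresearch workflow. Illustrates the pattern
# the PR describes: an empty top-level permissions block plus an explicit
# per-job grant for every job that calls a reusable workflow.
#
# --- BEFORE (assumed weak form) ------------------------------------------
# name: Security
# on: [push, pull_request]
# jobs:
#   gitleaks:
#     uses: netresearch/.github/.github/workflows/gitleaks.yml@main
#   # No `permissions:` anywhere: the token handed to the reusable workflow is
#   # whatever default_workflow_permissions says (read or write), so flipping
#   # that org/repo default silently changes what this job may do.
#
# --- AFTER: .github/workflows/security.yml --------------------------------
name: Security

on:
  push:
    branches: [main]
  pull_request:

# Start from nothing. A job that declares no block of its own gets no token
# scopes at all, whatever default_workflow_permissions is set to.
permissions: {}

jobs:
  gitleaks:
    # Reusable paths as listed in the dependency-review report on this PR.
    # The scopes below are assumptions about what each reusable needs.
    uses: netresearch/.github/.github/workflows/gitleaks.yml@main
    permissions:
      contents: read          # clone and scan history

  dependency-review:
    if: github.event_name == 'pull_request'
    uses: netresearch/.github/.github/workflows/dependency-review.yml@main
    permissions:
      contents: read          # diff the dependency manifests
      pull-requests: write    # post the review summary comment

  node-audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only; nothing is written back
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Assumed Yarn 1 syntax for "yarn / high"; Yarn Berry uses
      # `yarn npm audit --severity high` instead.
      - run: yarn audit --level high

---
# --- AFTER: .github/workflows/scorecard.yml (assumed shape) ---------------
name: Scorecard

on:
  branch_protection_rule:
  schedule:
    - cron: '30 3 * * 1'
  push:
    branches: [main]

permissions: {}

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # upload the SARIF to code scanning
      id-token: write         # publish_results signs with the OIDC token
      contents: read
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: ossf/scorecard-action@v2.4.0   # pin to a commit SHA in a real repo
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two checks worth keeping in mind when applying this pattern. First, a reusable workflow can only narrow the token it is handed: if a job inside the called workflow asks for a scope the caller did not pass, the run fails at the permissions check, so the per-job block is the exact union of what the callee's jobs need and nothing more. Second, the `@main` references are mutable; the OpenSSF Scorecard output on this very PR reports them as "Unknown", and its pinned-dependencies check will keep flagging them until they point at a commit SHA.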
@gemini-code-assist


Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

github-actions Bot commented Jun 17, 2026

Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/security.yml

Package                                                      Version  License  Issue Type
netresearch/.github/.github/workflows/dependency-review.yml  main     Null     Unknown License
netresearch/.github/.github/workflows/gitleaks.yml           main     Null     Unknown License

OpenSSF Scorecard

Package                                                              Version  Score    Details
actions/netresearch/.github/.github/workflows/dependency-review.yml  main     Unknown  Unknown
actions/netresearch/.github/.github/workflows/gitleaks.yml           main     Unknown  Unknown

Scanned Files

  • .github/workflows/security.yml

@CybotTM CybotTM closed this Jun 17, 2026
@CybotTM CybotTM reopened this Jun 17, 2026
@CybotTM CybotTM closed this Jun 17, 2026
@CybotTM CybotTM reopened this Jun 17, 2026
@sonarqubecloud


Quality Gate failed

Failed conditions
3 Security Hotspots

See analysis details on SonarQube Cloud

@CybotTM CybotTM merged commit dac6941 into main Jun 17, 2026
26 of 29 checks passed
@CybotTM CybotTM deleted the ci/standardize-security-posture branch June 17, 2026 07:40