docs: add commit signing and Socket.dev to CLAUDE.md and SECURITY.md

Aureliolo · Aureliolo · commit e2959cd92f76 · 2026-03-13T15:03:00.000+01:00
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -39,12 +39,13 @@ This project is designed to handle LLM API keys, sandboxed code execution, and a
 - **Secret scanning** and **push protection** enabled on the repository
 - **Gitleaks** pre-commit hook prevents committing secrets locally + weekly CI workflow
 
-### Dependency Scanning
+### Dependency & Supply Chain Scanning
 
 - **Dependabot** monitors dependencies for known vulnerabilities (daily, uv + github-actions + docker)
 - **Dependency review** runs on every pull request (license allow-list, PR comment summaries)
 - **pip-audit** scans Python dependencies for known vulnerabilities (every PR + weekly scheduled workflow)
 - **npm audit** scans Node.js dependencies for known vulnerabilities (every PR, critical + high severity)
+- **Socket.dev** GitHub App detects supply chain attacks on PRs (typosquatting, malware, suspicious ownership changes, obfuscated code)
 
 ### Container & Infrastructure Security
 
@@ -61,6 +62,7 @@ This project is designed to handle LLM API keys, sandboxed code execution, and a
 - All workflow actions pinned by full SHA with version comments
 - `permissions: {}` at workflow level with least-privilege per job
 - `persist-credentials: false` on all `actions/checkout` steps
+- **Signed commits** required on `main` via branch protection
 
 ### Dynamic Application Security Testing (DAST)
 
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -181,6 +181,7 @@ web/              # Vue 3 + PrimeVue + Tailwind CSS dashboard
 
 - **Commits**: `<type>: <description>` — types: feat, fix, refactor, docs, test, chore, perf, ci
 - **Enforced by**: commitizen (commit-msg hook)
+- **Signed commits**: required on `main` via branch protection — all commits must be GPG/SSH signed
 - **Branches**: `<type>/<slug>` from main
 - **Pre-commit hooks**: trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-json, check-merge-conflict, check-added-large-files, no-commit-to-branch (main), ruff check+format, gitleaks, hadolint (Dockerfile linting)
 - **Pre-push hooks**: mypy type-check + pytest unit tests (fast gate before push, skipped in CI — dedicated jobs already run these)
@@ -228,6 +229,7 @@ web/              # Vue 3 + PrimeVue + Tailwind CSS dashboard
 - **Workflow security**: `.github/workflows/zizmor.yml` — zizmor static analysis of GitHub Actions workflows on push to main and PRs (triggers only when workflow files change), SARIF upload to Security tab on push events only (fork PRs lack `security-events: write`)
 - **OSSF Scorecard**: `.github/workflows/scorecard.yml` — supply chain maturity scoring on push to main + weekly schedule. SARIF upload to Security tab. Contributes to OpenSSF ecosystem data via `publish_results: true`.
 - **DAST**: `.github/workflows/dast.yml` — ZAP API scan against the backend OpenAPI spec on push to main + weekly schedule. Builds backend image locally, starts container, runs ZAP, uploads SARIF to Security tab. Not on PRs (too slow).
+- **Socket.dev**: GitHub App — supply chain attack detection on PRs (typosquatting, malware, suspicious ownership changes, obfuscated code). No config file needed, auto-comments on PRs.
 - **Release**: `.github/workflows/release.yml` — Release Please (Google) auto-creates a release PR on every push to main. Merging the release PR creates a git tag (`vX.Y.Z`) + GitHub Release with changelog. Tag push triggers the Docker workflow to build version-tagged images. Uses `RELEASE_PLEASE_TOKEN` secret (PAT/GitHub App token) so tag creation triggers downstream workflows (GITHUB_TOKEN cannot). Config in `.github/release-please-config.json` and `.github/.release-please-manifest.json`.
 
 ## Dependencies
