chore: repo-wide security hardening — ZAP, Scorecard, and CodeQL fixes #356
Closed
Labels
- prio:high: Important, should be prioritized
- scope:large: 3+ days of work
- spec:security: DESIGN_SPEC Section 12 - Security & Approval System
- type:chore: Maintenance, cleanup, dependency updates
Description
Context
Audit of ZAP DAST scan, OSSF Scorecard, and CodeQL alerts revealed several untracked hardening items. All items below are code-changeable fixes (admin-only settings like rulesets and GitHub security toggles are handled separately).
Acceptance Criteria
Scorecard fixes
- Pin sandbox Dockerfile images by digest — `docker/sandbox/Dockerfile` uses `node:22-slim` and `python:3.14-slim` without `@sha256:...` digests (backend + web Dockerfiles already pinned)
- Pin wrangler install by npm hash — `.github/workflows/pages-preview.yml:236` uses `npm i --no-save wrangler@3.114.17` which Scorecard flags as unpinned npmCommand
ZAP DAST fixes
- Return 404 for unmatched routes — `exception_handlers.py` catches `Exception` (including Litestar's `NotFoundException`) and returns 500. Add explicit `NotFoundException` handler → 404
- Add `Cross-Origin-Resource-Policy: same-origin` header — missing from `app.py` `response_headers` list (other security headers already present)
- Add `Cache-Control` headers — `/health` and `/openapi.json` have no cache directives. Add `no-store` for health, short `max-age` for OpenAPI schema
- Suppress ZAP auto-created issues — ZAP action creates issue ZAP API Scan Report #355 on every run; set `issue_action: false` in workflow to use artifacts only
CodeQL fixes
- Suppress js/log-injection false positives — `web/src/stores/websocket.ts:92,100` already use `sanitizeForLog()` but CodeQL doesn't recognize it. Add CodeQL suppression comments or a custom `.github/codeql/config`
- Suppress untrusted-checkout alert — `pages-preview.yml:94` already mitigated (no secrets, `persist-credentials:false`). Add CodeQL inline suppression
Notes
- Items already verified as fixed: API key hashing (HMAC-SHA256), CHANGELOG duplicates, CODEOWNERS, backend/web Dockerfile digest pinning
- Admin-only items (rulesets, GitHub security settings) tracked separately
- Existing related issues: security: replace JWT query parameter with one-time ticket for WebSocket auth #343 (WebSocket JWT), feat: add host/IP allowlisting for git clone URLs (SSRF prevention) #221 (SSRF prevention), fix: resolve OpenAPI schema validation warnings for union/optional fields #268 (OpenAPI warnings)
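
A regression check for the 404, `Cross-Origin-Resource-Policy` and `Cache-Control` items under "ZAP DAST fixes", as an added example that is not part of the original issue or the project's code. The response tuple shape, the 300-second ceiling for "short" `max-age`, and the sample responses (including the `X-Content-Type-Options` header) are assumptions constructed for illustration.

```python
# Added example: audit captured HTTP responses against the ZAP DAST criteria.
OPENAPI_MAX_AGE_LIMIT = 300  # assumption: "short" means at most 5 minutes


def cache_directives(headers):
    """Parse Cache-Control (lowercased header dict) into {directive: value-or-None}."""
    out = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip('"') or None
    return out


def audit(responses):
    """responses: list of (path, status, headers, route_exists). Returns findings."""
    findings = []
    for path, status, headers, route_exists in responses:
        h = {k.lower(): v for k, v in headers.items()}
        if not route_exists and status != 404:
            findings.append(f"{path}: unmatched route returned {status}, expected 404")
        if h.get("cross-origin-resource-policy", "").strip().lower() != "same-origin":
            findings.append(f"{path}: missing Cross-Origin-Resource-Policy: same-origin")
        cc = cache_directives(h)
        if path == "/health" and "no-store" not in cc:
            findings.append(f"{path}: Cache-Control lacks no-store")
        if path == "/openapi.json":
            age = cc.get("max-age")
            if age is None or not age.isdigit() or int(age) > OPENAPI_MAX_AGE_LIMIT:
                findings.append(f"{path}: Cache-Control lacks a short max-age")
    return findings


# Constructed samples: the behaviour the issue describes, then the intended result.
CORP = {"Cross-Origin-Resource-Policy": "same-origin"}
BEFORE = [
    ("/no-such-route", 500, {"X-Content-Type-Options": "nosniff"}, False),
    ("/health", 200, {"X-Content-Type-Options": "nosniff"}, True),
    ("/openapi.json", 200, {"X-Content-Type-Options": "nosniff"}, True),
]
AFTER = [
    ("/no-such-route", 404, dict(CORP), False),
    ("/health", 200, {**CORP, "Cache-Control": "no-store"}, True),
    ("/openapi.json", 200, {**CORP, "Cache-Control": "public, max-age=300"}, True),
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample))
```

The same `audit()` function can be fed responses collected by a test client in CI so the ZAP findings fail a unit test before the DAST scan runs.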