
feat(#518): harden framework security scanning (CodeQL + Scorecard + Dependabot + SECURITY.md + release-artifact guard)#523

Merged
atlas-apex merged 1 commit into dev from feature/GH-518-harden-security-scanning on Jun 6, 2026

Conversation

@atlas-apex

Collaborator

Summary

  • Dog-foods the strongest security posture on the framework's own repo — we ship security tooling to adopters, so the public framework repo should run the best free-for-public-repos version of it. Adds the code-expressible half now; the GitHub-native settings are a short operator checklist below.
  • CodeQL (.github/workflows/codeql.yml) — actions + javascript-typescript matrix (CodeQL doesn't analyse bash — that stays on the existing Semgrep r/bash job — but it now covers the GitHub Actions workflows themselves and site/copy-for-ai.js). security-extended queries; results to the Code scanning tab.
  • OSSF Scorecard (.github/workflows/scorecard.yml) + a live README badge — weekly supply-chain posture (branch protection, token scope, pinned actions, dangerous-workflow patterns).
  • Dependabot (.github/dependabot.yml) — github-actions ecosystem weekly. That's the repo's only real dependency surface (no package.json/requirements.txt/go.mod); the config is structured so a future manifest just adds an ecosystem.
  • SECURITY.md — private vulnerability-reporting policy (GitHub private advisories), supported-versions table tied to the release-cut model, scope in/out.
  • Release-artifact content guard — extract-subpacks-on-release.yml now scans the built marketplace/ bundle (filesystem, not git history) with gitleaks and placeholder-diffs any bundled onboarding.yaml against onboarding.example.yaml (reusing [Feature] Keep onboarding config out of git: example-file + gitignore + commit-time guard #517's signal), failing the build before publish. Closes the "secrets/config shipped inside a release artifact" gap.

Deliberately NOT added (with reasons)

  • Broadening Semgrep beyond r/bash — the repo has no real JS/TS app source (only a static site/copy-for-ai.js), which CodeQL javascript-typescript now covers. Adding JS Semgrep rulesets would be noise on an empty surface.
  • Full-history secret sweep — already runs: the existing security-scan.yml gitleaks job checks out with fetch-depth: 0 (full history). No new job needed.

⚠️ Operator checklist — GitHub-native settings (can't be set from code)

These are repo Settings toggles, externally-visible on the public repo. Per your call, I did not flip them via gh api; please enable them in Settings → Code security:

  • Secret scanning + Push protection (free for public repos)
  • Code scanning — confirm CodeQL default/advanced setup is enabled (this PR adds the workflow; verify it's not disabled by a default-setup conflict)
  • Dependabot alerts + security updates (the dependabot.yml here covers version updates; alerts are a settings toggle)

#518 stays partially open until the four boxes above are ticked — hence Refs #518, not Closes.

Testing

  1. python3 yaml.safe_load on all four workflow/config files → valid.
  2. actionlint on the three workflows → no errors (only pre-existing shellcheck-style notes in the untouched summary block).
  3. bash -n on the artifact-guard run block (docker + process-substitution idiom) → parses clean.
  4. markdownlint clean on SECURITY.md + the AgDR.
  5. The CodeQL/Scorecard runs themselves will execute once merged (they need the workflows on the default branch / a real run).

Refs #518


Glossary

| Term | Definition |
| --- | --- |
| CodeQL | GitHub's semantic code-scanning engine; the actions language scans workflow files, javascript-typescript scans JS/TS. |
| OSSF Scorecard | Open-source supply-chain security posture score (branch protection, token scope, pinned deps, etc.). |
| Push protection | GitHub feature that blocks a push containing a detected secret (a Settings toggle, not a workflow). |
| Dependabot | Automated dependency update PRs (config here) + vulnerability alerts (a Settings toggle). |
| Release-artifact guard | A scan of the built/published bundle — not just source — for secrets and filled-in config. |
| Placeholder-diff | Detecting filled-in config by comparing it against the shipped *.example placeholders (from #517). |

- CodeQL (.github/workflows/codeql.yml) — actions + javascript-typescript
  (bash stays on Semgrep r/bash); results to code-scanning
- OSSF Scorecard (.github/workflows/scorecard.yml) + README badge
- Dependabot (.github/dependabot.yml) — github-actions ecosystem (the repo's
  only dependency surface; no package manifests)
- SECURITY.md — private vulnerability reporting + supported versions
- Release-artifact content guard: extract-subpacks-on-release.yml now scans the
  built marketplace/ bundle with gitleaks (filesystem) + placeholder-diffs any
  bundled onboarding.yaml vs onboarding.example.yaml (#517), failing pre-publish
- Decision recorded in AgDR-0065

Note: the GitHub-native settings (secret scanning + push protection, code-scanning
default setup, Dependabot alerts) can't be set from code — delivered as an operator
checklist in the PR. Full-history secret sweep already runs via the existing
gitleaks job. This PR closes the code-expressible ACs; the settings ACs stay open.

Refs #518

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

```yaml
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2
```

@atlas-apex atlas-apex left a comment

Collaborator Author


Code Review: PR #523

Commit: 1677b66dd5fc511091eab856e0ba2fcdf75081d1

Summary

Dog-foods the framework repo's own security posture: adds CodeQL (actions + javascript-typescript matrix), OSSF Scorecard + README badge, Dependabot (github-actions ecosystem), SECURITY.md, a release-artifact content guard in extract-subpacks-on-release.yml, and AgDR-0065. The GitHub-native settings half (secret scanning / push protection / Dependabot alerts / code-scanning default-setup) is honestly deferred to an operator checklist, hence Refs #518 not Closes.

Checklist Results

  • Architecture & Design: Pass
  • Code Quality: Pass
  • Testing: Pass (workflows validate; CodeQL actions job already green on this SHA)
  • Security: Pass
  • Performance: Pass (weekly cron + push/PR cadence is conventional)
  • PR Description & Glossary: Pass (6-row glossary, clear deferred-scope disclosure)
  • Summary Bullet Narrative: Pass (every bullet is what + why)
  • Technical Decisions (AgDR): Pass (AgDR-0065 linked; numbering clean — 0063/0064 exist on dev, 0065 is next free)
  • Adopter Handbooks: N/A (no migration files, no domain code, no TS/Py/Go/Rust source in diff)

Issues Found

None.

Verification performed

  1. CodeQL permissions — top-level contents: read, job escalates to security-events: write (required for SARIF upload) + contents: read. Least-privilege, correct. fail-fast: false matrix is right so one language failure doesn't mask the other.
  2. Scorecard permissions — security-events: write (upload-sarif) + id-token: write (required for publish_results: true → the README badge) + contents: read. Exactly the documented Scorecard scope, nothing broader. persist-credentials: false on checkout is the recommended Scorecard hardening. Correct.
  3. Dependabot schema — version: 2, github-actions, directory: "/", weekly/monday, PR limit 5. Valid; github-actions is genuinely the repo's only real dependency surface (no package manifests), and the comment documents the "add an ecosystem when a manifest appears" extension path.
  4. Artifact-guard — gitleaks pinned to ghcr.io/gitleaks/gitleaks:v8.18.4; detect --no-git --source /repo/marketplace --redact --exit-code 1 is the correct filesystem-mode invocation (no git history needed for a built bundle). The placeholder-diff loop uses process substitution < <(find ...), which requires bash — GitHub run: defaults to bash on ubuntu-latest, so this is safe. The [ -f onboarding.example.yaml ] guard degrades gracefully (confirmed the file exists at repo root on this SHA, from #517). diff -q against the example fails the build unless byte-identical to the placeholder — correct semantics.
  5. Honest scope — the deferred items (secret scanning, push protection, code-scanning default-setup, Dependabot alerts) are genuinely GitHub Settings toggles that cannot be expressed in committed files. The "Deliberately NOT added" and "Operator checklist" sections disclose this clearly, and the AgDR's Options table records why the agent did not flip them via gh api (externally-visible admin change, wrong actor). Legitimately not-code; Refs #518 is the correct linkage.
  6. Pinning posture — all actions pinned by tag (@v4/@v3/@v2), matching the existing security-scan.yml convention. Consistent with repo norms.
  7. Commit-message-quality handbook (advisory) — HEAD commit has a substantive multi-bullet body explaining what + why and references the ticket. No finding.

Suggestions (non-blocking)

  • suggestion: Tag-pinning (@v4 etc.) matches repo convention and is fine to merge as-is, but Scorecard's own "Pinned-Dependencies" check will recommend SHA-pinning for the new workflows once it runs. Consider a follow-up to SHA-pin all workflow actions repo-wide to lift that score — best handled as one sweep across every workflow, not piecemeal here.

Verdict

APPROVED

The workflows are correct and least-privilege, the artifact guard's bash idioms are safe under GitHub's default shell, the deferred scope is honestly disclosed as non-code, and AgDR + glossary + narrative summary all check out. CI is green on this SHA (CodeQL actions passed; JS/TS analyze pending is expected first-run behaviour). Author is the maintainer, so submitting as a comment-approval.


🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: 1677b66dd5fc511091eab856e0ba2fcdf75081d1
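Added example (not the PR's or the project's own workflow code): the placeholder-diff half of the release-artifact guard that the Summary bullet and verification item 4 describe, exercised over a constructed marketplace/ bundle with one clean and one filled-in onboarding.yaml. It assumes the paths the PR names (marketplace/, onboarding.yaml, onboarding.example.yaml); the function and fixture names are hypothetical, and it feeds find's output through a temp file instead of bash's `< <(find ...)` so it also runs under plain sh.

```shell
#!/bin/sh
# Added example, not the project's workflow code. The real step runs under bash in
# extract-subpacks-on-release.yml with process substitution; this portable version
# uses a temp file so it also works under plain sh. Paths follow the PR text.

# Usage: placeholder_diff_guard BUNDLE_DIR EXAMPLE_FILE
# Returns 0 when every bundled onboarding.yaml is byte-identical to the placeholder
# (or when no example file exists to compare against), 1 when any copy was filled in.
placeholder_diff_guard() {
    bundle="$1"
    example="$2"
    # Same graceful degradation as the workflow's [ -f onboarding.example.yaml ] guard.
    if [ ! -f "$example" ]; then
        echo "placeholder-diff: no $example found, skipping" >&2
        return 0
    fi
    list=$(mktemp)
    find "$bundle" -type f -name onboarding.yaml > "$list"
    bad=0
    while IFS= read -r f; do
        # diff -q fails unless the bundled file is byte-identical to the placeholder.
        if diff -q "$example" "$f" >/dev/null; then
            echo "ok      $f"
        else
            echo "FILLED  $f differs from $example; must not ship" >&2
            bad=1
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# Constructed fixture (hypothetical content): a tiny bundle with one untouched
# placeholder copy (pack-a) and one filled-in copy (pack-b) that must fail the guard.
make_fixture() {
    root=$(mktemp -d)
    printf 'api_token: REPLACE_ME\norg: example-org\n' > "$root/onboarding.example.yaml"
    mkdir -p "$root/marketplace/pack-a" "$root/marketplace/pack-b"
    cp "$root/onboarding.example.yaml" "$root/marketplace/pack-a/onboarding.yaml"
    printf 'api_token: constructed-filled-in-value-0123\norg: example-org\n' \
        > "$root/marketplace/pack-b/onboarding.yaml"
    echo "$root"
}
```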

@atlas-apex atlas-apex merged commit f617039 into dev Jun 6, 2026
6 checks passed
@atlas-apex atlas-apex deleted the feature/GH-518-harden-security-scanning branch June 6, 2026 11:11