From a170065e26e655fb27e8e9337a1ad494b18d1e5f Mon Sep 17 00:00:00 2001 From: Jeff Otterson <263774940+Jott2121@users.noreply.github.com> Date: Wed, 17 Jun 2026 17:51:33 -0600 Subject: [PATCH] ci: add CodeQL + Dependabot + SECURITY; harden CI (least-priv + SHA-pin) Uniform reliability/security standard, adapted for a docs/case-study repo (no test suite, so no coverage gate): - codeql.yml: security-extended SAST over the published snippets - dependabot.yml: weekly github-actions updates - ci.yml: least-privilege permissions + actions pinned to commit SHAs; existing compile-check + em-dash style gate + advisory markdownlint preserved - SECURITY.md: private vuln disclosure policy (em-dash-free per house style) - README: CodeQL badge Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/ci.yml | 7 +++++-- .github/workflows/codeql.yml | 35 +++++++++++++++++++++++++++++++++++ README.md | 1 + SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++ 5 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 SECURITY.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..165cb5c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + # GitHub Actions — keeps the SHA-pinned actions current + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + groups: + actions: + patterns: ["*"] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4423164..6b054f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -5,13 +5,16 @@ on: branches: [main] pull_request: +permissions: + contents: read + jobs: checks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..10afb38 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,35 @@ +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: "27 3 * * 1" # weekly, Monday 03:27 UTC + +permissions: + contents: read + +jobs: + analyze: + name: Analyze (python) + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 + with: + languages: python + queries: security-extended + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3 + with: + category: "/language:python" diff --git a/README.md b/README.md index 73901e2..b9cb8d8 100644 --- a/README.md +++ b/README.md 
@@ -3,6 +3,7 @@ [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) [![Python](https://img.shields.io/badge/Python-3.11+-3776AB?logo=python&logoColor=white)](https://www.python.org/) [![CI](https://github.com/Jott2121/bow/actions/workflows/ci.yml/badge.svg)](https://github.com/Jott2121/bow/actions/workflows/ci.yml) +[![CodeQL](https://github.com/Jott2121/bow/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jott2121/bow/actions/workflows/codeql.yml) [![private test suite](https://img.shields.io/badge/private%20test%20suite-382%20tests%20(June%202026)-informational.svg)](docs/CASE-STUDY.md) [![built with](https://img.shields.io/badge/built%20with-Claude%20Opus%204.8-blueviolet.svg)](docs/FLEET-MODE.md) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..cac25f9 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,36 @@ +# Security Policy + +## Supported versions + +This repository is a sanitized public case study and a small set of illustrative +code snippets. Fixes target the latest version on the `main` branch. + +| Version | Supported | +| ---------------- | --------- | +| latest (`main`) | yes | +| older tags | no | + +## Reporting a vulnerability + +Please do not open a public issue for security vulnerabilities. + +Report privately through GitHub's +[Report a vulnerability](https://github.com/Jott2121/bow/security/advisories/new) +flow (the repository's Security and Advisories tab). I aim to acknowledge reports +within 72 hours and to ship a fix or mitigation for confirmed issues as quickly +as is practical. + +When reporting, please include: + +- a description of the issue and its impact, +- steps to reproduce (a minimal proof of concept if possible), and +- any suggested remediation. + +## Scope + +The published snippets are illustrative (resilience, scheduling, single writer +dispatch). Findings of interest include unsafe file or process handling in the +snippets and supply chain risks in CI. This repository pins its GitHub Actions to +commit SHAs and runs CodeQL and Dependabot to reduce that surface. + +Thanks for helping keep it solid.
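Review bot: the comment `# GitHub Actions — keeps the SHA-pinned actions current` in the new `.github/dependabot.yml` contains an em dash, while this same commit describes an em-dash style gate in ci.yml and writes SECURITY.md "em-dash-free per house style"; rewrite it as `# GitHub Actions: keeps the SHA-pinned actions current` so the file follows the convention the change itself establishes, whether or not the gate currently scans YAML. The `groups: actions: patterns: ["*"]` block is the right choice alongside SHA pinning, since every action bump arrives in one PR instead of five separate ones against the `open-pull-requests-limit: 5` budget.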
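Review bot: the pin comments in the ci.yml hunk, `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` and `actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5`, name a floating major tag rather than the exact release the SHA was taken from, so a reviewer cannot confirm the hash matches the claimed version without resolving it by hand; record the exact tag in the comment instead (the `# vMAJOR` form is what the README badge uses for Python, not what a SHA pin should carry). This costs nothing to maintain, because Dependabot rewrites the trailing version comment when it bumps the SHA. The workflow-level `permissions: contents: read` is the right scope for a job that only checks out, compiles and lints.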
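Review bot: the job-level `actions: read` in codeql.yml is only required for workflows in private repositories (it is the same line the CodeQL starter template marks that way), and the README badge URLs under `github.com/Jott2121/bow` show this repository is public, so in a commit titled "least-priv" it should be dropped, or kept with the starter template's comment explaining why it is there. The top-level `permissions: contents: read` is harmless but redundant, since the `analyze` job restates `contents: read` in its own block and the job block is what takes effect. `languages: python` with `queries: security-extended` and no build step is correct for interpreted snippets; expect a higher false-positive rate than the default suite, which is acceptable for a scan that gates nothing.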
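Review bot: the CodeQL badge added to README.md reports whether the `codeql.yml` workflow run succeeded, not whether it found anything; a run that uploads alerts still renders as passing, because the findings land in the repository's Security tab under code scanning rather than in the job status. If the badge is meant to signal "no open CodeQL alerts", say so in the README text next to it or link to the code scanning alerts page, since on its own it only proves the scan ran.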
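Review bot: the reporting path in SECURITY.md relies entirely on `https://github.com/Jott2121/bow/security/advisories/new`, which only accepts reports when "Private vulnerability reporting" is enabled in the repository's Security settings; confirm it is enabled before this merges, and add a fallback contact for the case where it is not, or reporters with a real finding are left with the public issue tracker the policy asks them not to use. The policy also sets a 72-hour acknowledgement target but gives reporters no expectation about disclosure timing; one sentence stating when a reporter may publish after a fix ships (or after a fixed period without one) makes the coordinated-disclosure bargain explicit. The `Scope` paragraph's claims (SHA-pinned actions, CodeQL, Dependabot) match the files in this commit.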