Skip to content

Harden CI/security: CodeQL + Dependabot + coverage gate + SECURITY#1

Merged
Jott2121 merged 1 commit into
mainfrom
harden/ci-security
Jun 17, 2026
Merged

Harden CI/security: CodeQL + Dependabot + coverage gate + SECURITY#1
Jott2121 merged 1 commit into
mainfrom
harden/ci-security

Conversation

@Jott2121

Copy link
Copy Markdown
Owner

Applies the uniform reliability/security standard (proven on agent-gate). Adapted for this repo's shape: tests live in scripts/, so coverage targets the receipt-writer script (test files omitted), and Dependabot covers github-actions only (no pip manifest here).

Added

  • CodeQL (security-extended) → Security tab
  • Dependabot — weekly github-actions
  • Coverage gate--cov=scripts --cov-fail-under=85 on Python 3.11–3.12 (measured 92% on append_receipt.py) + self-contained coverage badge/PR-comment
  • SECURITY.md — private disclosure policy
  • Supply-chain — least-privilege permissions:; Actions pinned to commit SHAs
  • README — first badge row + Reliability & security section

Verified locally

pytest scripts/ --cov=scripts --cov-fail-under=85 → pass 92%, 10 tests · coverage-json clean · YAML valid.

🤖 Generated with Claude Code

…o SHAs

Uniform reliability/security standard (template proven on agent-gate):
- codeql.yml: security-extended SAST on push/PR/weekly
- dependabot.yml: weekly github-actions updates (no pip manifest in this repo)
- ci.yml: coverage gate on the receipt-writer script (--cov=scripts --cov-fail-under=85;
  92% covered, test files omitted via .coveragerc) + self-contained coverage badge job;
  least-priv perms; SHA-pinned actions
- SECURITY.md: private vuln disclosure policy
- README: first badge row (CI/CodeQL/coverage/license/python) + Reliability & security

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Coverage report

This PR does not seem to contain any modification to coverable code.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Jott2121 Jott2121 merged commit 9cf0279 into main Jun 17, 2026
5 checks passed
@Jott2121 Jott2121 deleted the harden/ci-security branch June 17, 2026 23:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants