Skip to content

Add security policy, CI pipeline, and branch protection#1

Merged
VV1NN merged 3 commits into
mainfrom
security-hardening
Apr 16, 2026
Merged

Add security policy, CI pipeline, and branch protection#1
VV1NN merged 3 commits into
mainfrom
security-hardening

Conversation

@VV1NN

@VV1NN VV1NN commented Apr 16, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add SECURITY.md with responsible disclosure policy
  • Add GitHub Actions workflow (security.yml) that runs on every push/PR:
    • ShellCheck — lint install.sh for shell script issues
    • gitleaks — scan git history for leaked secrets
    • OpenSSF Scorecard — track project security score over time
  • Branch protection enabled on main:
    • Require pull request with 1 approving review
    • Require ShellCheck + Secret Scanning to pass
    • Dismiss stale reviews on new pushes

Test plan

  • GitHub Actions workflow triggers on this PR
  • ShellCheck passes on install.sh
  • gitleaks reports no secrets
  • Scorecard runs without errors
  • SECURITY.md renders correctly on GitHub

🤖 Generated with Claude Code

- SECURITY.md: responsible disclosure policy with scope definition
- .github/workflows/security.yml: ShellCheck, gitleaks, OpenSSF Scorecard
- Branch protection enabled on main (require PR + review + status checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/security.yml Fixed
Comment thread .github/workflows/security.yml Fixed
Comment thread .github/workflows/security.yml Fixed
Comment thread .github/workflows/security.yml Fixed
Comment thread .github/workflows/security.yml Fixed
Comment thread .github/workflows/security.yml Fixed
Comment thread .github/workflows/security.yml Fixed
VV1NN and others added 2 commits April 16, 2026 11:54
…dling

Review feedback addressed:
- README language changed from "finished product" to honest MVP status
- Added "Known Limitations" section to both READMEs
- Added "Tested With" section with real test results and bugs found
- Added "Requirements" section (frontmatter, git, bash)
- Feature descriptions use "best-effort" / "heuristic" language
- Added error handling rules to SKILL.md (missing frontmatter, empty
  files, non-standard layouts, private repos, shell compatibility)
- Scan scripts now handle missing name/description gracefully with
  fallback to directory name and "(no description available)"
- Fixed repo URL casing: vv1n -> VV1NN throughout
- Moved "How It Works" section before features to set expectations
- Added notes under --check and --diff examples about limitations

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes 7 Scorecard/Pinned-Dependencies alerts from GitHub Code Scanning.
All actions now pinned to exact SHA with version comment:

- actions/checkout@34e1148 (v4)
- ludeeus/action-shellcheck@00cae50 (v2.0.0)
- gitleaks/gitleaks-action@dcedce4 (v2)
- ossf/scorecard-action@ea651e6 (v2.4.1)
- github/codeql-action@865f5f5 (v3)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@VV1NN VV1NN merged commit 58ef606 into main Apr 16, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants