Context
Track: B — Org/infrastructure governance
Pillar: 6 — Enterprise Governance & Observability
Parent: (see GitHub Actions platform security parent)
Why top-down governance
Individual workflow hygiene (SHA pinning, `permissions:` blocks) degrades without enforcement. Developers rotate, repos multiply, and without org-level policies the standards drift. Governance closes the gap between what the standards say and what actually runs in production.
1. Org rulesets
Rulesets replace branch protection rules with centrally managed, inheritance-aware policies applied from the org level to all repos.
Required workflows
Enforce that every repo runs the Sparkgeo security baseline without the repo needing to opt in:
```text
Org Settings → Rules → Rulesets → New ruleset → Require workflows

Required workflows:
  sparkgeo/github-actions/.github/workflows/secrets-precommit.yml@main   (cross-ref #23)
  sparkgeo/github-actions/.github/workflows/secrets-scan.yml@main        (cross-ref #24)
  sparkgeo/github-actions/.github/workflows/workflow-lint.yml@main       (cross-ref #25)
```
This means no PR can merge to `main` in any Sparkgeo repo without passing secrets detection and workflow linting — even if the consuming repo's own `.github/workflows/` does not call them.
Actor rules
Restrict who can trigger workflows with elevated permissions:
- External contributors: require maintainer approval before any workflow runs
- Fork PRs: block access to secrets and write tokens by default (GitHub default since 2021 — verify it is still set)
Event rules
Audit and restrict which trigger events are permitted across the org:
- `pull_request_target` and `workflow_run`: require a documented threat model (enforced via zizmor in #25, feat: workflow authoring standards + actionlint/zizmor gate; governance sets the expectation)
- `workflow_dispatch` with `inputs` containing sensitive values: discouraged in favour of environment secrets
2. Actions audit log → SIEM
GitHub emits an audit log event for every workflow trigger, secret access, and permission change. Route this to the Wazuh SIEM (cross-ref Step 9 in secops.md) for correlation with other security signals.
GitHub → Wazuh integration
```text
GitHub Org Settings → Audit log → Log streaming → Configure
  Endpoint:     https://wazuh-manager/github-audit
  Content type: application/x-ndjson
  Events:       workflow_run, secret_access, org.*, repo.*
```
Alert rules to configure in Wazuh
| Event | Alert trigger |
|---|---|
| `workflow_run` with `pull_request_target` from fork | Immediate — potential privileged workflow abuse |
| `secret.access` outside business hours | Medium — potential credential misuse |
| `org.add_member` | Informational — new org member |
| `workflow_run` failure spike (>5 in 10 min) | Medium — possible pipeline disruption attempt |
| `repo.create` with Actions enabled | Informational — new repo in scope |
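The alert rules in the table above, applied to a constructed NDJSON audit-log stream. This is an added example, not part of the original issue or of Sparkgeo's Wazuh configuration: it uses the event names from the table, while the field layout of each line (`ts`, `repo`, `event`, `head_from_fork`, `conclusion`, `actions_enabled`) and the 08:00-17:59 UTC business-hours window are assumptions to be mapped onto the real stream schema.

```python
import json
from collections import deque
from datetime import datetime

# Constructed NDJSON audit-log sample. Event names follow the alert table above;
# the field layout (ts, repo, event, head_from_fork, conclusion, ...) is an
# assumption, not GitHub's documented stream schema. Map it before wiring to Wazuh.
SAMPLE_NDJSON = """\
{"action":"workflow_run","ts":"2024-05-06T09:00:00Z","repo":"sparkgeo/app","event":"pull_request_target","head_from_fork":true}
{"action":"secret_access","ts":"2024-05-06T02:30:00Z","repo":"sparkgeo/app","actor":"deploy-bot"}
{"action":"org.add_member","ts":"2024-05-06T10:00:00Z","actor":"admin","user":"new-dev"}
{"action":"repo.create","ts":"2024-05-06T10:05:00Z","repo":"sparkgeo/new-svc","actions_enabled":true}
"""
# Six workflow_run failures one minute apart: crosses the ">5 in 10 min" bar.
FAILURE_BURST = "\n".join(
    json.dumps({"action": "workflow_run", "ts": f"2024-05-06T11:0{i}:00Z",
                "repo": "sparkgeo/app", "conclusion": "failure"})
    for i in range(6)
)

BUSINESS_HOURS = range(8, 18)             # 08:00-17:59 UTC (assumed policy)
SPIKE_THRESHOLD, SPIKE_WINDOW_S = 5, 600  # from the table: >5 in 10 min


def triage(ndjson: str) -> list[tuple[str, str]]:
    """Apply the table's rules to a stream; return (severity, message) pairs."""
    alerts: list[tuple[str, str]] = []
    recent_failures: deque = deque()  # sliding window of failure timestamps
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        action = ev.get("action")
        if action == "workflow_run":
            if ev.get("event") == "pull_request_target" and ev.get("head_from_fork"):
                alerts.append(("immediate", f"{ev['repo']}: pull_request_target run from a fork"))
            if ev.get("conclusion") == "failure":
                recent_failures.append(ts)
                while (ts - recent_failures[0]).total_seconds() > SPIKE_WINDOW_S:
                    recent_failures.popleft()  # drop failures older than the window
                if len(recent_failures) > SPIKE_THRESHOLD:
                    alerts.append(("medium", f"{ev['repo']}: {len(recent_failures)} failures in 10 min"))
        elif action == "secret_access" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("medium", f"{ev['repo']}: secret read at {ts:%H:%M} UTC by {ev.get('actor')}"))
        elif action == "org.add_member":
            alerts.append(("informational", f"new org member: {ev.get('user')}"))
        elif action == "repo.create" and ev.get("actions_enabled"):
            alerts.append(("informational", f"new repo with Actions enabled: {ev['repo']}"))
    return alerts
```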
3. OpenSSF Scorecard
Scorecard automatically evaluates the sparkgeo/github-actions repo against 20 security checks (Branch-Protection, Pinned-Dependencies, Token-Permissions, Dangerous-Workflow, etc.) and publishes results to the OpenSSF dashboard.
```yaml
# .github/workflows/scorecard.yml (on sparkgeo/github-actions itself)
name: OpenSSF Scorecard
on:
  schedule:
    - cron: '0 6 * * 1' # weekly Monday
  push:
    branches: [main]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write # upload SARIF findings to the Security tab
      id-token: write        # OIDC token required for publish_results
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # scorecard-action is a step-level action, not a reusable workflow;
      # pin it to a commit SHA per the SHA-pinning standard before rollout
      - uses: ossf/scorecard-action@main
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
Target score: ≥ 8.0 / 10.0 for sparkgeo/github-actions. Failing checks surface in the GitHub Security tab as SARIF findings.
4. Dependency review enforcement
GitHub's native dependency review action blocks PRs that introduce dependencies with known CVEs — complements the scanner workflows (#5–#7) with a fast, zero-config gate:
```text
# Add to required workflows ruleset (org-level)
sparkgeo/github-actions/.github/workflows/dependency-review.yml@main
```

```yaml
# dependency-review.yml
on: [pull_request]
permissions:
  contents: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      # pin to a commit SHA per the SHA-pinning standard before rollout
      - uses: actions/dependency-review-action@main
        with:
          fail-on-severity: critical
          deny-licenses: GPL-2.0, AGPL-3.0 # adjust to Sparkgeo license policy
```
Acceptance criteria
- sparkgeo/* repos (secrets detection + workflow lint)
- sparkgeo/github-actions; score ≥ 8.0