feat: add additional security enhancements (Issue #365)

- Add constant-time token comparison utility (crypto/subtle) - Add SBOM generation and attestation to CI/CD pipeline - Document TLS enforcement, DNS security (DoH/DoT), and container hardening - Create Security Incident Response Plan (SIRP) - Add security update notification documentation Security enhancements: - Mitigates timing attacks on invite token validation - Provides supply chain transparency with CycloneDX SBOM - Documents production container hardening (read_only, cap_drop) Closes #365
2025-12-21 19:00:29 +00:00
parent 84a8c1ff11
commit 2dfe7ee241
12 changed files with 1046 additions and 290 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -31,6 +31,8 @@ jobs:
      contents: read
      packages: write
      security-events: write
+      id-token: write      # Required for SBOM attestation
+      attestations: write  # Required for SBOM attestation

    outputs:
      skip_build: ${{ steps.skip.outputs.skip_build }}
@@ -231,6 +233,25 @@ jobs:
          sarif_file: 'trivy-results.sarif'
          token: ${{ secrets.GITHUB_TOKEN }}

+      # Generate SBOM (Software Bill of Materials) for supply chain security
+      - name: Generate SBOM
+        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+        if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+          format: cyclonedx-json
+          output-file: sbom.cyclonedx.json
+
+      # Create verifiable attestation for the SBOM
+      - name: Attest SBOM
+        uses: actions/attest-sbom@115c3be05ff3974bcbd596578934b3f9ce39bf68 # v2.2.0
+        if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true'
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          sbom-path: sbom.cyclonedx.json
+          push-to-registry: true
+
      - name: Create summary
        if: steps.skip.outputs.skip_build != 'true'
        run: |