fix: implement security severity policy and enhance CodeQL checks for blocking findings

2026-02-25 15:05:41 +00:00
parent 0917edb863
commit cb16ac05a2
11 changed files with 727 additions and 43 deletions
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -337,6 +337,27 @@ jobs:
          echo "  Low: ${LOW_COUNT}"
          echo "  Total: ${TOTAL_COUNT}"

+      - name: Security severity policy summary
+        if: steps.set-target.outputs.image_name != ''
+        run: |
+          CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
+          HIGH_COUNT="${{ steps.vuln-summary.outputs.high_count }}"
+          MEDIUM_COUNT="${{ steps.vuln-summary.outputs.medium_count }}"
+
+          {
+            echo "## 🔐 Supply Chain Severity Policy"
+            echo ""
+            echo "- Blocking: Critical, High"
+            echo "- Medium: non-blocking by default (report + triage SLA)"
+            echo "- Policy file: .github/security-severity-policy.yml"
+            echo ""
+            echo "Current scan counts: Critical=${CRITICAL_COUNT}, High=${HIGH_COUNT}, Medium=${MEDIUM_COUNT}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          if [[ "${MEDIUM_COUNT}" -gt 0 ]]; then
+            echo "::warning::${MEDIUM_COUNT} medium vulnerabilities found. Non-blocking by policy; create/maintain triage issue with SLA per .github/security-severity-policy.yml"
+          fi
+
      - name: Upload SARIF to GitHub Security
        if: steps.check-artifact.outputs.artifact_found == 'true'
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
@@ -433,10 +454,11 @@ jobs:

          echo "✅ PR comment posted"

-      - name: Fail on critical vulnerabilities
+      - name: Fail on Critical/High vulnerabilities
        if: steps.set-target.outputs.image_name != ''
        run: |
          CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
+          HIGH_COUNT="${{ steps.vuln-summary.outputs.high_count }}"

          if [[ "${CRITICAL_COUNT}" -gt 0 ]]; then
            echo "🚨 Found ${CRITICAL_COUNT} CRITICAL vulnerabilities!"
@@ -444,4 +466,10 @@ jobs:
            exit 1
          fi

-          echo "✅ No critical vulnerabilities found"
+          if [[ "${HIGH_COUNT}" -gt 0 ]]; then
+            echo "🚨 Found ${HIGH_COUNT} HIGH vulnerabilities!"
+            echo "Please review the vulnerability report and address high severity issues before merging."
+            exit 1
+          fi
+
+          echo "✅ No Critical/High vulnerabilities found"