Add comprehensive security enhancements to build pipeline

Security Improvements: - Fork PR Protection: Builds from forks require manual 'safe-to-build' label approval - Trivy Vulnerability Scanning: Scan all images for CRITICAL/HIGH vulnerabilities - SHA-Pinned Actions: All GitHub Actions pinned to specific commits for supply chain security - SBOM Generation: Generate Software Bill of Materials for all builds - Provenance Attestation: Record build provenance for supply chain verification - Security Events Upload: Upload scan results to GitHub Security tab - Platform Optimization: Single-platform builds for PRs for faster feedback Additional Security: - Created SECURITY.md with vulnerability reporting process and security practices - Added Dependabot configuration for automated dependency updates - Limited permissions model (contents:read, packages:write, security-events:write) - No registry push from PR builds (load-only for security scanning) This addresses concerns about malicious PR builds by: 1. Requiring manual approval for fork PRs 2. Scanning all images before they could be pushed 3. Preventing PR builds from pushing to registry 4. Using verified, SHA-pinned actions
2025-11-04 21:29:01 +00:00
parent 6c13692272
commit fdb9ca6786
3 changed files with 231 additions and 8 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,79 @@
+version: 2
+updates:
+  # GitHub Actions updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "fuomag9"
+    labels:
+      - "dependencies"
+      - "github-actions"
+      - "security"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+
+  # NPM dependencies updates
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "fuomag9"
+    labels:
+      - "dependencies"
+      - "npm"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    # Group non-security updates
+    groups:
+      development-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+      production-dependencies:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          - "patch"
+    # Security updates always get their own PR
+    versioning-strategy: increase
+
+  # Docker base images updates
+  - package-ecosystem: "docker"
+    directory: "/docker/web"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "fuomag9"
+    labels:
+      - "dependencies"
+      - "docker"
+      - "security"
+    commit-message:
+      prefix: "docker"
+
+  - package-ecosystem: "docker"
+    directory: "/docker/caddy"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "fuomag9"
+    labels:
+      - "dependencies"
+      - "docker"
+      - "security"
+    commit-message:
+      prefix: "docker"