Claude
fdb9ca6786
Security Improvements: - Fork PR Protection: Builds from forks require manual 'safe-to-build' label approval - Trivy Vulnerability Scanning: Scan all images for CRITICAL/HIGH vulnerabilities - SHA-Pinned Actions: All GitHub Actions pinned to specific commits for supply chain security - SBOM Generation: Generate Software Bill of Materials for all builds - Provenance Attestation: Record build provenance for supply chain verification - Security Events Upload: Upload scan results to GitHub Security tab - Platform Optimization: Single-platform builds for PRs for faster feedback Additional Security: - Created SECURITY.md with vulnerability reporting process and security practices - Added Dependabot configuration for automated dependency updates - Limited permissions model (contents:read, packages:write, security-events:write) - No registry push from PR builds (load-only for security scanning) This addresses concerns about malicious PR builds by: 1. Requiring manual approval for fork PRs 2. Scanning all images before they could be pushed 3. Preventing PR builds from pushing to registry 4. Using verified, SHA-pinned actions
1.7 KiB
1.7 KiB