Files
caddy-proxy-manager/.github/dependabot.yml
Claude fdb9ca6786 Add comprehensive security enhancements to build pipeline
Security Improvements:
- Fork PR Protection: Builds from forks require manual 'safe-to-build' label approval
- Trivy Vulnerability Scanning: Scan all images for CRITICAL/HIGH vulnerabilities
- SHA-Pinned Actions: All GitHub Actions pinned to specific commits for supply chain security
- SBOM Generation: Generate Software Bill of Materials for all builds
- Provenance Attestation: Record build provenance for supply chain verification
- Security Events Upload: Upload scan results to GitHub Security tab
- Platform Optimization: Single-platform builds for PRs for faster feedback

Additional Security:
- Created SECURITY.md with vulnerability reporting process and security practices
- Added Dependabot configuration for automated dependency updates
- Limited permissions model (contents:read, packages:write, security-events:write)
- No registry push from PR builds (load-only for security scanning)

This addresses concerns about malicious PR builds by:
1. Requiring manual approval for fork PRs
2. Scanning all images before they could be pushed
3. Preventing PR builds from pushing to registry
4. Using verified, SHA-pinned actions
2025-11-04 21:29:01 +00:00

80 lines
1.7 KiB
YAML

version: 2
updates:
  # GitHub Actions updates
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    reviewers:
      - "fuomag9"
    labels:
      - "dependencies"
      - "github-actions"
      - "security"
    commit-message:
      prefix: "ci"
      include: "scope"

  # NPM dependencies updates
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    reviewers:
      - "fuomag9"
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "deps"
      include: "scope"
    # Group non-security updates
    groups:
      development-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
      production-dependencies:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
    # Security updates always get their own PR
    versioning-strategy: increase

  # Docker base images updates
  - package-ecosystem: "docker"
    directory: "/docker/web"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    reviewers:
      - "fuomag9"
    labels:
      - "dependencies"
      - "docker"
      - "security"
    commit-message:
      prefix: "docker"

  - package-ecosystem: "docker"
    directory: "/docker/caddy"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    reviewers:
      - "fuomag9"
    labels:
      - "dependencies"
      - "docker"
      - "security"
    commit-message:
      prefix: "docker"
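A Dependabot configuration like the one above only helps if every ecosystem block actually carries a reviewer, a sane PR cap and the labels that route security updates to the right people. The following linter is an added example, not part of the caddy-proxy-manager repository or of Dependabot itself: it parses a dependabot.yml with Ruby's standard YAML library and reports policy violations. The policy thresholds (at most 10 open PRs per block, a "security" label required for github-actions and docker blocks, a mandatory "dependencies" label) are assumptions chosen for illustration; the sample configs are constructed inline, the good one trimmed from the file above and the bad one deliberately missing reviewers and using an oversized PR cap.

```ruby
require 'yaml'

# Constructed sample: two ecosystem blocks trimmed from the dependabot.yml above.
GOOD_CONFIG = <<~CONFIG
  version: 2
  updates:
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
      open-pull-requests-limit: 10
      reviewers:
        - "fuomag9"
      labels:
        - "dependencies"
        - "security"
    - package-ecosystem: "docker"
      directory: "/docker/caddy"
      schedule:
        interval: "weekly"
      open-pull-requests-limit: 5
      reviewers:
        - "fuomag9"
      labels:
        - "dependencies"
        - "docker"
        - "security"
CONFIG

# Constructed negative sample: no reviewers and an oversized PR cap.
BAD_CONFIG = <<~CONFIG
  version: 2
  updates:
    - package-ecosystem: "npm"
      directory: "/"
      schedule:
        interval: "daily"
      open-pull-requests-limit: 50
      labels:
        - "dependencies"
CONFIG

# Policy values below are assumptions for this example, not Dependabot defaults.
MAX_OPEN_PRS = 10
ALLOWED_INTERVALS = %w[daily weekly monthly].freeze
REQUIRED_LABELS = %w[dependencies].freeze
SECURITY_ECOSYSTEMS = %w[github-actions docker].freeze

# Returns an array of human-readable findings; empty means the config passes policy.
def lint_dependabot(yaml_text)
  findings = []
  doc = YAML.safe_load(yaml_text)
  return ['top-level document is not a mapping'] unless doc.is_a?(Hash)

  findings << 'version must be 2' unless doc['version'] == 2
  updates = doc['updates']
  unless updates.is_a?(Array) && !updates.empty?
    findings << 'updates must be a non-empty list'
    return findings
  end

  seen = {}
  updates.each_with_index do |u, i|
    eco = u['package-ecosystem'] || "<block #{i}>"
    dir = u['directory']
    where = "#{eco}@#{dir || '?'}"

    findings << "#{where}: directory is required" if dir.nil?

    # Duplicate ecosystem/directory pairs silently shadow each other.
    key = [eco, dir]
    findings << "#{where}: duplicate ecosystem/directory block" if seen[key]
    seen[key] = true

    interval = u.dig('schedule', 'interval')
    unless ALLOWED_INTERVALS.include?(interval)
      findings << "#{where}: schedule.interval must be one of #{ALLOWED_INTERVALS.join('/')}"
    end

    limit = u['open-pull-requests-limit']
    if limit.is_a?(Integer) && limit > MAX_OPEN_PRS
      findings << "#{where}: open-pull-requests-limit #{limit} exceeds #{MAX_OPEN_PRS}"
    end

    # Unreviewed automated PRs are exactly what a supply-chain attacker hopes for.
    findings << "#{where}: no reviewers assigned" if Array(u['reviewers']).empty?

    labels = Array(u['labels'])
    REQUIRED_LABELS.each do |l|
      findings << "#{where}: missing required label '#{l}'" unless labels.include?(l)
    end
    if SECURITY_ECOSYSTEMS.include?(eco) && !labels.include?('security')
      findings << "#{where}: #{eco} updates should carry the 'security' label"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? GOOD_CONFIG : File.read(ARGV[0])
  result = lint_dependabot(text)
  puts(result.empty? ? 'OK: config passes policy' : result)
  exit(result.empty? ? 0 : 1)
end
```

Run it with a path to a dependabot.yml to lint that file, or with no arguments to lint the embedded sample; a non-zero exit makes it usable as a pre-commit or CI gate, so a later edit that drops the reviewer or raises the PR cap is caught before it lands.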