Add CodeQL + Dependabot + SECURITY.md baseline#1
Closed
elkimek wants to merge 1 commit into
Closed
Conversation
CodeQL workflow: - JavaScript-TypeScript analysis on push, PR, weekly cron. - Default query suite (no security-extended) — static-site code surface is small (build-blog.js + inline <script> in HTML pages) and the default queries already cover the XSS-shape findings worth surfacing. - 15-min timeout cap. Dependabot: - github-actions only at monthly cadence. The repo has no package.json at root and the build script uses Node stdlib, so there's no pip / npm surface to track until a real build pipeline lands. SECURITY.md: - Routes vulnerability reports to GitHub Security Advisories. - Calls out the install.sh + sha256 trust assumption explicitly so any supply-chain finding has a clear disclosure path. - Cross-references the app + relay repos for non-site reports. Repo-level toggles enabled out-of-band via gh api: vulnerability alerts, automated security fixes, private vulnerability reporting. Secret scanning + push protection were already on. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Site repo's first security setup. Same pattern as the relay/agents/lab-charts PRs but scoped down for a static-site codebase.
.github/workflows/codeql.yml— JS-TS analysis with the default query suite. Default (notsecurity-extended) because the JS surface is tiny:build-blog.jsruns at build time with no user input, and inline<script>blocks in HTML are the only runtime JS..github/dependabot.yml— github-actions only at monthly cadence. No npm/pip ecosystem because there's no package.json at root.SECURITY.md— new. Calls out theinstall.sh+install.sh.sha256trust assumption explicitly (it's the only network-trust the agent stack relies on).Why this is light vs. the other repos
Static site → small attack surface. The most likely real findings are: XSS via inline
<script>interpolation, an unsafeinnerHTMLinbuild-blog.js, or a supply-chain issue with the install script. The default CodeQL query suite catches the first two; SECURITY.md documents the channel for the third.If a real build pipeline (Astro, Eleventy, etc.) lands later, switch the dependabot config to add the appropriate npm ecosystem and consider bumping CodeQL to
security-extended.Test plan