
Commit 1876844

feat(security): harden workflows, add triage SLAs, patch vulnerabilities (#2760)
1 parent 7c54e75 commit 1876844

5 files changed

Lines changed: 61 additions & 13 deletions


Lines changed: 25 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,25 @@
1+
---
2+
name: Security Vulnerability Triage
3+
about: Track and triage dependency or container vulnerability remediation.
4+
title: '[SECURITY] CVE-XXX: Package Name - Severity/SLA'
5+
labels: security
6+
assignees: ''
7+
---
8+
9+
## Vulnerability Details
10+
- **CVE ID**:
11+
- **Package**:
12+
- **Vulnerability Link**:
13+
- **CVSS Score**:
14+
- **EPSS Score**:
15+
16+
## SLA Triage
17+
- [ ] Critical (24h)
18+
- [ ] High (1w)
19+
- [ ] Medium (2w)
20+
- [ ] Low (Next scheduled release)
21+
22+
## Remediation Plan
23+
- [ ] Upgrade dependency version
24+
- [ ] Apply code fix / workaround
25+
- [ ] Document exception
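Review bot: the "SLA Triage" checkboxes let the triager pick a tier without the template capturing the input that decides it. "Vulnerability Details" records CVSS and EPSS, but SECURITY.md in this same commit makes CISA KEV status alone sufficient for Critical, and there is no KEV field here; add something like "- **CISA KEV**: yes/no" beside the CVSS line, and since no SLA tier references EPSS, either say how the EPSS score changes prioritisation or drop the field. Two smaller points: the title placeholder "CVE-XXX" doesn't match the real "CVE-YYYY-NNNNN" shape, and "- [ ] Document exception" has no owner or expiry, so a ticked box becomes a permanent waiver; consider "Document exception (owner, expiry date)".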

.github/workflows/reusable-tests.yml

Lines changed: 19 additions & 1 deletion
@@ -36,7 +36,25 @@ jobs:
3636
${{ runner.os }}-build-
3737
${{ runner.os }}-
3838
39-
- env:
39+
- name: Wait for backend health check
40+
env:
41+
BASE_URL: https://${{ env.PREFIX }}.${{ env.DOMAIN }}
42+
run: |
43+
echo "Waiting for backend health check at ${BASE_URL}/api/health..."
44+
for i in {1..30}; do
45+
status=$(curl -k --connect-timeout 5 --max-time 10 -s -o /dev/null -w "%{http_code}" "${BASE_URL}/api/health" || true)
46+
if [ "$status" -eq 200 ]; then
47+
echo "Backend is healthy!"
48+
exit 0
49+
fi
50+
echo "Waiting for health check (HTTP $status), retrying in 10s... ($i/30)"
51+
sleep 10
52+
done
53+
echo "ERROR: Backend did not become healthy in time."
54+
exit 1
55+
56+
- name: Run Integration Tests
57+
env:
4058
API_NAME: nest
4159
BASE_URL: https://${{ env.PREFIX }}.${{ env.DOMAIN }}
4260
run: |
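Review bot: `curl -k` on line 45 disables TLS certificate verification for the health check, which is out of place in a commit titled "harden workflows": the loop prints "Backend is healthy!" for any endpoint that answers 200 under that hostname, whoever issued its certificate. If the preview environment serves a certificate the runner cannot validate, pass the issuing CA with `--cacert` instead; if it is publicly trusted, drop `-k` outright, and either way leave a comment explaining the choice. Minor: `[ "$status" -eq 200 ]` works because `-w "%{http_code}"` prints `000` on a connection failure, but `[ "$status" = "200" ]` is the safer comparison if `status` ever ends up empty. `BASE_URL` is now declared identically in both steps (lines 41 and 59); hoisting it to job-level `env:` avoids the two drifting apart.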

SECURITY.md

Lines changed: 9 additions & 0 deletions
@@ -29,3 +29,12 @@ Out of the box, this QuickStart repository is hardened to satisfy Level 1 and Le
2929
| **V14.4** | HTTP Secure Headers | Strips identifying `Server` headers and enforces secure HTTP response headers (CSP, HSTS, X-Frame-Options, same-origin, and MIME sniffing blocks). | Configured natively in the frontend [frontend/Caddyfile](file:///home/derek/Repos/quickstart-openshift/frontend/Caddyfile) and verified by weekly OWASP ZAP scans. |
3030
| **V14.4** | Container Hardening | Restricts container execution permissions and prevents host system modifications. | Enforces `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, drop all `capabilities`, and default `seccompProfile` in [backend/openshift.deploy.yml](file:///home/derek/Repos/quickstart-openshift/backend/openshift.deploy.yml) and [frontend/openshift.deploy.yml](file:///home/derek/Repos/quickstart-openshift/frontend/openshift.deploy.yml). |
3131
| **V14.4** | Network Segmentation | Controls pod communication, isolating network traffic between frontend, backend, and database tiers. | Hardened [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) defined in [common/openshift.init.yml](file:///home/derek/Repos/quickstart-openshift/common/openshift.init.yml). |
32+
33+
## Vulnerability Triage SLAs
34+
35+
All security issues are triaged using CISA KEV status and CVSS scores:
36+
- **Critical** (CVSS 9.0-10.0 or CISA KEV): Remediation within 24 hours.
37+
- **High** (CVSS 7.0-8.9): Remediation within 1 week.
38+
- **Medium** (CVSS 4.0-6.9): Remediation within 2 weeks.
39+
- **Low** (CVSS 0.0-3.9): Remediation next scheduled release.
40+
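Review bot: the SLA tiers on lines 35-39 key Critical on "CISA KEV" and CVSS, but the issue template added in this same commit records an EPSS score and has no KEV field, so the policy and the form it is meant to drive disagree on the triage inputs; settle on one set and use it in both places. The tiers also have no clock start: "Remediation within 24 hours" of the advisory, of the scanner alert, or of the issue being opened? State which. While in this file, the unchanged rows above link to `file:///home/derek/Repos/...`, which only resolve on the author's machine (use repo-relative paths), and the same "V14.4" identifier is reused for HTTP Secure Headers, Container Hardening and Network Segmentation, which cannot all be the same ASVS control.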

backend/package-lock.json

Lines changed: 6 additions & 6 deletions
(Generated file; diff not rendered.)
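Review bot: the commit message says "patch vulnerabilities", but the only dependency change is this 6-line lock-file update and nothing in the diff (commit message, SECURITY.md, or the new issue template) names the package or advisory it addresses. Put the advisory ID and the before/after version in the commit message, or open the first triage issue using the template this commit adds; as it stands a reviewer has to expand the lockfile to learn what was fixed, and the SLA process being introduced has no record of its first remediation.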

common/openshift.database.yml

Lines changed: 2 additions & 6 deletions
@@ -19,10 +19,7 @@ parameters:
1919
- name: MEMORY_LIMIT
2020
description: Memory limit for the database container (bounds the pod's working set).
2121
value: 4Gi
22-
- name: RANDOM_EXPRESSION
23-
description: Random expression to make sure deployments update
24-
from: "[a-zA-Z0-9]{32}"
25-
generate: expression
22+
2623
objects:
2724
- apiVersion: apps/v1
2825
kind: StatefulSet
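Review bot: dropping the RANDOM_EXPRESSION parameter removes the only thing that forced a StatefulSet rollout on re-processing this template (its own description reads "Random expression to make sure deployments update"). Once it is gone, re-applying with an unchanged pod spec, for example after rotating the `${NAME}-${ZONE}-database` secret consumed via secretKeyRef or re-pushing an image under the same tag, leaves the running database pods untouched. If not restarting the database on every deploy is the intent, say so in the commit; otherwise replace it with a deliberate trigger such as an image digest or a checksum annotation on the pod template. Also, line 22+ leaves a stray blank line between the MEMORY_LIMIT parameter and `objects:`.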
@@ -71,8 +68,7 @@ objects:
7168
secretKeyRef:
7269
name: ${NAME}-${ZONE}-database
7370
key: database-user
74-
- name: RANDOM_EXPRESSION
75-
value: ${RANDOM_EXPRESSION}
71+
7672
volumeMounts:
7773
- name: data
7874
mountPath: /var/lib/postgresql/data
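Review bot: line 71+ adds an empty line in place of the removed `RANDOM_EXPRESSION` env entry, so the container's `env:` list now ends with a blank line before `volumeMounts:`; delete it. Apart from that, this hunk correctly removes the only consumer of the parameter dropped in the hunk above, so the two changes stand or fall together.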
