Skip to content

feat(security): harden workflows, add triage SLAs, patch vulnerabilities #2760

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
DerekRoberts merged 7 commits into from
Jun 12, 2026
Merged

feat(security): harden workflows, add triage SLAs, patch vulnerabilities #2760

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
88376c3
feat(security): harden workflows, add triage SLAs, and patch vulnerab…
DerekRoberts Jun 12, 2026
8257b86
chore(workflow): make security scans non-blocking for merge gates
DerekRoberts Jun 12, 2026
797b98e
chore(workflow): remove Trivy container image scanning job
DerekRoberts Jun 12, 2026
d5125a2
fix(security): address PR review comments on triage SLAs and package-…
DerekRoberts Jun 12, 2026
8c3ef86
ci(workflow): wait for backend health check before running integratio…
DerekRoberts Jun 12, 2026
9729ef4
perf(database): remove RANDOM_EXPRESSION to prevent redundant rolling…
DerekRoberts Jun 12, 2026
987c5c5
ci(workflow): add curl timeouts and insecure flags to health check wa…
DerekRoberts Jun 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions .github/ISSUE_TEMPLATE/security-triage.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
name: Security Vulnerability Triage
about: Track and triage dependency or container vulnerability remediation.
title: '[SECURITY] CVE-XXX: Package Name - Severity/SLA'
labels: security
assignees: ''
---

## Vulnerability Details
- **CVE ID**:
- **Package**:
- **Vulnerability Link**:
- **CVSS Score**:
- **EPSS Score**:

## SLA Triage
- [ ] Critical (24h)
- [ ] High (1w)
- [ ] Medium (2w)
- [ ] Low (Next scheduled release)

## Remediation Plan
- [ ] Upgrade dependency version
- [ ] Apply code fix / workaround
- [ ] Document exception
20 changes: 19 additions & 1 deletion .github/workflows/reusable-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,25 @@ jobs:
${{ runner.os }}-build-
${{ runner.os }}-

- env:
- name: Wait for backend health check
env:
BASE_URL: https://${{ env.PREFIX }}.${{ env.DOMAIN }}
run: |
echo "Waiting for backend health check at ${BASE_URL}/api/health..."
for i in {1..30}; do
status=$(curl -k --connect-timeout 5 --max-time 10 -s -o /dev/null -w "%{http_code}" "${BASE_URL}/api/health" || true)
if [ "$status" -eq 200 ]; then
echo "Backend is healthy!"
exit 0
fi
echo "Waiting for health check (HTTP $status), retrying in 10s... ($i/30)"
sleep 10
done
echo "ERROR: Backend did not become healthy in time."
exit 1

- name: Run Integration Tests
env:
API_NAME: nest
BASE_URL: https://${{ env.PREFIX }}.${{ env.DOMAIN }}
run: |
Expand Down
9 changes: 9 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,12 @@ Out of the box, this QuickStart repository is hardened to satisfy Level 1 and Le
| **V14.4** | HTTP Secure Headers | Strips identifying `Server` headers and enforces secure HTTP response headers (CSP, HSTS, X-Frame-Options, same-origin, and MIME sniffing blocks). | Configured natively in the frontend [frontend/Caddyfile](file:///home/derek/Repos/quickstart-openshift/frontend/Caddyfile) and verified by weekly OWASP ZAP scans. |
| **V14.4** | Container Hardening | Restricts container execution permissions and prevents host system modifications. | Enforces `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, drop all `capabilities`, and default `seccompProfile` in [backend/openshift.deploy.yml](file:///home/derek/Repos/quickstart-openshift/backend/openshift.deploy.yml) and [frontend/openshift.deploy.yml](file:///home/derek/Repos/quickstart-openshift/frontend/openshift.deploy.yml). |
| **V14.4** | Network Segmentation | Controls pod communication, isolating network traffic between frontend, backend, and database tiers. | Hardened [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) defined in [common/openshift.init.yml](file:///home/derek/Repos/quickstart-openshift/common/openshift.init.yml). |

## Vulnerability Triage SLAs

All security issues are triaged using CISA KEV status and CVSS scores:
- **Critical** (CVSS 9.0-10.0 or CISA KEV): Remediation within 24 hours.
- **High** (CVSS 7.0-8.9): Remediation within 1 week.
- **Medium** (CVSS 4.0-6.9): Remediation within 2 weeks.
- **Low** (CVSS 0.0-3.9): Remediation next scheduled release.

12 changes: 6 additions & 6 deletions backend/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 2 additions & 6 deletions common/openshift.database.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,7 @@ parameters:
- name: MEMORY_LIMIT
description: Memory limit for the database container (bounds the pod's working set).
value: 4Gi
- name: RANDOM_EXPRESSION
description: Random expression to make sure deployments update
from: "[a-zA-Z0-9]{32}"
generate: expression

objects:
- apiVersion: apps/v1
kind: StatefulSet
Expand Down Expand Up @@ -71,8 +68,7 @@ objects:
secretKeyRef:
name: ${NAME}-${ZONE}-database
key: database-user
- name: RANDOM_EXPRESSION
value: ${RANDOM_EXPRESSION}

volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
Expand Down
Loading