You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- SECURITY.md: Add CI security checks section and local scanning guide
- open-source-preparedness.md: Update task status to reflect working
local scans, add detailed local TruffleHog setup instructions
- CONTRIBUTING.md: Add cross-reference to detailed security docs
All three docs now consistently document:
- Homebrew installation: brew install trufflehog
- Local scan command: trufflehog git file://. --no-update --json
- CI uses TruffleHog GitHub Action
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -46,6 +46,8 @@ The scan outputs JSON with `verified_secrets` and `unverified_secrets` counts. A
46
46
47
47
**Note:** The Python pip version (`pip install trufflehog`) may fail on macOS due to `.git/FETCH_HEAD` permission issues. Use the Homebrew version instead.
48
48
49
+
For detailed security posture documentation, see `docs/security/open-source-preparedness.md`.
- The worker analyzes metadata only; PR bodies, code, and file contents are never persisted.
17
-
- Security workflow: `.github/workflows/security.yml` runs `npm audit --audit-level=moderate` and `trufflehog --entropy False` on every PR/push to `develop` and `main`.
18
17
- Trademark note: **Vibe Coding Profiler**, **Vibed Coding**, **Vibe Coding Profile**, and **VCP** are our registered/common law marks. Please do not reuse them for commercial offerings without permission; the code stays Apache 2.0 open source while the brand remains controlled.
18
+
19
+
## CI security checks
20
+
21
+
The security workflow (`.github/workflows/security.yml`) runs on every PR/push to `develop` and `main`:
Copy file name to clipboardExpand all lines: docs/security/open-source-preparedness.md
+21-5Lines changed: 21 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,7 +23,7 @@ This doc captures where Vibed Coding stands security-wise today and tracks the r
23
23
24
24
| Task | Target | Status |
25
25
| --- | --- | --- |
26
-
| Secret history sweep | Run `trufflehog`/`git-secrets` over the full git history; rotate anything flagged before release |🟡 `trufflehog` attempted locally but fetch step failed on macOS (`.git/FETCH_HEAD` permission); CI job runs successfully|
26
+
| Secret history sweep | Run `trufflehog`/`git-secrets` over the full git history; rotate anything flagged before release |✅ Clean scan locally via Homebrew (`brew install trufflehog`); CI uses TruffleHog GitHub Action|
27
27
| Dependency audit | Add `npm audit` (or Dependabot) stage to CI and resolve alerts before GA | 🟢 `npm audit --audit-level=moderate` added; esbuild moderate vulnerability still open (no fix yet) |
28
28
| Core OSS docs | Create `README.md`, `LICENSE`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, and `SECURITY.md` with install/build/attack paths and env var/key rotation notes | ✅ Done |
29
29
| Security workflow | Run `npm audit --audit-level=moderate` + `trufflehog --entropy False` on every PR | ✅ `.github/workflows/security.yml` now executes both jobs |
@@ -48,8 +48,23 @@ This doc captures where Vibed Coding stands security-wise today and tracks the r
48
48
- Keep API hardening (rate limits, origin checks) in place for endpoints noted above.
49
49
- Publish `SECURITY.md` with reporting instructions, expected SLAs, and contact channels.
50
50
- Be prepared to trim history with `git filter-repo` if a past secret resurfaces.
51
-
-
52
-
_Local `trufflehog` runs on macOS currently fail due to `git fetch` complaining about `.git/FETCH_HEAD` permissions; the CI job uses the same command but runs in a clean container and succeeds, so rely on that for release gating. If you need to rerun locally, activate the Python venv (`python3 -m venv .venv && .venv/bin/pip install trufflehog`) and ensure `git fetch` can write to `.git/FETCH_HEAD`._
51
+
### Local TruffleHog setup
52
+
53
+
Install via Homebrew (recommended for macOS):
54
+
55
+
```bash
56
+
brew install trufflehog
57
+
```
58
+
59
+
Run a scan from the repository root:
60
+
61
+
```bash
62
+
trufflehog git file://. --no-update --json
63
+
```
64
+
65
+
A clean scan outputs JSON with `"verified_secrets":0,"unverified_secrets":0`.
66
+
67
+
**Note:** The Python pip version (`pip install trufflehog`) has `.git/FETCH_HEAD` permission issues on macOS. The Homebrew version works without these issues.
53
68
54
69
---
55
70
@@ -58,7 +73,8 @@ _Local `trufflehog` runs on macOS currently fail due to `git fetch` complaining
58
73
1.**Define legal/governance docs.** Add `README.md`, `LICENSE` (MIT/Apache), `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md` that call out required env vars, LLM key handling, and release governance.
59
74
2.**Complete security docs.** Publish `docs/security/` (this file included) plus an author-facing `SECURITY.md` with vulnerability reporting, contact info, and SLA expectations.
60
75
3.**Revise CI.** Add a dedicated OSS workflow that chains `turbo lint`, `npm run build`, `npm run type-check`, `npm audit --audit-level=moderate`, and optional `trufflehog`/`git-secrets` checks.
61
-
4.**Final checklist.** Before flipping public, run `npm run build`, `npm run lint`, `npm run test`, `npm audit --audit-level=moderate`, and a history audit (`trufflehog`/`git-secrets`). Verify `.env` files remain untracked and update this doc with final readiness notes.
62
-
- The latest security workflow run viewable at [#21257192786 (job 61174948008)](https://github.com/devakone/vibe-coding-profiler/actions/runs/21257192786/job/61174948008?pr=16) currently shows failure because `npm audit` exits non-zero due to the existing moderate `esbuild <=0.24.2` advisory (the audit command is still valuable as it alerts you to that unresolved dependency). The `trufflehog` scan passes once FETCH_HEAD permissions are corrected, so the workflow remains reliable aside from the audit warning we are tracking.
76
+
4.**Final checklist.** Before flipping public, run `npm run build`, `npm run lint`, `npm run test`, `npm audit --audit-level=moderate`, and a history audit (`trufflehog`). Verify `.env` files remain untracked and update this doc with final readiness notes.
77
+
-**TruffleHog:** CI uses the official [TruffleHog GitHub Action](https://github.com/trufflesecurity/trufflehog). Local scans run via `brew install trufflehog && trufflehog git file://. --no-update --json`.
78
+
-**npm audit:** The moderate `esbuild <=0.24.2` advisory remains open (vitest dependency); we monitor for upstream fixes rather than forcing breaking changes.
63
79
64
80
Once the checklist is green and the documentation is complete, the repo can be published with confidence that the security posture meets open-source expectations.
0 commit comments