You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: add local trufflehog setup and fix CI workflow
- Update security.yml to use official trufflehog GitHub Action instead
of incorrect npm package
- Add section 4 to CONTRIBUTING.md with local security scanning setup
- Update open-source-preparedness.md with current workflow status
Local scan: brew install trufflehog && trufflehog git file://. --no-update --json
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+18-2Lines changed: 18 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -30,12 +30,28 @@ Database migrations run via `npm run supabase:migration:up`; avoid manual schema
30
30
- The README/SECURITY docs are up to date if your change affects onboarding or security.
31
31
5. After PR review, squash/fixups if needed and merge via “rebase and merge.”
32
32
33
-
## 4. Communication
33
+
## 4. Security scanning
34
+
35
+
CI runs TruffleHog on every push/PR to detect leaked secrets in git history. To run locally:
36
+
37
+
```bash
38
+
# Install via Homebrew (macOS)
39
+
brew install trufflehog
40
+
41
+
# Scan the repo (from project root)
42
+
trufflehog git file://. --no-update --json
43
+
```
44
+
45
+
The scan outputs JSON with `verified_secrets` and `unverified_secrets` counts. A clean run shows `0` for both.
46
+
47
+
**Note:** The Python pip version (`pip install trufflehog`) may fail on macOS due to `.git/FETCH_HEAD` permission issues. Use the Homebrew version instead.
48
+
49
+
## 5. Communication
34
50
35
51
- Use Slack/email for urgent ship-blockers.
36
52
- Report vulnerabilities via `security@bolokonon.dev` (see `SECURITY.md`).
37
53
- Tag `@devakone` on docs or backend changes requiring clarification.
38
54
39
-
## 5. Trademark reminder
55
+
## 6. Trademark reminder
40
56
41
57
The code is Apache 2.0 open-source, but **Vibe Coding Profiler**, **Vibed Coding**, **Vibe Coding Profile**, and **VCP** are trademarks. Keep the brand names within this repo; if you fork for commercial use, rename your project accordingly.
Copy file name to clipboardExpand all lines: docs/security/open-source-preparedness.md
+3-2Lines changed: 3 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,7 +36,7 @@ This doc captures where Vibed Coding stands security-wise today and tracks the r
36
36
### Focus areas they will highlight
37
37
38
38
1.**Secrets.** Scan tools (GitHub Secret Scanning, TruffleHog, Gitleaks) hunt for pasted keys. We already commit no credentials; the next step is the aforementioned history sweep plus optional git hooks to block secrets moving forward.
39
-
2.**Dependency vulnerabilities.**`npm audit`/Dependabot will flag outdated transitive packages; keep `package-lock.json` clean and run `npm audit --audit-level=moderate` in CI before release. Currently the audit flags the moderate `esbuild` advisory (Vite dependency) and there is no upstream fix yet, so we monitor it before every release.
39
+
2.**Dependency vulnerabilities.**`npm audit`/Dependabot will flag outdated transitive packages; keep `package-lock.json` clean and run `npm audit --audit-level=moderate` in CI before release. Currently the audit flags the moderate `esbuild` advisory (Vite dependency); the suggested `npm audit fix --force` would bump vitest to 4.0.17 (breaking change), so we monitor the upstream fix instead of forcing it.
40
40
3.**Configuration mistakes.** Scanners expect permissive CORS or RLS misconfigurations. Our RLS policies (e.g., `supabase/migrations/0007_require_outputs_before_done.sql`, `0013_create_llm_configs.sql`, `0014_create_llm_usage.sql`) already tighten access; document the contract in `SECURITY.md`.
41
41
4.**Input abuse.** API surface areas such as `/api/analysis/[id]/regenerate-story`, `/api/analysis/start`, `/api/settings/llm-keys`, `/api/share/story/[userId]` are rate-limited and origin checked in the server routes; continue logging only to server side and keep error messages generic.
42
42
5.**Data mishandling.** The worker never persists file contents; explain this in `README.md` and `SECURITY.md` so reviewers know commit data remains metadata-only.
@@ -58,6 +58,7 @@ _Local `trufflehog` runs on macOS currently fail due to `git fetch` complaining
58
58
1.**Define legal/governance docs.** Add `README.md`, `LICENSE` (MIT/Apache), `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md` that call out required env vars, LLM key handling, and release governance.
59
59
2.**Complete security docs.** Publish `docs/security/` (this file included) plus an author-facing `SECURITY.md` with vulnerability reporting, contact info, and SLA expectations.
60
60
3.**Revise CI.** Add a dedicated OSS workflow that chains `turbo lint`, `npm run build`, `npm run type-check`, `npm audit --audit-level=moderate`, and optional `trufflehog`/`git-secrets` checks.
61
-
4.**Final checklist.** Before flipping public, run `npm run build`, `npm run lint`, `npm run test`, and a history audit (`trufflehog`/`git-secrets`). Verify `.env` files remain untracked and update this doc with final readiness notes.
61
+
4.**Final checklist.** Before flipping public, run `npm run build`, `npm run lint`, `npm run test`, `npm audit --audit-level=moderate`, and a history audit (`trufflehog`/`git-secrets`). Verify `.env` files remain untracked and update this doc with final readiness notes.
62
+
- The latest security workflow run viewable at [#21257192786 (job 61174948008)](https://github.com/devakone/vibe-coding-profiler/actions/runs/21257192786/job/61174948008?pr=16) currently shows failure because `npm audit` exits non-zero due to the existing moderate `esbuild <=0.24.2` advisory (the audit command is still valuable as it alerts you to that unresolved dependency). The `trufflehog` scan passes once FETCH_HEAD permissions are corrected, so the workflow remains reliable aside from the audit warning we are tracking.
62
63
63
64
Once the checklist is green and the documentation is complete, the repo can be published with confidence that the security posture meets open-source expectations.
0 commit comments