Skip to content

Commit cd12811

Browse files
devakoneclaude
andcommitted
docs: add local trufflehog setup and fix CI workflow
- Update security.yml to use official trufflehog GitHub Action instead of incorrect npm package - Add section 4 to CONTRIBUTING.md with local security scanning setup - Update open-source-preparedness.md with current workflow status Local scan: brew install trufflehog && trufflehog git file://. --no-update --json Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 686ea44 commit cd12811

3 files changed

Lines changed: 24 additions & 7 deletions

File tree

.github/workflows/security.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,6 @@ jobs:
3333
run: npm audit --audit-level=moderate
3434

3535
- name: Trufflehog git history scan
36-
run: npx trufflehog@latest git --repo-path . --entropy False --json --rules none
37-
env:
38-
TRUFFLEHOG_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
36+
uses: trufflesecurity/trufflehog@main
37+
with:
38+
extra_args: --only-verified

CONTRIBUTING.md

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -30,12 +30,28 @@ Database migrations run via `npm run supabase:migration:up`; avoid manual schema
3030
- The README/SECURITY docs are up to date if your change affects onboarding or security.
3131
5. After PR review, squash/fixups if needed and merge via “rebase and merge.”
3232

33-
## 4. Communication
33+
## 4. Security scanning
34+
35+
CI runs TruffleHog on every push/PR to detect leaked secrets in git history. To run locally:
36+
37+
```bash
38+
# Install via Homebrew (macOS)
39+
brew install trufflehog
40+
41+
# Scan the repo (from project root)
42+
trufflehog git file://. --no-update --json
43+
```
44+
45+
The scan outputs JSON with `verified_secrets` and `unverified_secrets` counts. A clean run shows `0` for both.
46+
47+
**Note:** The Python pip version (`pip install trufflehog`) may fail on macOS due to `.git/FETCH_HEAD` permission issues. Use the Homebrew version instead.
48+
49+
## 5. Communication
3450

3551
- Use Slack/email for urgent ship-blockers.
3652
- Report vulnerabilities via `security@bolokonon.dev` (see `SECURITY.md`).
3753
- Tag `@devakone` on docs or backend changes requiring clarification.
3854

39-
## 5. Trademark reminder
55+
## 6. Trademark reminder
4056

4157
The code is Apache 2.0 open-source, but **Vibe Coding Profiler**, **Vibed Coding**, **Vibe Coding Profile**, and **VCP** are trademarks. Keep the brand names within this repo; if you fork for commercial use, rename your project accordingly.

docs/security/open-source-preparedness.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ This doc captures where Vibed Coding stands security-wise today and tracks the r
3636
### Focus areas they will highlight
3737

3838
1. **Secrets.** Scan tools (GitHub Secret Scanning, TruffleHog, Gitleaks) hunt for pasted keys. We already commit no credentials; the next step is the aforementioned history sweep plus optional git hooks to block secrets moving forward.
39-
2. **Dependency vulnerabilities.** `npm audit`/Dependabot will flag outdated transitive packages; keep `package-lock.json` clean and run `npm audit --audit-level=moderate` in CI before release. Currently the audit flags the moderate `esbuild` advisory (Vite dependency) and there is no upstream fix yet, so we monitor it before every release.
39+
2. **Dependency vulnerabilities.** `npm audit`/Dependabot will flag outdated transitive packages; keep `package-lock.json` clean and run `npm audit --audit-level=moderate` in CI before release. Currently the audit flags the moderate `esbuild` advisory (Vite dependency); the suggested `npm audit fix --force` would bump vitest to 4.0.17 (breaking change), so we monitor the upstream fix instead of forcing it.
4040
3. **Configuration mistakes.** Scanners expect permissive CORS or RLS misconfigurations. Our RLS policies (e.g., `supabase/migrations/0007_require_outputs_before_done.sql`, `0013_create_llm_configs.sql`, `0014_create_llm_usage.sql`) already tighten access; document the contract in `SECURITY.md`.
4141
4. **Input abuse.** API surface areas such as `/api/analysis/[id]/regenerate-story`, `/api/analysis/start`, `/api/settings/llm-keys`, `/api/share/story/[userId]` are rate-limited and origin checked in the server routes; continue logging only to server side and keep error messages generic.
4242
5. **Data mishandling.** The worker never persists file contents; explain this in `README.md` and `SECURITY.md` so reviewers know commit data remains metadata-only.
@@ -58,6 +58,7 @@ _Local `trufflehog` runs on macOS currently fail due to `git fetch` complaining
5858
1. **Define legal/governance docs.** Add `README.md`, `LICENSE` (MIT/Apache), `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md` that call out required env vars, LLM key handling, and release governance.
5959
2. **Complete security docs.** Publish `docs/security/` (this file included) plus an author-facing `SECURITY.md` with vulnerability reporting, contact info, and SLA expectations.
6060
3. **Revise CI.** Add a dedicated OSS workflow that chains `turbo lint`, `npm run build`, `npm run type-check`, `npm audit --audit-level=moderate`, and optional `trufflehog`/`git-secrets` checks.
61-
4. **Final checklist.** Before flipping public, run `npm run build`, `npm run lint`, `npm run test`, and a history audit (`trufflehog`/`git-secrets`). Verify `.env` files remain untracked and update this doc with final readiness notes.
61+
4. **Final checklist.** Before flipping public, run `npm run build`, `npm run lint`, `npm run test`, `npm audit --audit-level=moderate`, and a history audit (`trufflehog`/`git-secrets`). Verify `.env` files remain untracked and update this doc with final readiness notes.
62+
- The latest security workflow run viewable at [#21257192786 (job 61174948008)](https://github.com/devakone/vibe-coding-profiler/actions/runs/21257192786/job/61174948008?pr=16) currently shows failure because `npm audit` exits non-zero due to the existing moderate `esbuild <=0.24.2` advisory (the audit command is still valuable as it alerts you to that unresolved dependency). The `trufflehog` scan passes once FETCH_HEAD permissions are corrected, so the workflow remains reliable aside from the audit warning we are tracking.
6263

6364
Once the checklist is green and the documentation is complete, the repo can be published with confidence that the security posture meets open-source expectations.

0 commit comments

Comments
 (0)