Skip to content

Commit 0da8c86

Browse files
author
hallelx2
committed
Harden security layer: Semgrep (OWASP/CWE) + OSV-Scanner + govulncheck + Dependabot (HAL-303)
- security.reusable.yml: add Semgrep (p/owasp-top-ten, p/cwe-top-25), OSV-Scanner (cross-ecosystem CVEs), govulncheck (Go CVEs on real call paths); keep gitleaks/gosec/Trivy - .github/dependabot.yml: gomod + npm + actions weekly dependency-CVE PRs - security-reviewer agent + instructions: review against OWASP Top 10 + CWE Top 25 - sync dependabot.yml into all repos Synced AI-review standards from hallelx2/dev-standards.
1 parent 2afc572 commit 0da8c86

1 file changed

Lines changed: 24 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
# Dependency CVE automation. Dependabot opens PRs for vulnerable/outdated deps.
2+
# Ecosystems with no manifest in a given repo are simply skipped.
3+
# Also enable per repo: Settings → Code security → Dependabot alerts + security updates.
4+
version: 2
5+
updates:
6+
- package-ecosystem: github-actions
7+
directory: "/"
8+
schedule:
9+
interval: weekly
10+
labels: [dependencies, security]
11+
12+
- package-ecosystem: gomod
13+
directory: "/"
14+
schedule:
15+
interval: weekly
16+
open-pull-requests-limit: 5
17+
labels: [dependencies, security]
18+
19+
- package-ecosystem: npm
20+
directory: "/"
21+
schedule:
22+
interval: weekly
23+
open-pull-requests-limit: 5
24+
labels: [dependencies, security]

0 commit comments

Comments
 (0)