feat: add OpenSSF Baseline Level 1 security foundations

ako · claude · ako · commit bed4244caaa8 · 2026-03-30T11:13:44.000Z
- SECURITY.md: vulnerability reporting policy via GitHub Security Advisories - dependabot.yml: automated dependency updates for Go modules, GitHub Actions, and npm (VS Code extension) - govulncheck: Go vulnerability scanning added to CI pipeline Toward #55 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,33 @@
+version: 2
+updates:
+  # Go modules
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "deps"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "ci"
+    labels:
+      - dependencies
+      - ci
+
+  # npm (VS Code extension)
+  - package-ecosystem: npm
+    directory: /vscode-mdl
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "deps"
+    labels:
+      - dependencies
diff --git a/.github/workflows/push-test.yml b/.github/workflows/push-test.yml
@@ -24,6 +24,10 @@ jobs:
         timeout-minutes: 30
       - name: Lint Go
         run: make lint-go
+      - name: Vulnerability scan
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
       - name: Check MDL example scripts
         run: |
           FAILED=0
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,41 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Instead, please use one of the following methods:
+
+1. **GitHub Security Advisories** (preferred): [Report a vulnerability](https://github.com/mendixlabs/mxcli/security/advisories/new)
+2. **Email**: Send details to the repository maintainers via the email addresses listed in their GitHub profiles
+
+### What to include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Affected versions
+- Potential impact
+- Suggested fix (if any)
+
+### What to expect
+
+- **Acknowledgment** within 3 business days
+- **Assessment** within 10 business days
+- **Fix or mitigation** for confirmed vulnerabilities, coordinated with you before public disclosure
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| Latest release | Yes |
+| Nightly builds | Best-effort |
+| Older releases | No |
+
+## Security Practices
+
+- Dependencies are monitored via Dependabot
+- Go vulnerabilities are scanned with `govulncheck` in CI
+- CycloneDX SBOM is available via `make sbom`
+- Release binaries are built with `CGO_ENABLED=0` (no C dependencies)
