Skip to content

Commit 2abbe92

Browse files
nullvariantclaude
andauthored
docs: add FOSSA integration to SECURITY.md (#424)
Add FOSSA license/vulnerability scanning to CI/CD Security section and FOSSA_API_KEY to Secrets Management tables. 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Model-Raw: claude-opus-4-6-20250415 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 43e1645 commit 2abbe92

2 files changed

Lines changed: 4 additions & 1 deletion

File tree

SECURITY.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,7 @@ This repository contains VS Code extensions with the following security measures
6666
- **Daily Vulnerability Scans**: `npm audit` runs daily via scheduled workflow
6767
- **Fork Protection**: Sensitive workflows skip on fork repositories
6868
- **SAST (Snyk Code)**: [Snyk](https://snyk.io/) runs static analysis; test fixtures are excluded via `.snyk` policy
69+
- **License & Vulnerability Scanning**: [FOSSA](https://app.fossa.com/) runs license compliance, dependency quality, and security analysis on every commit (GitHub App integration)
6970
- **Runtime Security Monitoring**: [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner) monitors all workflow runs for suspicious network egress, file access, and process execution
7071

7172
## Security Testing
@@ -94,6 +95,7 @@ This section documents all secrets used in CI/CD workflows.
9495
| VSCE_PAT | VS Code Marketplace publishing | publish.yml, unpublish.yml | Annual | High |
9596
| OVSX_PAT | Open VSX publishing | publish.yml, unpublish.yml | Annual | High |
9697
| SONAR_TOKEN | SonarCloud code analysis | sonarcloud.yml | As needed | Medium |
98+
| FOSSA_API_KEY | FOSSA license/vulnerability scanning | (API access only) | As needed | Medium |
9799
| CLOUDFLARE_API_TOKEN | Cloudflare Pages/R2 deployment | deploy-docs.yml, publish.yml | Annual | High |
98100
| CLOUDFLARE_ACCOUNT_ID | Cloudflare account identifier (public) | deploy-docs.yml, publish.yml | Never | Low (public ID) |
99101
| SLACK_WEBHOOK | Bot monitoring alerts | bot-monitoring.yml | As needed | Medium |
@@ -141,6 +143,7 @@ Marketplace publishing secrets (VSCE_PAT, OVSX_PAT) are protected by the `produc
141143
| OVSX_PAT | Open VSX | [Open VSX Tokens](https://open-vsx.org/user-settings/tokens) | No expiration |
142144
| CLOUDFLARE_API_TOKEN | Cloudflare | [Cloudflare API Tokens](https://dash.cloudflare.com/profile/api-tokens) | No expiration |
143145
| SONAR_TOKEN | SonarCloud | [SonarCloud Security](https://sonarcloud.io/account/security) | No expiration |
146+
| FOSSA_API_KEY | FOSSA | [FOSSA Settings](https://app.fossa.com/account/settings/integrations) | No expiration |
144147
| GitHub App Keys | GitHub | [GitHub Apps](https://github.com/settings/apps) | No expiration |
145148
| SLACK_WEBHOOK | Slack | [Slack Apps](https://api.slack.com/apps) | No expiration |
146149

extensions/git-id-switcher/src/ui/documentationInternal.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ export const DOCUMENT_HASHES: Record<string, string> = {
6262
'GOVERNANCE.md': '806cf32ec9fe9fd964a782927f8eaa7696d408c42d31f554eebd6755bd911c71',
6363
'LICENSE': 'e2383295422577622666fa2ff00e5f03abd8f2772d74cca5d5443020ab23d03d',
6464
'README.md': '2597f0c6fca10b28cacc27696d4753f4d32a5abbb6339615da6144ce269d47bc',
65-
'SECURITY.md': 'f0a9554c55bbf84187bb0d10afaf2591ebf0ffef70e73d212e9ba0d9a4b2bb6e',
65+
'SECURITY.md': 'bbae0e2a679851ea0ede598102c7d809aea11b7bab99ddf6a20f4dde31070c23',
6666
};
6767

6868
/** Supported locales for documentation */

0 commit comments

Comments
 (0)