Merge pull request #8 from servrox/supply-chain-sentinel/security-baseline

servrox · web-flow · commit b5ad4da0b312 · 2026-05-15T23:08:20.000+02:00
Add supply-chain security baseline
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,56 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:10"
+      timezone: "Etc/UTC"
+    cooldown:
+      default-days: 7
+    labels:
+      - dependencies
+      - github-actions
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+      github-actions-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "05:10"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 0
+    labels:
+      - dependencies
+      - npm
+    groups:
+      npm-security-updates:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
+      time: "05:10"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 0
+    labels:
+      - dependencies
+      - python
+    groups:
+      pip-security-updates:
+        applies-to: security-updates
+        patterns:
+          - "*"
diff --git a/.github/workflows/security-baseline.yml b/.github/workflows/security-baseline.yml
@@ -0,0 +1,130 @@
+name: Security Baseline
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "37 3 * * 1"
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+
+concurrency:
+  group: security-baseline-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  osv:
+    name: OSV vulnerability scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run OSV-Scanner
+        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+        with:
+          scan-args: |-
+            --recursive
+            ./
+
+  secrets:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run TruffleHog
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3
+        with:
+          extra_args: --results=verified,unknown
+          path: ./
+          version: 3.95.3
+
+  workflow-lint:
+    name: GitHub Actions lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          cache: false
+          go-version: stable
+
+      - name: Run actionlint
+        run: |
+          if [ -d .github/workflows ]; then
+            go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 \
+              -ignore 'unknown permission scope "vulnerability-alerts"'
+          fi
+
+  workflow-security:
+    name: GitHub Actions security lint
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: false
+
+      - name: Run zizmor
+        run: |
+          for attempt in 1 2 3; do
+            set +e
+            uvx --from zizmor==1.24.1 zizmor \
+              --persona=auditor \
+              --format=github \
+              --min-severity=high \
+              --min-confidence=medium \
+              --color=always \
+              -- ./
+            status="$?"
+            set -e
+
+            if [ "$status" -eq 0 ]; then
+              exit 0
+            fi
+
+            if [ "$status" -eq 3 ]; then
+              echo "::warning::No inputs were collected by zizmor"
+              exit 0
+            fi
+
+            if [ "$status" -ge 11 ]; then
+              exit "$status"
+            fi
+
+            if [ "$attempt" -lt 3 ]; then
+              sleep "$((attempt * 15))"
+              continue
+            fi
+
+            exit "$status"
+          done
+        env:
+          GH_TOKEN: ${{ github.token }}
