A template repository for bootstrapping secure GitHub projects. Copy these files into a new repo to get baseline security tooling from day one.
| File | Purpose |
|---|---|
| `.github/workflows/security.yml` | CI pipeline: secret scanning (Gitleaks) + vulnerability/IaC scanning (Trivy) on every push and PR |
| `.github/dependabot.yml` | Weekly automated dependency updates for GitHub Actions, Terraform, and Docker |
| `.gitleaks.toml` | Gitleaks configuration; add allowlist entries for test fixtures here |
| `.trivyignore` | Document accepted CVEs here with justification |
| `SECURITY.md` | Vulnerability disclosure policy |
| `.gitignore` | Excludes secrets, Terraform state, and editor noise |
- Click **Use this template** to create a new repository.
- Update `SECURITY.md` with your contact details and response SLA.
- Enable GitHub Actions in your new repo — the security workflow runs automatically.
- Review `.trivyignore` and `.gitleaks.toml` and remove any entries that don't apply.
All actions in `security.yml` are pinned to commit SHAs rather than mutable tags, so a retagged or compromised upstream action cannot silently change what runs in your CI. Dependabot will open PRs when new versions are available — review and merge those to stay current.
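As an added illustration of the pinning rule above (this is not the template's own `security.yml`), a minimal workflow that runs Gitleaks and Trivy on every push and PR with each action pinned to a commit SHA. The 40-zero SHAs are placeholders only; replace each with the full commit SHA of the release you have reviewed, and keep the version in the trailing comment so Dependabot can track it:

```yaml
# Added example, not the template's own security.yml.
# Every "uses:" below is pinned to a PLACEHOLDER SHA (all zeros); substitute the
# real 40-character commit SHA for the release you audited.
name: security

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: both scanners only need to read the checked-out tree.
permissions:
  contents: read

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          fetch-depth: 0   # full history, so a secret committed then deleted is still caught
      - uses: gitleaks/gitleaks-action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Reads .gitleaks.toml from the repo root, so allowlisted fixtures do not fail the job.

  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - name: Vulnerability and IaC scan
        uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig      # package CVEs plus Terraform/Docker misconfigurations
          severity: HIGH,CRITICAL
          ignore-unfixed: true          # findings with no available fix go in .trivyignore instead
          exit-code: "1"                # fail the PR on anything not listed in .trivyignore
```

A quick way to confirm nothing slipped back to a tag is to grep the workflow for `uses:` lines whose ref is not a 40-hex-character SHA; the `exit-code: "1"` setting is what turns Trivy's findings into a failing check rather than a log line that is easy to miss.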