
chore: add GitHub security governance #2

Merged

27Bslash6 merged 5 commits into main from chore/github-security-governance on Dec 11, 2025

Conversation

@27Bslash6
Contributor

Summary

Adds security governance infrastructure for the OSS repository:

  • CODEOWNERS: Auto-assign reviewers, security team required for Rust/serializers/workflows
  • Dependabot: Weekly auto-updates for Python, Rust, and GitHub Actions
  • CodeQL: SAST scanning with security-extended queries, SARIF uploads
  • PR Template: Security checklist, dependency review, backward compat sections
  • detect-secrets: Pre-commit hook to prevent credential leaks
  • Release-please: Optional GitHub App token for branch protection bypass

Security Features Enabled (via API)

| Feature                     | Status  |
|-----------------------------|---------|
| Secret scanning             | Enabled |
| Push protection             | Enabled |
| Dependabot alerts           | Enabled |
| Dependabot security updates | Enabled |

Test Plan

  • All YAML files validated
  • Pre-commit hooks pass
  • detect-secrets baseline includes test fixtures (no false positives)

Prevents credential leaks before commit:
- Yelp detect-secrets with baseline file
- Excludes lock files and test fixtures
- 28 secret pattern detectors enabled

Weekly updates for:
- GitHub Actions (grouped minor/patch)
- Python pip dependencies (grouped by type)
- Rust Cargo dependencies (security team review)

Static analysis for security vulnerabilities:
- Python analysis with security-extended queries
- Runs on push, PR, and weekly schedule
- SARIF results uploaded to Security tab + artifacts

Added sections:
- Security checklist (secrets, input validation, OWASP)
- Dependency review requirements
- Backward compatibility checklist
- Performance change documentation

Enables optional GitHub App auth for branch protection bypass:
- Falls back to GITHUB_TOKEN if APP_ID/APP_PRIVATE_KEY not set
- Controlled via USE_APP_TOKEN repository variable
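As an added example, not code from this PR or from the repository, the following Python resolver shows how a CODEOWNERS file decides who must review a change, which is the property the first bullet of the summary relies on: patterns use gitignore-style globbing, a leading slash anchors a pattern to the repository root, and for any given file the last matching line wins, so the catch-all `*` default must sit above the security-team lines or it silently overrides them. The CODEOWNERS text, the team handles (`@example-org/maintainers`, `@example-org/security`) and the changed paths are constructed for the demonstration and are not the project's real ones; the matcher covers the common pattern forms (`*.ext`, `dir/`, `/dir/`, `**`) and does not handle escaped spaces in paths.

```python
"""Resolve which CODEOWNERS entries apply to a set of changed paths.

Added example, not the repository's own code. Implements the rules that matter
most in practice: gitignore-style globs, root-anchoring via a leading slash,
and last-match-wins per file.
"""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, "re.Pattern[str]", List[str]]


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one CODEOWNERS pattern into an anchored regular expression.

    A trailing slash (directory pattern) is dropped because a match on a
    directory already covers everything beneath it. Patterns containing a
    slash (other than a trailing one) are anchored to the repository root;
    all others match at any depth, as in .gitignore.
    """
    pat = pattern.rstrip("/")
    anchored = pat.startswith("/") or "/" in pat
    pat = pat.lstrip("/")

    out: List[str] = []
    i = 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out.append("(?:.*/)?")      # zero or more whole directories
            i += 3
        elif pat.startswith("**", i):
            out.append(".*")
            i += 2
        elif pat[i] == "*":
            out.append("[^/]*")         # a single path segment only
            i += 1
        elif pat[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pat[i]))
            i += 1
    prefix = "^" if anchored else "(?:^|.*/)"
    return re.compile(prefix + "".join(out) + "(?:/.*)?$")


def parse_codeowners(text: str) -> List[Rule]:
    """Parse CODEOWNERS into ordered (pattern, regex, owners) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        pattern, owners = parts[0], parts[1:]   # no owners = explicitly unowned
        rules.append((pattern, _glob_to_regex(pattern), owners))
    return rules


def owners_for(path: str, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Return (matching pattern, owners) for one path. The LAST match wins."""
    winner: Tuple[str, List[str]] = ("", [])
    for pattern, regex, owners in rules:
        if regex.match(path):
            winner = (pattern, owners)
    return winner


def required_reviewers(changed: List[str], rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each changed path to the owners that must approve it."""
    return {path: owners_for(path, rules)[1] for path in changed}


def review_teams(changed: List[str], rules: List[Rule]) -> Set[str]:
    """The union of owners across all changed paths."""
    return {o for owners in required_reviewers(changed, rules).values() for o in owners}


# Constructed CODEOWNERS for the demo; the team handles are placeholders.
SAMPLE_CODEOWNERS = """\
# Default owner for anything not matched further down
*                     @example-org/maintainers

# Security team must review Rust code, serializers and CI workflows
*.rs                  @example-org/security
/serializers/         @example-org/security
/.github/workflows/   @example-org/security
"""

# Constructed list of changed files for the demo.
SAMPLE_CHANGES = [
    "src/lib.rs",
    "serializers/json.py",
    ".github/workflows/codeql.yml",
    "README.md",
    "vendor/serializers/x.py",   # /serializers/ is root-anchored, so this is not matched
]

if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    for path, owners in required_reviewers(SAMPLE_CHANGES, rules).items():
        print(f"{path:32} -> {', '.join(owners) or '(unowned)'}")
```

The ordering check is the one worth running before merging a CODEOWNERS change: parse the file with the `*` line moved to the bottom and every path, including `src/lib.rs`, falls back to the maintainers team, because the catch-all is now the last match for everything.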
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

27Bslash6 merged commit 9de54a5 into main on Dec 11, 2025
14 of 18 checks passed