Security¶

This document outlines security practices in the template.

Checks¶

Key security checks include:

• Commit validation: Enforced signature and DCO sign-off (siderolabs/conform ⧉)

• Branch protection: No direct commits to main (pre-commit/pre-commit-hooks ⧉)

• Vulnerability scanning: google/osv-scanner ⧉

• Secret scanning: trufflesecurity/trufflehog ⧉

• Language-specific security checks:

  • zizmor ⧉ for GitHub Actions security
  • semgrep/semgrep ⧉ for Python/general

• Pinned dependencies: OSSF Scorecard ⧉

GitHub Actions¶

Security measures:

• Automated dependency updates: renovatebot/renovate ⧉
• Minimal permissions for GitHub Actions
• Software Bill of Materials (SBOMs): Generated, stored, and attested in releases
• Reusable workflows for key tasks (e.g., release, test) to minimize misconfiguration risks (more info ⧉)
• Egress monitoring: stepsecurity/harden-runner ⧉
• Static analysis: actionlint ⧉

Security documents¶

Following Open Source Security Foundation best practices ⧉:

• Security policy: SECURITY.md ⧉
• Machine-readable security insights: SECURITY-INSIGHTS.yml ⧉
• Third-party dependency policy: SECURITY-DEPENDENCY.md
• Self-assessment report: SECURITY-SELF-ASSESSMENT.md per CNCF guidelines ⧉
• Changelog: CHANGELOG.md linking to GitHub releases (FAQ)

Adjustments¶

Most security configurations (e.g., check-security, check-workflow) are in pyproject.toml. Additional security workflows are in .github/workflows (prefix: security-).

OSV Scanner¶

To ignore specific vulnerabilities, modify osv-scanner.toml (docs ⧉).

Conform¶

siderolabs/conform ⧉ enforces DCO sign-off and GPG signatures. Modify .conform.yml to adjust checks.

Additional resources¶

• Threat Modeling Manifesto ⧉
• CNCF Tag Security ⧉
• AppSec Tools ⧉