Skip to content

chore(security): add free code scanning and dependency tooling#69

Open
nicolasiscoding wants to merge 1 commit into
AIEraDev:masterfrom
nicolasiscoding:chore/security-scanning
Open

chore(security): add free code scanning and dependency tooling#69
nicolasiscoding wants to merge 1 commit into
AIEraDev:masterfrom
nicolasiscoding:chore/security-scanning

Conversation

@nicolasiscoding

Copy link
Copy Markdown

Closes #68

Summary

Adds a baseline of free, public-repo security and supply-chain tooling. Every tool that emits SARIF reports into the Security › Code scanning tab.

Tool File Purpose
Dependabot .github/dependabot.yml Weekly grouped dependency-update PRs (npm, Cargo, GitHub Actions)
CodeQL .github/workflows/codeql.yml SAST for JS/TS and Rust (build-mode: none, security-extended)
Dependency Review .github/workflows/dependency-review.yml Blocks PRs adding high-severity-vulnerable / bad-license deps
OSV-Scanner .github/workflows/osv-scanner.yml Lockfile vuln scan (npm + Cargo) against the OSV database
OpenSSF Scorecard .github/workflows/scorecard.yml Supply-chain posture score (token perms, pinning, risky patterns)
TruffleHog .github/workflows/secret-scan.yml Verified leaked-credential scanning (Actions log)

Notes / decisions

  • Rust is scanned cheaply: CodeQL v4 supports Rust with build-mode: none, so no FFmpeg/webkit build is needed.
  • Skipped on purpose: Gradle/CocoaPods Dependabot (Capacitor-pinned), and Trivy/Semgrep (would duplicate OSV-Scanner + CodeQL). Easy to add later.
  • Scorecard publish_results: true to enable the public score/badge on this repo's default branch.

Validation

Validated on my fork (nicolasiscoding/Clypra#1): CodeQL (JS/TS + Rust), OSV-Scanner, and TruffleHog all pass.

Two heads-ups, both pre-existing and unrelated to this PR (this branch only adds files under .github/):

  • The existing CI is currently red on master for two reasons: the frontend tests can't resolve the external @clypra/engine package, and cargo clippy -- -D warnings trips a needless_borrow lint at src-tauri/src/commands/export.rs:352. Happy to open a separate PR for the clippy one-liner if useful.
  • Dependency Review needs the repo's Dependency Graph (enabled by default here); it only failed on my fork because forks don't have it.

This PR introduces no application dependencies, only workflow config.

Add a baseline of free, public-repo security tooling:

- Dependabot (npm, Cargo, GitHub Actions) with grouped weekly updates
- CodeQL SAST for JavaScript/TypeScript and Rust (build-mode: none)
- Dependency Review gate on pull requests
- OSV-Scanner lockfile vulnerability scanning (npm + Cargo)
- OpenSSF Scorecard supply-chain posture analysis
- TruffleHog secret scanning

CodeQL, OSV-Scanner, and Scorecard report into the Security > Code
scanning tab via SARIF.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add free code scanning & dependency security tooling (CodeQL, Dependabot, OSV-Scanner, Scorecard)

1 participant