security: WS49/WS50 supply-chain hardening + docs refresh#2
Merged
…+ docs

Port the monorepo's supply-chain hardening (WS49/WS50) to this adapter and bring the README up to the documentation standard (setup config, step inputs, config overrides, outputs).

WS49 — vulnerability gate:
- osv-scanner.toml (documented+dated ignore convention; no ignores)
- Makefile 'vuln-scan' target (osv-scanner v2.3.8, pinned)
- CI 'osv-scan' job, REPORT-ONLY: initial scan flags stdlib 1.26.3 (GO-2026-5037/-5039, fixed in 1.26.4) -> handed to the WS51 catch-up PR, which bumps the go directive and flips this gate to blocking.

WS50 — dependency freshness:
- docs/dependency-policy.md (latest major.minor + 7-day cooldown + security bypass)
- .github/dependabot.yml (gomod + github-actions, 7-day cooldown, no major-ignore, grouped minor/patch)
- Makefile 'deps-outdated'/'deps-majors' targets (pinned go-mod-outdated, gomajor)
- non-blocking CI 'deps-report' job

Docs/hygiene:
- README restructured: Install, Setup config, Step inputs, Config overrides, Outputs
- SECURITY.md (reporting + supply-chain controls)
- all-checks aggregate gate
### Summary

Ports the Criteria monorepo's supply-chain hardening (WS49 osv-scanner gate, WS50 dependency-freshness policy) to this adapter repo, and brings the README up to the documentation standard requested by the security architecture team (setup config, step inputs, config overrides, outputs).

This is config/CI/docs only — no product code changes.

### WS49 — vulnerability gate

- `osv-scanner.toml` (documented + dated ignore convention; currently no ignores)
- `make vuln-scan` (osv-scanner v2.3.8, pinned)
- `osv-scan` job landed report-only: the initial scan flags `stdlib` 1.26.3 (GO-2026-5037 / GO-2026-5039, fixed in 1.26.4). This is handed to the follow-up WS51 catch-up PR, which bumps the `go` directive to 1.26.4 and flips this gate to blocking (drops `continue-on-error`, adds `osv-scan` to `all-checks`).

### WS50 — dependency freshness

- `docs/dependency-policy.md` — latest major.minor + 7-day cooldown + security-bypass
- `.github/dependabot.yml` — gomod + github-actions, 7-day cooldown, no major-ignore, grouped minor/patch
- `make deps-outdated` / `make deps-majors` (pinned go-mod-outdated, gomajor)
- `deps-report` job (posts drift to the job summary)

### Docs & hygiene

- `SECURITY.md` (private reporting + supply-chain controls)
- `all-checks` aggregate gate

### Notes

- `linux/{amd64,arm64}`, `darwin/{amd64,arm64}`) was already in place via `publish.yml`; verified, no change needed.

### Test plan

- `make build` / `make test` green locally
- `make vuln-scan` reproduces the single stdlib finding (report-only)
- shell-specific
- `criteria-adapter-shell`) accidentally committed to the repo; added to `.gitignore`.