diff --git a/.github/workflows/security-check.yml b/.github/workflows/security-check.yml new file mode 100644 index 0000000..94b128f --- /dev/null +++ b/.github/workflows/security-check.yml @@ -0,0 +1,54 @@ +# This workflow helps maintain repository security by monitoring for unwanted changes +name: Repository Security Check + +on: + pull_request: + branches: [ main ] + push: + branches: [ main ] + +jobs: + security-check: + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Verify repository contains only documentation + run: | + echo "Checking repository contents..." + + # Define allowed file extensions and names + ALLOWED_EXTENSIONS=("*.md" "*.txt" "*.yml" "*.yaml") + ALLOWED_FILES=("LICENSE" ".gitignore") + + # Check if any files have executable permission bits set + EXECUTABLES=$(find . -type f -perm -111 -not -path "./.git/*" -not -path "./.github/*" | wc -l) + + if [ "$EXECUTABLES" -gt 0 ]; then + echo "Error: Executable files found. This repository should only contain documentation." + find . -type f -perm -111 -not -path "./.git/*" -not -path "./.github/*" + exit 1 + fi + + # Build find command with allowed file types + FIND_CMD="find . -type f -not -path \"./.git/*\" -not -path \"./.github/*\"" + for ext in "${ALLOWED_EXTENSIONS[@]}"; do + FIND_CMD="$FIND_CMD -not -name \"$ext\"" + done + for file in "${ALLOWED_FILES[@]}"; do + FIND_CMD="$FIND_CMD -not -name \"$file\"" + done + + # Check for disallowed file types + DISALLOWED=$(eval "$FIND_CMD" | wc -l) + + if [ "$DISALLOWED" -gt 0 ]; then + echo "Warning: Non-documentation files detected:" + eval "$FIND_CMD" + fi + + echo "Repository security check completed successfully." diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fb3934f --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,27 @@ +# Editor and IDE files +.vscode/ +.idea/ +*.swp +*.swo +*~ +.DS_Store + +# Temporary files +*.tmp +*.temp +/tmp/ + +# Build artifacts (should not exist in this repo, but just in case) +dist/ +build/ +*.o +*.exe +*.dll +*.so +*.dylib + +# Logs +*.log + +# OS generated files +Thumbs.db diff --git a/REPOSITORY_SETTINGS.md b/REPOSITORY_SETTINGS.md new file mode 100644 index 0000000..b133b55 --- /dev/null +++ b/REPOSITORY_SETTINGS.md 
@@ -0,0 +1,63 @@ +# GitHub Repository Security Settings + +This document provides instructions for configuring high-security settings for this repository. + +## Required Manual Configuration Steps + +The following settings must be configured through the GitHub repository settings UI: + +### 1. Disable Forks + +Navigate to: **Settings → General → Features** + +- [ ] Uncheck "Allow forking" + +### 2. Disable Downloads + +Navigate to: **Settings → General → Features** + +- [ ] Uncheck "Releases" (prevents creating downloadable releases) +- [ ] Consider disabling "Packages" if enabled + +### 3. Branch Protection Rules + +Navigate to: **Settings → Branches → Branch protection rules** + +Create a rule for the `main` branch with the following settings: + +- [ ] Require pull request reviews before merging +- [ ] Dismiss stale pull request approvals when new commits are pushed +- [ ] Require status checks to pass before merging +- [ ] Require branches to be up to date before merging +- [ ] Require conversation resolution before merging +- [ ] Do not allow bypassing the above settings + +### 4. General Security Settings + +Navigate to: **Settings → Code security and analysis** + +- [ ] Enable "Private vulnerability reporting" if available +- [ ] Enable "Dependency graph" +- [ ] Enable "Dependabot alerts" if applicable + +### 5. Access Control + +Navigate to: **Settings → Collaborators and teams** + +- [ ] Review and minimize collaborator access +- [ ] Ensure only authorized users have write access + +## Verification + +After applying these settings, verify: + +1. Visitors cannot fork the repository +2. There are no downloadable releases or archives available +3. Direct pushes to the main branch are blocked +4. 
Only authorized collaborators can make changes + +## Notes + +- These settings protect the integrity of your profile README +- The repository remains publicly viewable but contributions are restricted +- Changes can only be made by authorized collaborators through pull requests diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e332635 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,24 @@ +# Security Policy + +## Repository Purpose + +This repository serves as a personal profile README hosting space. It contains no executable code and is intended solely for displaying extended profile information. + +## Security Configuration + +This repository has been configured with high security settings: + +- **Forks**: Disabled to prevent unauthorized copies +- **Downloads**: Repository downloads should be disabled as there is no distributable content +- **Branch Protection**: Main branch should be protected to prevent unauthorized modifications + +## Reporting Security Issues + +If you discover any security concerns with this repository, please contact the repository owner directly through GitHub. + +## Security Best Practices Applied + +1. No executable code to minimize attack surface +2. Read-only access for general visitors +3. Minimal repository permissions +4. No external dependencies or build processes diff --git a/SECURITY_SETUP.md b/SECURITY_SETUP.md new file mode 100644 index 0000000..cacb84f --- /dev/null +++ b/SECURITY_SETUP.md 
@@ -0,0 +1,70 @@ +# Security Configuration Guide + +This repository has been configured for high security as a documentation-only profile README host. + +## What's Been Implemented + +### 1. Security Documentation (`SECURITY.md`) +- Documents the repository's security policy +- Explains the purpose and security configuration +- Provides contact information for security concerns + +### 2. Repository Settings Guide (`REPOSITORY_SETTINGS.md`) +- Step-by-step instructions for configuring GitHub repository settings +- Includes checklist for disabling forks and downloads +- Branch protection configuration guidance +- Access control recommendations + +### 3. Automated Security Checks (`.github/workflows/security-check.yml`) +- GitHub Actions workflow that runs on every push and pull request +- Verifies repository contains only documentation files +- Prevents introduction of executable files +- Alerts if unexpected file types are added + +## Required Manual Steps + +**Important:** The following settings MUST be configured manually in the GitHub repository settings: + +1. **Disable Forks** + - Go to: Settings → General → Features + - Uncheck "Allow forking" + +2. **Disable Downloads/Releases** + - Go to: Settings → General → Features + - Uncheck "Releases" + +3. **Configure Branch Protection** + - Go to: Settings → Branches + - Add protection rules for the `main` branch + - Require pull request reviews + - Require status checks to pass + +See `REPOSITORY_SETTINGS.md` for detailed instructions. + +## Security Benefits + +- ✅ No executable code = minimal attack surface +- ✅ Automated monitoring of repository contents +- ✅ Prevention of unauthorized forks (when configured) +- ✅ Protected main branch (when configured) +- ✅ Clear security policy for visitors +- ✅ Documented security practices + +## Verification + +After applying manual settings: +1. Try to fork the repository (should be blocked) +2. Check that no download options are available +3. 
Attempt to push directly to main (should require PR) +4. Verify GitHub Actions workflow is running + +## Next Steps + +1. Review and apply the manual configuration steps in `REPOSITORY_SETTINGS.md` +2. Monitor the GitHub Actions runs to ensure the security check workflow passes +3. Update the `README.md` with any additional profile information as needed +4. Periodically review security settings to ensure they remain configured correctly + +## Support + +For questions about these security configurations, refer to the individual documentation files or contact the repository owner.
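Review bot: in `.github/workflows/security-check.yml` both `find` invocations exclude `./.github/*`, so a new or modified workflow file, the one place in this repository where code actually runs, is never inspected, and the disallowed-file branch only prints `echo "Warning: Non-documentation files detected:"` and still reaches `exit 0`, so the job cannot block an unexpected file even when it is made a required status check. Suggest dropping the `.github` exclusion (the allowlist already admits `*.yml`/`*.yaml`, so the workflow itself still passes) and replacing the warning with `exit 1`. Two smaller points: `-perm -111` matches only files with all three execute bits set, so a checkout under a restrictive umask (e.g. mode 0750) slips past; `find . -type f -perm /111 ...` matches any execute bit. And `actions/checkout@v4` is a mutable tag; for a workflow whose purpose is security, pin to the full commit SHA. Building `FIND_CMD` as a string and running it through `eval` is fragile once names contain spaces or globs; a bash array of `-not -name` arguments passed directly to `find` avoids the quoting problem.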
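Review bot: `REPOSITORY_SETTINGS.md` promises two things GitHub does not offer for a public personal repository, and a profile README repository must be public to be displayed: the "Allow forking" checkbox under Settings → General only exists for private repositories, and unchecking "Releases" does not remove the Code → "Download ZIP" archive or `git clone`, so verification items 1 and 2 will never pass. Suggest rewording sections 1 and 2 to state what is enforceable (branch protection, minimal collaborator access) and dropping the fork/download claims. In section 3, "Require status checks to pass before merging" should name the `security-check` job as the required check; otherwise the workflow in this PR is advisory only. Also, on a single-maintainer repository "Require pull request reviews before merging" blocks the owner from approving their own PR; use "Require a pull request before merging" without the "Require approvals" sub-option, or add a second reviewer.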
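Review bot: `SECURITY.md` states settings as already applied ("Forks: Disabled to prevent unauthorized copies") while `REPOSITORY_SETTINGS.md` in the same PR lists them as manual steps still to be done, and fork disabling is not available for a public repository at all; phrase these as "should be" like the other two bullets, or remove the forks line. "It contains no executable code" is also contradicted by the shell script under `run:` in the new workflow; "no application code or build process" is accurate. For the reporting section, point at the private vulnerability reporting feature that `REPOSITORY_SETTINGS.md` already recommends enabling rather than the vague "contact the repository owner directly through GitHub".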
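Review bot: `SECURITY_SETUP.md` overstates the workflow in two bullets: "Alerts if unexpected file types are added" is only a console warning in a job that still passes, and "Prevention of unauthorized forks (when configured)" plus verification step 1 ("Try to fork the repository (should be blocked)") cannot hold for a public repository. Suggest limiting the claims to what the workflow enforces (executable files fail the job) and what branch protection enforces once configured. The "Required Manual Steps" list here repeats sections 1 to 3 of `REPOSITORY_SETTINGS.md` almost verbatim and will drift; keep the single sentence "See `REPOSITORY_SETTINGS.md` for detailed instructions" and drop the duplicate.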