Skip to content

Commit 2506e67

Browse files
fedorovclaude
andcommitted
docs(security): record the repo-level security settings
Enabled on the repository (Settings -> Code security), alongside the secret-scanning work in this PR: - Dependabot alerts + automated security updates. pip-audit only fails a PR whose deps already carry a CVE; a CVE disclosed after merge went unnoticed until someone looked. Security updates are the repo setting, not dependabot.yml -- that file schedules weekly *version* updates. These are server-side settings, invisible in any diff, so they can be switched off without review. SECURITY.md is now the record that they are meant to be on, with the gh command to verify. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent f14be98 commit 2506e67

1 file changed

Lines changed: 16 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,12 @@ exhaustion) rather than data disclosure. Full rationale and the guarded-SQL thre
3838
(Cloud Run's own request log already has caller IP, correlatable by timestamp).
3939
- **CI checks** on every PR: `ruff` (lint + format), `bandit` (static security lint), `pip-audit`
4040
(dependency CVEs), `gitleaks` (committed credentials), and the `tests` suite.
41+
- **Dependency vulnerabilities, caught twice.** `pip-audit` fails CI on a PR whose dependencies
42+
carry a known CVE, and **Dependabot alerts + automated security updates** are enabled on the
43+
repository, so a CVE disclosed *after* a PR merges still opens a fix PR against `main` rather
44+
than waiting for someone to notice. [dependabot.yml](.github/dependabot.yml) separately schedules
45+
weekly grouped *version* updates for the `uv` and `github-actions` ecosystems; security updates
46+
are the repo setting, not that file, and are ungrouped so a fix ships on its own.
4147
- **Credential hygiene, in three layers.** The service itself holds no secrets, but the *deploy*
4248
path does: each tier's deployer service-account JSON key. Those live in GitHub **Environment
4349
secrets**, never in the repo — and three independent guards keep them out of it:
@@ -53,6 +59,16 @@ exhaustion) rather than data disclosure. Full rationale and the guarded-SQL thre
5359

5460
If a credential is ever committed: **rotate it first.** Deleting the commit does not un-leak it;
5561
the blob stays reachable and this repo is public. Purge from history afterwards, not instead.
62+
63+
> **These are repository settings, not files.** Secret scanning, push protection, Dependabot alerts,
64+
> and Dependabot security updates are all enabled under *Settings → Code security*. They are not
65+
> visible in any diff, so they can be switched off without a code review — this section is the only
66+
> record that they are meant to be on. Verify with:
67+
>
68+
> ```bash
69+
> gh api repos/ImagingDataCommons/IDC-REST-MCP \
70+
> --jq '.security_and_analysis | {secret_scanning, secret_scanning_push_protection, dependabot_security_updates}'
71+
> ```
5672
- **Non-root container**`Dockerfile` drops to an unprivileged user before serving.
5773
5874
## Known residual risks (public deployment)

0 commit comments

Comments
 (0)