Skip to content

fix(security): harden supply chain and resolve dependency alerts#20

Merged
sonupreetam merged 3 commits into
complytime:mainfrom
sonupreetam:fix/security-hardening
Jun 3, 2026
Merged

fix(security): harden supply chain and resolve dependency alerts#20
sonupreetam merged 3 commits into
complytime:mainfrom
sonupreetam:fix/security-hardening

Conversation

@sonupreetam

@sonupreetam sonupreetam commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Pin all reusable workflow references to full SHA digests (complytime/org-infra@32b8e9b)
  • Pin .devcontainer/Dockerfile base image to digest
  • Add SECURITY.md with vulnerability disclosure process
  • Add .github/dependabot.yml for automated dependency monitoring (npm, Go modules, GitHub Actions, Docker)
  • Update package-lock.json resolving 6 of 7 open Dependabot alerts:
  • Fix Kroki diagram rendering by adding Content-Type: application/json header to resources.GetRemote POST requests

Alerts Addressed

OpenSSF Scorecard (Code Scanning)

Alert Rule Status
#2, #3, #4, #5, #6, #7 Pinned-Dependencies (workflows) Fixed
#27 Pinned-Dependencies (Dockerfile) Fixed
#9 Security-Policy Fixed
#1 Dependency-Update-Tool Fixed

Dependabot

Alert Package Status
#15-17 vite Fixed (7.3.5)
#22 postcss Fixed (8.5.15)
#20 @babel/plugin-transform-modules-systemjs Fixed (7.29.7)
#18-19 lodash Fixed (removed)
#21 brace-expansion Remaining — upstream in @babel/cli→glob@7 chain, no patch available

Bug fix

Issue Fix
Kroki Mermaid diagrams failing with "Bad Request" Added Content-Type: application/json header to the render hook's POST request

Not addressable in this PR

Alert Rule Reason
#13 Branch-Protection Requires org admin to configure
#15 Code-Review Process/governance — not a code fix
#12 Vulnerabilities Auto-resolves when Dependabot alerts close
#11 Fuzzing Not applicable for a static documentation site
#16 CII-Best-Practices Requires external OpenSSF registration

Test plan

  • CI workflows still trigger and complete successfully
  • Hugo site builds without errors (hugo --minify --gc)
  • Kroki Mermaid diagrams render correctly (no WARN in build output)
  • Dependabot alerts auto-close after merge
  • Scorecard re-run shows improved score

sonupreetam and others added 2 commits June 2, 2026 19:53
@sonupreetam @cursoragent
fix(security): harden supply chain and resolve dependency alerts
dbcef5e 
- Pin all reusable workflow refs to SHA digests (org-infra@32b8e9b)
- Pin Dockerfile base image to digest
- Add SECURITY.md with vulnerability reporting guidelines
- Add .github/dependabot.yml for automated dependency updates
- Update package-lock.json resolving 6 of 7 Dependabot alerts
  (vite, postcss, @babel/plugin-transform-modules-systemjs, lodash)

Resolves: OpenSSF Scorecard alerts #1, #2, #3, complytime#4, complytime#5, complytime#6, complytime#7, complytime#9, complytime#27
Resolves: Dependabot alerts complytime#15-20, complytime#22
Signed-off-by: sonupreetam <spreetam@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@sonupreetam @cursoragent
fix(render): add Content-Type header to Kroki API requests
7802b44 
Hugo's resources.GetRemote does not automatically set Content-Type
when POSTing a JSON body. Without the header, kroki.io returns 400
Bad Request causing diagram render failures.

Signed-off-by: sonupreetam <spreetam@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@sonupreetam sonupreetam requested review from gvauter and hbraswelrh June 2, 2026 19:37
marcusburghardt
marcusburghardt reviewed Jun 3, 2026
View reviewed changes
Comment thread .github/workflows/ci_checks.yml Outdated
call_reusable_ci:
name: Standardized CI
uses: complytime/org-infra/.github/workflows/reusable_ci.yml@main
uses: complytime/org-infra/.github/workflows/reusable_ci.yml@32b8e9b381a33fc4c3f8768856b11d94655f20c4 # main

@marcusburghardt marcusburghardt Jun 3, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This hash does not match the latest release: https://github.com/complytime/org-infra/releases

Also it would be good to align the comment from "# main" to the respective semantic version. Applicable to other files as well.

@sonupreetam sonupreetam Jun 3, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes thank you! Updated it.

marcusburghardt
marcusburghardt reviewed Jun 3, 2026
View reviewed changes
Comment thread .github/dependabot.yml
@sonupreetam @cursoragent
fix(ci): pin org-infra workflows to v0.2.1 release SHA
5f38b87 
Update all reusable workflow references from an incorrect commit SHA
(32b8e9b) to the actual v0.2.1 release SHA (cfd981e), and change the
trailing comment from "# main" to "# v0.2.1" for clarity.

Addresses review feedback from @marcusburghardt on PR complytime#20.

Signed-off-by: sonupreetam <spreetam@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
This was referenced Jun 3, 2026
Closed
Merged
marcusburghardt
marcusburghardt approved these changes Jun 3, 2026
View reviewed changes

@marcusburghardt marcusburghardt left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sonupreetam sonupreetam merged commit 4043d38 into complytime:main Jun 3, 2026
12 checks passed
@sonupreetam sonupreetam deleted the fix/security-hardening branch June 3, 2026 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sonupreetam @marcusburghardt