feat: add image signing, vulnerability scanning, and security policy

- Add Cosign image signing using Sigstore keyless signing - Add Trivy vulnerability scanning with SARIF output to GitHub Security tab - Add SECURITY.md with vulnerability reporting instructions - Add required permissions for security-events and id-token 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 month ago · 291bf7d765
parent 0a25ef9016
commit 291bf7d765
2 changed files with 66 additions and 0 deletions
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@ -0,0 +1,41 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+| < 2.0   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly:
+
+1. **Do not** open a public GitHub issue for security vulnerabilities
+2. Email the maintainer directly or use [GitHub's private vulnerability reporting](https://github.com/weirdtangent/amcrest2mqtt/security/advisories/new)
+3. Include as much detail as possible:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+You can expect an initial response within 48 hours. We will work with you to understand and address the issue promptly.
+
+## Security Measures
+
+This project implements several security measures:
+
+- **SBOM (Software Bill of Materials)**: Every Docker image includes a complete list of dependencies
+- **Provenance Attestation**: Build provenance is attached to images to verify where and how they were built
+- **Image Signing**: Images are signed using [Sigstore Cosign](https://www.sigstore.dev/) for authenticity verification
+- **Vulnerability Scanning**: Images are scanned with [Trivy](https://trivy.dev/) for known vulnerabilities
+
+### Verifying Image Signatures
+
+You can verify the signature of our Docker images using cosign:
+
+```bash
+cosign verify graystorm/amcrest2mqtt:latest \
+  --certificate-identity-regexp="https://github.com/weirdtangent/amcrest2mqtt" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+```
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@ -14,6 +14,8 @@ permissions:
  issues: write
  pull-requests: write
  packages: write
+  security-events: write
+  id-token: write  # for cosign signing

 jobs:
  lint:
@ -171,3 +173,26 @@ jobs:
          cache-to: type=gha,mode=max
          sbom: true
          provenance: true
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign the image
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes graystorm/amcrest2mqtt@${DIGEST}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: graystorm/amcrest2mqtt@${{ steps.build-and-push.outputs.digest }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'