From 291bf7d7650f112b1682f7e5f59b60c8fbdfe114 Mon Sep 17 00:00:00 2001 From: Jeff Culverhouse Date: Tue, 23 Dec 2025 10:02:39 -0500 Subject: [PATCH] feat: add image signing, vulnerability scanning, and security policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add Cosign image signing using Sigstore keyless signing - Add Trivy vulnerability scanning with SARIF output to GitHub Security tab - Add SECURITY.md with vulnerability reporting instructions - Add required permissions for security-events and id-token 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- .github/SECURITY.md | 41 +++++++++++++++++++++++++++++++++++ .github/workflows/deploy.yaml | 25 +++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..9e5a472 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,41 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| latest | :white_check_mark: | +| < 2.0 | :x: | + +## Reporting a Vulnerability + +If you discover a security vulnerability in this project, please report it responsibly: + +1. **Do not** open a public GitHub issue for security vulnerabilities +2. Email the maintainer directly or use [GitHub's private vulnerability reporting](https://github.com/weirdtangent/amcrest2mqtt/security/advisories/new) +3. Include as much detail as possible: + - Description of the vulnerability + - Steps to reproduce + - Potential impact + - Suggested fix (if any) + +You can expect an initial response within 48 hours. We will work with you to understand and address the issue promptly. + +## Security Measures + +This project implements several security measures: + +- **SBOM (Software Bill of Materials)**: Every Docker image includes a complete list of dependencies +- **Provenance Attestation**: Build provenance is attached to images to verify where and how they were built +- **Image Signing**: Images are signed using [Sigstore Cosign](https://www.sigstore.dev/) for authenticity verification +- **Vulnerability Scanning**: Images are scanned with [Trivy](https://trivy.dev/) for known vulnerabilities + +### Verifying Image Signatures + +You can verify the signature of our Docker images using cosign: + +```bash +cosign verify graystorm/amcrest2mqtt:latest \ + --certificate-identity-regexp="https://github.com/weirdtangent/amcrest2mqtt" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" +``` diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 9c1735b..5a4934c 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -14,6 +14,8 @@ permissions: issues: write pull-requests: write packages: write + security-events: write + id-token: write # for cosign signing jobs: lint: @@ -171,3 +173,26 @@ jobs: cache-to: type=gha,mode=max sbom: true provenance: true + + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Sign the image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + cosign sign --yes graystorm/amcrest2mqtt@${DIGEST} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: graystorm/amcrest2mqtt@${{ steps.build-and-push.outputs.digest }} + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif'