publicWagsHome
/
amcrest2mqtt
mirror of https://github.com/dchesterton/amcrest2mqtt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: add image signing, vulnerability scanning, and security policy

Browse Source 
- Add Cosign image signing using Sigstore keyless signing
- Add Trivy vulnerability scanning with SARIF output to GitHub Security tab
- Add SECURITY.md with vulnerability reporting instructions
- Add required permissions for security-events and id-token

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
pull/106/head
Jeff Culverhouse 1 month ago
parent 0a25ef9016
commit 291bf7d765
2 changed files with 66 additions and 0 deletions
Show Stats Download Patch File Download Diff File

41
.github/SECURITY.md vendored
Unescape Escape View File

@ -0,0 +1,41 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| latest | :white_check_mark: |
| < 2.0 | :x: |
## Reporting a Vulnerability
If you discover a security vulnerability in this project, please report it responsibly:
1. **Do not** open a public GitHub issue for security vulnerabilities
2. Email the maintainer directly or use [GitHub's private vulnerability reporting](https://github.com/weirdtangent/amcrest2mqtt/security/advisories/new)
3. Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect an initial response within 48 hours. We will work with you to understand and address the issue promptly.
## Security Measures
This project implements several security measures:
- **SBOM (Software Bill of Materials)**: Every Docker image includes a complete list of dependencies
- **Provenance Attestation**: Build provenance is attached to images to verify where and how they were built
- **Image Signing**: Images are signed using [Sigstore Cosign](https://www.sigstore.dev/) for authenticity verification
- **Vulnerability Scanning**: Images are scanned with [Trivy](https://trivy.dev/) for known vulnerabilities
### Verifying Image Signatures
You can verify the signature of our Docker images using cosign:
```bash
cosign verify graystorm/amcrest2mqtt:latest \
--certificate-identity-regexp="https://github.com/weirdtangent/amcrest2mqtt" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
```

25
.github/workflows/deploy.yaml vendored
Unescape Escape View File

@ -14,6 +14,8 @@ permissions:
issues: write issues: write
pull-requests: write pull-requests: write
packages: write packages: write
security-events: write
id-token: write # for cosign signing
jobs: jobs:
lint: lint:
@ -171,3 +173,26 @@ jobs:
cache-to: type=gha,mode=max cache-to: type=gha,mode=max
sbom: true sbom: true
provenance: true provenance: true
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Sign the image
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
run: |
cosign sign --yes graystorm/amcrest2mqtt@${DIGEST}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: graystorm/amcrest2mqtt@${{ steps.build-and-push.outputs.digest }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'

Write Preview
Loading…
Cancel
Save