ci-security-gates.md

CI Security Gates

This project uses GitHub Actions security gates to block risky changes before public release.

Workflows

1. PR Security

File: .github/workflows/pr-security.yml

Triggers:

• Pull requests to main
• Pushes to main

Jobs:

• build-and-test
  • npm ci
  • npm run build
  • cargo check --manifest-path src-tauri/Cargo.toml
  • cargo test --manifest-path src-tauri/Cargo.toml
• dependency-scan
  • npm audit --omit=dev --audit-level=high
  • (cd src-tauri && cargo audit --json)
  • Blocks only on RustSec vulnerabilities.
  • Non-vulnerability advisories are informational.
  • Uploads:
    • cargo-audit.json
    • npm-audit-summary.txt

2. Release Security

File: .github/workflows/release-security.yml

Triggers:

• Manual dispatch (workflow_dispatch)
• Tag push matching v*

Jobs:

• release-security-gates
  • Same build/test checks as PR workflow.
  • npm audit --audit-level=high (includes dev dependencies).
  • Rust advisory policy is the same as PR workflow.
  • Uploads release audit reports.
• sbom
  • Generates:
    • sbom-npm.json
    • sbom-cargo.json
  • Uploads SBOM artifacts.
• signing-readiness
  • Fails if required Apple signing/notarization secrets are missing.
• attach-release-assets
  • On tags only.
  • If a GitHub Release already exists for the tag, uploads audit and SBOM artifacts to that release.
  • If release is missing, logs and keeps artifacts as workflow outputs.

Required secrets for signing readiness:

• APPLE_SIGNING_CERT_BASE64
• APPLE_SIGNING_CERT_PASSWORD
• APPLE_SIGNING_IDENTITY
• APPLE_TEAM_ID
• APPLE_ID
• APPLE_APP_SPECIFIC_PASSWORD

3. CodeQL

File: .github/workflows/codeql.yml

Triggers:

• Pull requests to main
• Pushes to main
• Weekly schedule (Monday 09:00 UTC)

Matrix languages:

• javascript-typescript
• rust

Behavior:

• Builds each language before analysis.
• Reports findings to GitHub code scanning.
• Analysis errors fail the workflow.

4. Dependabot

File: .github/dependabot.yml

Cadence:

• Weekly on Monday at 09:00 UTC.

Ecosystems:

• npm (/)
• cargo (/src-tauri)

Both are grouped by ecosystem and labeled with:

• dependencies
• security

Failure Policy

• Critical/high risk is blocking by default.
• PR workflow:
  • Blocks on production dependency vulnerabilities.
  • Blocks on RustSec vulnerabilities.
• Release workflow:
  • Blocks on dependency vulnerabilities including dev dependencies.
  • Blocks on RustSec vulnerabilities.
  • Blocks when signing readiness secrets are missing.

Triage SLA

• Critical/high findings:
  • Immediate block and remediation before merge/release.
• Medium/low findings:
  • Track in issue/ticket.
  • Only block if explicitly escalated by security owner.

Unblock Process

1. Reproduce locally using parity commands.
2. Patch and commit fix.
3. Re-run CI checks.
4. If non-blocking advisory remains, document acceptance with owner sign-off.
5. Merge only after required checks are green.

Local Command Parity

Run from repo root:

npm ci
npm run build
npm audit --omit=dev --audit-level=high

Run release-level npm audit (includes dev dependencies):

npm audit --audit-level=high

Run Rust checks:

cargo check --manifest-path src-tauri/Cargo.toml
cargo test --manifest-path src-tauri/Cargo.toml
cargo install cargo-audit --locked
(cd src-tauri && cargo audit)

Generate SBOMs locally:

npx --yes @cyclonedx/cyclonedx-npm --output-file sbom-npm.json --output-format json
cargo install cargo-cyclonedx --locked
cargo cyclonedx --manifest-path src-tauri/Cargo.toml --format json --override-filename sbom-cargo

Branch Protection Setup (main)

Configure branch protection in repository settings:

• Require pull request before merging.
• Require branch to be up to date before merging.
• Disable direct pushes.
• Require these status checks:
  • PR Security / build-and-test
  • PR Security / dependency-scan
  • CodeQL / Analyze (javascript-typescript)
  • CodeQL / Analyze (rust)

This step is configured in GitHub repository settings and is not stored in git.