ci(security): add Dependabot and CodeQL security scanning

doublegate · claude · doublegate · commit adda17c8f2d0 · 2025-11-29T02:56:28.000-05:00
## Summary Configures comprehensive automated security scanning infrastructure for the WRAITH Protocol repository, integrating GitHub's Dependabot for dependency vulnerability monitoring and CodeQL for static security analysis. ## Dependabot Configuration (.github/dependabot.yml) **Ecosystems Monitored:** - cargo (Rust dependencies): 10 PR limit, weekly schedule - github-actions (workflow dependencies): 5 PR limit, weekly schedule **Update Schedule:** - Frequency: Weekly (Mondays 09:00 UTC) - Rationale: Balances security responsiveness with operational stability **Intelligent Dependency Grouping:** - crypto: chacha20poly1305, x25519-dalek, blake3, snow (Security-critical cryptographic dependencies) - async-runtime: tokio, io-uring, futures (Performance-critical async infrastructure) - dev-dependencies: Development and testing packages **Commit Conventions:** - Cargo updates: "deps:" prefix - GitHub Actions: "ci:" prefix ## CodeQL Security Workflow (.github/workflows/codeql.yml) **Job 1: CodeQL Analysis** - Engine: GitHub CodeQL with Rust support (experimental) - Query Suite: security-extended (comprehensive coverage) - Build Mode: Full workspace release build - Results: Uploaded to GitHub Security tab - Timeout: 30 minutes **Job 2: Rust Security Audit** - cargo-audit: Scans against RustSec advisory database - cargo-outdated: Identifies outdated dependencies - Policy: --deny warnings (strict, zero-tolerance) - Artifacts: 30-day retention for compliance auditing **Workflow Triggers:** - Push: main, develop branches - Pull Requests: Targeting main branch - Schedule: Weekly (Monday 09:00 UTC, cron: '0 9 * * 1') - Manual: workflow_dispatch enabled ## Security Architecture Rationale **Defense in Depth Strategy:** - CodeQL: Language-agnostic static analysis patterns - cargo-audit: Rust-specific vulnerability database (RustSec) - Dependabot: Proactive dependency update management **Strict Failure Policy:** - cargo audit --deny warnings ensures zero known vulnerabilities - Appropriate for cryptographic protocol implementation - Forces immediate attention to security issues **Why security-extended Query Suite:** - More comprehensive than CodeQL's default queries - Appropriate for cryptographic protocol implementation - Detects broader range of vulnerability patterns ## Post-Deployment Requirements Manual steps after push: 1. Repository Settings → Security & analysis 2. Enable "Dependabot alerts" 3. Enable "Dependabot security updates" 4. Verify first workflow run in Actions tab 5. Review Security tab for initial findings ## Files Added/Modified - .github/dependabot.yml (69 lines) - Dependabot configuration - .github/workflows/codeql.yml (126 lines) - CodeQL + cargo-audit workflow - CHANGELOG.md (+57 lines) - Security configuration documentation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,69 @@
+# Dependabot configuration for WRAITH Protocol
+# Automatically checks for dependency updates and security vulnerabilities
+# Documentation: https://docs.github.com/en/code-security/dependabot
+
+version: 2
+
+updates:
+  # Cargo (Rust) dependency updates
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "doublegate"
+    labels:
+      - "dependencies"
+      - "rust"
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps(dev)"
+      include: "scope"
+    # Group updates by dependency type
+    groups:
+      # Security-critical cryptographic dependencies
+      crypto:
+        patterns:
+          - "chacha20poly1305"
+          - "x25519-dalek"
+          - "blake3"
+          - "snow"
+          - "crypto*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Async runtime dependencies
+      async-runtime:
+        patterns:
+          - "tokio"
+          - "io-uring"
+          - "futures*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Development dependencies
+      dev-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "doublegate"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,126 @@
+# CodeQL Security Scanning Workflow for WRAITH Protocol
+# Analyzes code for security vulnerabilities and code quality issues
+# Documentation: https://docs.github.com/en/code-security/code-scanning
+
+name: "CodeQL Security Scan"
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Run weekly on Monday at 09:00 UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      # Required for CodeQL to upload results to GitHub Security tab
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL has experimental Rust support; we'll use it for basic analysis
+        # Note: Rust support in CodeQL is limited compared to other languages
+        language: ['rust']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-codeql-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-codeql-
+            ${{ runner.os }}-cargo-
+
+      # Initialize CodeQL tools for scanning
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use security-extended query suite for comprehensive security analysis
+          queries: security-extended
+          # Optional: Add custom queries
+          # config-file: ./.github/codeql/codeql-config.yml
+
+      # Build the project (required for compiled languages like Rust)
+      # CodeQL needs the build to understand the code structure
+      - name: Build project
+        run: |
+          cargo build --workspace --all-features --release
+
+      # Perform CodeQL Analysis
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+          # Fail the workflow if high or critical severity issues are found
+          # Commented out by default to avoid breaking builds initially
+          # fail-on: critical,high
+
+  # Additional Rust-specific security scanning with cargo-audit
+  rust-security:
+    name: Rust Security Audit
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-audit-${{ hashFiles('**/Cargo.lock') }}
+
+      # Install cargo-audit for RustSec advisory database scanning
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+
+      # Check for security vulnerabilities in dependencies
+      - name: Run cargo audit
+        run: cargo audit --deny warnings
+
+      # Check for outdated dependencies with known security issues
+      - name: Run cargo outdated
+        continue-on-error: true
+        run: |
+          cargo install cargo-outdated --locked
+          cargo outdated --root-deps-only --format json > outdated-deps.json || true
+
+      # Upload results as artifacts for review
+      - name: Upload audit results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-audit-results
+          path: |
+            outdated-deps.json
+          retention-days: 30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,63 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### [2025-11-29] - GitHub Security Scanning Configuration
+
+#### Added
+
+**Dependabot Configuration (.github/dependabot.yml):**
+- Automated dependency update monitoring for Cargo (Rust) ecosystem
+- GitHub Actions version update monitoring
+- Weekly update schedule (Mondays at 09:00 UTC)
+- Grouped updates by dependency category:
+  - Cryptographic dependencies (chacha20poly1305, x25519-dalek, blake3, snow)
+  - Async runtime dependencies (tokio, io-uring, futures)
+  - Development dependencies (separate group)
+- Conventional commit message prefixes (deps:, ci:)
+- Auto-assignment to repository maintainers
+- Pull request limits (10 for cargo, 5 for github-actions)
+
+**CodeQL Security Scanning (.github/workflows/codeql.yml):**
+- Automated security vulnerability scanning using GitHub CodeQL
+- Rust language analysis with security-extended query suite
+- Triggered on: push to main/develop, pull requests, weekly schedule, manual dispatch
+- Two-job workflow:
+  1. CodeQL Analysis: Comprehensive code scanning with security-extended queries
+  2. Rust Security Audit: cargo-audit for RustSec advisory database scanning
+- Security results uploaded to GitHub Security tab
+- Artifact retention for audit results (30 days)
+- cargo-audit integration for Rust-specific vulnerability detection
+- cargo-outdated checks for dependency freshness
+- Caching strategy for faster builds
+
+**Security Scanning Features:**
+- RustSec advisory database integration via cargo-audit
+- Automated weekly security scans
+- Pull request security validation
+- Cryptographic dependency prioritization
+- GitHub Security tab integration for centralized vulnerability tracking
+
+#### Technical Details
+
+**Dependabot Groups:**
+- crypto: Critical cryptographic libraries (minor/patch updates)
+- async-runtime: Tokio and async I/O dependencies (minor/patch updates)
+- dev-dependencies: Development-only dependencies (minor/patch updates)
+
+**CodeQL Configuration:**
+- Language: Rust (experimental support)
+- Query Suite: security-extended (comprehensive security analysis)
+- Timeout: 30 minutes for analysis, 15 minutes for cargo-audit
+- Permissions: actions:read, contents:read, security-events:write
+- Build Strategy: Full workspace release build for accurate analysis
+
+**Rust Security Tools:**
+- cargo-audit: Scans Cargo.lock against RustSec advisory database
+- cargo-outdated: Identifies outdated dependencies with security implications
+- CodeQL: Static analysis for common vulnerability patterns
+
+---
+
 ### [2025-11-29] - Rust 2024 Edition Upgrade
 
 #### Changed
