diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..b7b112c9ce --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,35 @@ +version: 2 +updates: + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "03:00" + timezone: "UTC" + open-pull-requests-limit: 5 + allow: + - dependency-type: "direct" + reviewers: + - "equinor/security-team" + # Labels help routing and automation + labels: + - "security" + - "dependencies" + # Use groups to bundle related updates (e.g., logging libs) if desired later. + # groups: + # logging: + # patterns: + # - "org.apache.logging.log4j*" + + # (Optional future) GitHub Actions ecosystem + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "03:30" + timezone: "UTC" + labels: + - "security" + - "dependencies" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..2fe826da64 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,47 @@ +name: CodeQL Security Analysis + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + schedule: + - cron: '0 2 * * 1' # Weekly Monday 02:00 UTC + +permissions: + contents: read + security-events: write + actions: read + +jobs: + analyze: + name: Analyze (Java) + runs-on: ubuntu-latest + timeout-minutes: 90 + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: '11' + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: java + queries: security-extended,security-and-quality + + # Manual build ensures full dependency resolution and covers multi-module changes. + - name: Build with Maven (no tests) + run: mvn -B -q clean install -DskipTests + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:java" + upload: true + + # Optional: fail the job if any results exceed a threshold (future enhancement via SARIF parsing) diff --git a/SECURITY-TRIAGE.md b/SECURITY-TRIAGE.md new file mode 100644 index 0000000000..0186cf339f --- /dev/null +++ b/SECURITY-TRIAGE.md 
@@ -0,0 +1,73 @@ +# Security Triage Policy + +This document defines how security findings (CodeQL, secret scanning, Dependabot, OWASP Dependency-Check, SpotBugs, PMD, etc.) are triaged and remediated for this repository. + +## 1. Sources of Findings +| Source | Type | Location | +|-------|------|----------| +| CodeQL | Static code scanning | GitHub Security tab (Code scanning alerts) | +| Secret Scanning & Push Protection | Credential leaks | GitHub Security tab (Secret scanning alerts) | +| Dependabot Alerts | Vulnerable dependencies | GitHub Security tab (Dependabot alerts) | +| OWASP Dependency-Check | Dependency CVEs (aggregate report) | CI logs / reports | +| SpotBugs / PMD | Quality & potential security issues | CI verify stage | + +## 2. Severity Mapping +Severity is based on CVSS (for dependency CVEs) or CodeQL categorization. Adjustments may be made for exploit maturity and exposure. + +| Severity | Examples | Action Window | +|----------|----------|---------------| +| Critical | Remote code execution, credential compromise, secret leak (active) | Fix/rotate within 24h | +| High | Deserialization bugs, SQL injection, high CVSS dependency CVE | Fix within 3 business days | +| Medium | Path traversal, SSRF, medium CVSS dependency CVE | Fix within current sprint (≤ 2 weeks) | +| Low | Minor info leak, low CVSS dependency CVE | Backlog / next maintenance window | +| Informational | Style / false positives / non-exploitable | Mark as `wont-fix` or ignore | + +## 3. Triage Workflow +1. Alert surfaces (scan, PR annotation, or dashboard). +2. Assign an owner automatically via `CODEOWNERS` or manually (`@equinor/security-team`). +3. Validate: confirm reproducibility, assess exploitability in our context (e.g., library not used at runtime path?). +4. Classify severity (table above) & document rationale in issue or alert comment. +5. 
Decide disposition: + - Remediate (create PR) + - Mitigate (configuration change / rotation) + - Accept risk (document reason) -> Mark `wont-fix` (CodeQL) or dismiss (Dependabot) with justification. +6. Track SLA: use labels `security` + `severity/` on issues/PRs. +7. Verify fix: ensure updated scan passes & no regression. + +## 4. Secret Incidents +If a secret is found: +- Immediately revoke/rotate the credential. +- Purge from history if high sensitivity (use GitHub guidance / BFG Repo-Cleaner). +- Document rotation in internal runbook; NEVER store secrets in repo afterwards. + +## 5. False Positives & Suppression +- CodeQL: Prefer updating code or adding precise guards. If not feasible, add a `# codeql[]: disable ` comment only where needed. +- Dependabot: Dismiss with `not used at runtime` or `transitive - awaiting upstream` reason. +- OWASP Dependency-Check: Use suppression XML file if persistent FP (store as `dependency-check-suppression.xml`). + +## 6. PR Requirements +- All PRs must have successful: build, tests, CodeQL scan, and (if dependency changes) dependency review. +- Security-sensitive changes (crypto, auth, input parsing) require at least 2 reviewers including one from security team. + +## 7. Tooling Enhancements (Future) +- Add SARIF gating step to fail CI if Critical/High new issues appear. +- Automate issue creation for CodeQL alerts via webhook/app. +- Integrate metrics export to dashboard (MTTR, open-by-severity, secrets blocked). + +## 8. Metrics & Reporting +Track monthly: +- Open alerts by severity (snapshot) +- New vs resolved counts +- MTTR for Critical/High +- Number of secrets blocked by Push Protection +- Dependency update PR merge rate + +## 9. Contacts +- Security questions: `@equinor/security-team` +- Maintainers: see `CODEOWNERS` + +## 10. Review +Review this policy quarterly or after major process/tooling changes. + +--- +_Last updated: 2025-10-29_
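Review bot: In `.github/dependabot.yml`, the comment `# (Optional future) GitHub Actions ecosystem` sits above an entry that is actually active, so the comment contradicts the config; either drop the comment or remove the entry until it is wanted. Also note that `allow: - dependency-type: "direct"` restricts version updates to direct dependencies, so transitive bumps will only arrive through Dependabot security updates (alert-driven), not the weekly schedule; that matches the `transitive - awaiting upstream` dismissal reason in `SECURITY-TRIAGE.md`, but it should be stated in the comment so nobody expects weekly transitive PRs. Consider also whether `reviewers:` should be replaced by a `CODEOWNERS` entry, since the triage document already relies on `CODEOWNERS` for assignment and keeping the reviewer list in two places will drift.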
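Review bot: In `.github/workflows/codeql.yml`, the third-party actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-java@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`); for a workflow that holds `security-events: write`, pin each to a full commit SHA with the tag in a trailing comment, and let the new `github-actions` Dependabot entry keep the pins current. Two smaller points: `queries: security-extended,security-and-quality` is redundant because `security-and-quality` already contains the `security-extended` suite, so list only the broader one; and `upload: true` on the analyze step is the legacy boolean form, the documented values are `always`, `failure-only` and `never`, so `upload: always` is clearer. The trailing comment about SARIF gating is a TODO with no owner; it belongs in `SECURITY-TRIAGE.md` section 7 (where the same item is already listed) rather than in the workflow.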
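Review bot: In `SECURITY-TRIAGE.md` section 5, the suggested CodeQL suppression comment `# codeql[]: disable ` is not valid for this Java repository: CodeQL alert suppression uses a source-language line comment carrying the query id, of the form `// codeql[java/query-id]`, and `#` is not a Java comment character, so the line as written would be a compile error; the empty brackets also leave out the query id that makes the suppression precise. Section 3 step 6 references a label prefix `severity/` with nothing after the slash, so the label scheme is undefined; spell out the expected values (the severity names from the section 2 table) or link to where they are defined. Finally, section 1 lists OWASP Dependency-Check, SpotBugs and PMD as sources and section 3 relies on `CODEOWNERS`, but none of those are added in this patch; either add them or mark them as planned so the policy does not describe checks that do not run.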