chore: enhance security configurations

Author: Jake Clayton

.github/workflows/codeql.yml

@@ -0,0 +1,45 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '31 7 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Setup Go
+      uses: actions/setup-go@6d5114b80faf1e90e980a273e2c95e1642c7dc55 # v5.2.0
+      with:
+        go-version-file: 'go.mod'
+
+    - name: Build
+      run: make build
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
         with:
           sarif_file: results.sarif

.github/workflows/workflow.yml

@@ -6,17 +6,19 @@ on:
       - develop
       - master
 
+permissions: read-all
+
 jobs:
   test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         go-version: ['1.24.3']
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@6d5114b80faf1e90e980a273e2c95e1642c7dc55 # v5.2.0
       with:
         go-version: ${{ matrix.go-version }}
         cache: true
@@ -25,7 +27,7 @@ jobs:
       run: go version
 
     - name: Set up golangci-lint
-      uses: golangci/golangci-lint-action@v8
+      uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v8.0.0
       with:
         version: v2.1
 
@@ -42,7 +44,7 @@ jobs:
       run: make build
 
     - name: Upload coverage
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
       with:
         name: coverage-${{ matrix.go-version }}
         path: coverage.html

.goreleaser.yaml renamed to .goreleaser.yml

@@ -29,6 +29,11 @@ archives:
 
 checksum:
   name_template: "{{ .ProjectName }}_checksums.txt"
+  algorithm: sha256
+
+sboms:
+  - artifacts: archive
+    id: sboms
 
 changelog:
   sort: asc

.lefthook.yml

@@ -7,4 +7,6 @@ pre-commit:
       stage_fixed: true
     go-mod-tidy:
       glob: "go.mod"
-      run: go mod tidy && git add go.mod go.sum
+      run: go mod tidy && git add go.mod go.sum
+    gitleaks:
+      run: gitleaks git --staged --no-banner --redact -v

CODEOWNERS

@@ -0,0 +1,22 @@
+# This file defines code ownership for automatic review assignment
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Global owners - these owners will be requested for review when someone opens a pull request
+* @jakec-dev
+
+# Go source files
+*.go @jakec-dev
+
+# GitHub Actions workflows
+.github/ @jakec-dev
+
+# Documentation
+*.md @jakec-dev
+docs/ @jakec-dev
+
+# Configuration files
+Makefile @jakec-dev
+go.mod @jakec-dev
+go.sum @jakec-dev
+.golangci.yml @jakec-dev
+.goreleaser.yml @jakec-dev

CONTRIBUTING.md

@@ -4,9 +4,8 @@ Thanks for your interest in contributing to **aws-local-sync**! This guide outli
 
 ## Prerequisites
 
-- Go 1.21 or later
+- Go 1.24.3 or later
 - Make
-- [golangci-lint](https://golangci-lint.run/usage/install/) (for linting)
 
 ## Development Setup
 
@@ -17,12 +16,19 @@ Thanks for your interest in contributing to **aws-local-sync**! This guide outli
    cd aws-local-sync
    ```
 
-2. **Install Git hooks**
+2. **Install development tools**
 
    ```sh
-   make hooks    # Install pre-commit hooks via lefthook
+   make install  # Installs all required dev tools and dependencies
    ```
 
+   This will install:
+   - golangci-lint (code linting)
+   - lefthook (git hooks)
+   - gitleaks (secret scanning)
+   - govulncheck (vulnerability scanning)
+   - staticcheck (static analysis)
+
 3. **Explore available commands**
 
    ```sh
@@ -66,7 +72,7 @@ This project uses [lefthook](https://github.com/evilmartians/lefthook) for Git h
 
 ### Useful Make Targets
 
-- `make hooks` - Install Git hooks
+- `make install` - Install all dev tools and git hooks
 - `make hooks-run` - Manually run pre-commit checks
 - `make tidy` - Clean up dependencies and format code
 - `make clean` - Remove build artifacts

Makefile

@@ -37,6 +37,31 @@ help: ## Show all available make targets with descriptions
 		else if (/^## .*$$/) {printf "${CYAN}%s${RESET}\n", substr($$1,4)} \
 		}' $(MAKEFILE_LIST)
 
+# ==================================================================================== #
+# SETUP
+# ==================================================================================== #
+
+.PHONY: install
+install: ## Install all development dependencies, tools, and git hooks
+	@echo "Installing development tools..."
+	@command -v golangci-lint >/dev/null 2>&1 || \
+		(echo "→ Installing golangci-lint..." && go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest)
+	@command -v lefthook >/dev/null 2>&1 || \
+		(echo "→ Installing lefthook..." && go install github.com/evilmartians/lefthook@latest)
+	@command -v gitleaks >/dev/null 2>&1 || \
+		(echo "→ Installing gitleaks..." && go install github.com/zricethezav/gitleaks/v8@latest)
+	@command -v govulncheck >/dev/null 2>&1 || \
+		(echo "→ Installing govulncheck..." && go install golang.org/x/vuln/cmd/govulncheck@latest)
+	@command -v staticcheck >/dev/null 2>&1 || \
+		(echo "→ Installing staticcheck..." && go install honnef.co/go/tools/cmd/staticcheck@latest)
+	@command -v go-licenses >/dev/null 2>&1 || \
+		(echo "→ Installing go-licenses..." && go install github.com/google/go-licenses@latest)
+	@echo "→ Installing git hooks..."
+	@lefthook install
+	@echo "→ Downloading Go dependencies..."
+	@go mod download
+	@echo "✓ All development tools and git hooks installed successfully!"
+
 # ==================================================================================== #
 # QUALITY CONTROL
 # ==================================================================================== #
@@ -52,6 +77,8 @@ audit: test ## Run full audit: verify modules, scan for issues and vulnerabiliti
 	go vet ./...
 	go run honnef.co/go/tools/cmd/staticcheck@latest -checks=all,-ST1000,-U1000 ./...
 	go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+	@echo "→ Checking for unpinned dependencies..."
+	@go list -m -json all | jq -r 'select(.Indirect != true) | select(.Main != true) | "\(.Path) \(.Version)"' || echo "No dependencies found"
 
 .PHONY: test
 test: ## Run tests with race detection and generate coverage report (HTML + out)
@@ -62,6 +89,10 @@ test: ## Run tests with race detection and generate coverage report (HTML + out)
 upgradeable: ## Show all direct dependencies with available upgrades
 	@go list -u -f '{{if (and (not (or .Main .Indirect)) .Update)}}{{.Path}}: {{.Version}} -> {{.Update.Version}}{{end}}' -m all
 
+.PHONY: licenses
+licenses: ## Check licenses of all dependencies
+	@go-licenses report ./... 2>/dev/null || echo "No dependencies with licenses found"
+
 # ==================================================================================== #
 # DEVELOPMENT
 # ==================================================================================== #
@@ -75,17 +106,6 @@ tidy: ## Clean up go.mod/go.sum and format all Go source files
 build: ## Build the Go binary with version, commit, and build time metadata
 	go build -trimpath -ldflags $(LDFLAGS) -o ${BUILD_DIR}/${BINARY_NAME} ${MAIN_PACKAGE}
 
-.PHONY: hooks
-hooks: ## Install git hooks via lefthook
-	@command -v lefthook >/dev/null 2>&1 || \
-		(echo "Installing lefthook..." && go install github.com/evilmartians/lefthook@latest)
-	@lefthook install
-	@echo "Git hooks installed successfully"
-
-.PHONY: hooks-run
-hooks-run: ## Run pre-commit hooks manually on all files
-	@lefthook run pre-commit
-
 .PHONY: build-static
 build-static: ## Build a statically linked binary for release (CGO disabled)
 	CGO_ENABLED=0 go build -trimpath -ldflags $(LDFLAGS) \
@@ -95,6 +115,10 @@ build-static: ## Build a statically linked binary for release (CGO disabled)
 run: build ## Build and run the compiled binary
 	${BUILD_DIR}/${BINARY_NAME}
 
+.PHONY: pre-commit
+pre-commit: ## Run pre-commit hooks manually on all files
+	@lefthook run pre-commit
+
 .PHONY: clean
 clean: ## Remove compiled binary, coverage reports, and other build artifacts
 	go clean

SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities. Currently supported versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+We take the security of aws-local-sync seriously. If you believe you have found a security vulnerability, please report it to us as described below.
+
+### How to Report
+
+Please report security vulnerabilities through GitHub's security advisory feature:
+
+1. Go to the [Security tab](https://github.com/jakec-dev/aws-local-sync/security) of this repository
+2. Click on "Report a vulnerability"
+3. Fill out the form with details about the vulnerability
+
+### What to Include
+
+Please include the following information:
+
+- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit it
+
+### Response Timeline
+
+- We will acknowledge receipt of your vulnerability report within 48 hours
+- We will send a more detailed response within 5 business days indicating the next steps
+- We will keep you informed about the progress towards a fix and full announcement
+- We may ask for additional information or guidance during the process
+
+## Security Best Practices
+
+When using aws-local-sync:
+
+1. **AWS Credentials**: Never commit AWS credentials to version control. Use environment variables or AWS credential files
+2. **IAM Permissions**: Follow the principle of least privilege when configuring IAM roles and policies
+3. **Dependencies**: Keep dependencies up to date using Dependabot alerts
+4. **Binary Verification**: Verify checksums of downloaded binaries when available
+
+## Security Updates
+
+Security updates will be released as patch versions and announced through:
+- GitHub Releases
+- Security Advisories on this repository
+
+## Acknowledgments
+
+We appreciate the security research community's efforts in helping keep aws-local-sync secure. Contributors who report valid security issues will be acknowledged in our release notes (unless they prefer to remain anonymous).