chore(security): Implement uniform SAST, SCA, and Dependabot (#18)#19
Merged
Conversation
### 🛡️ Security * **Vulnerability Scanning:** Implemented uniform SAST, SCA, Trivy, and Dependabot scanning pipelines across the repository. * **Secret Detection:** Migrated from Gitleaks to TruffleHog, simultaneously resolving CI pathing issues and a `base/head` mismatch error in `security.yml`. * **CodeQL Resilience:** Resolved matrix/pathing errors and added required `actions:read` permissions for successful SARIF uploads. * **Graceful Degradation:** Engineered fallback limits and injected `continue-on-error` steps to prevent CI blockers when GitHub Advanced Security is disabled. ### ⚙️ CI/CD & Formatting * **Pre-commit Hooks:** Configured auto-fixes for EOF and CRLF line endings to satisfy strict pre-commit requirements. * **Linting & Code Quality:** Resolved lingering Codespell errors and strictly enforced EOF standards globally across the codebase. --- * chore(security): implement uniform SAST, SCA, Trivy, and Dependabot scans * fix(security): swap gitleaks for trufflehog and fix ci paths * fix(security): add actions:read permission for codeql upload-sarif * fix(security): resolve pathing, codespell, and CodeQL matrix errors * fix(security): graceful degrade advanced security uploads when disabled * fix(security): auto-fix EOF and CRLF to satisfy pre-commit * fix(security): strictly enforce EOF and inject continue-on-error degradation limits * fix(security): resolve TruffleHog base/head identical mismatch in security.yml
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🛡️ Security
base/headmismatch error insecurity.yml.actions:readpermissions for successful SARIF uploads.continue-on-errorsteps to prevent CI blockers when GitHub Advanced Security is disabled.⚙️ CI/CD & Formatting