LegionForge Guardian follows OWASP SAMM practices and LegionForge's Security Roadmap for supply-chain and application security.

If you discover a security vulnerability, please email jp@legionforge.org with:

• Description of the vulnerability
• Steps to reproduce (if applicable)
• Your name and contact information (optional)

Please do not open public GitHub issues for security vulnerabilities.

• ✅ All GitHub Actions pinned to commit SHAs (no mutable tags like @v4 or @main)
• ✅ Dependabot configured to auto-update action references weekly
• ✅ Dependency updates require review before merging

Files: .github/dependabot.yml, .github/workflows/*.yml

• ✅ No GITHUB_TOKEN default permission escalation
• ✅ Each workflow declares minimal required permissions
• ✅ security-events: write only on workflows uploading security reports

Permissions by workflow:

• ci.yml: Delegates to dev-rig reusable workflows
• dast.yml: security-events: write (SARIF upload)
• publish.yml: contents: read (build), id-token: write (OIDC), attestations: write (SLSA)
• lint-workflows.yml: contents: read

• ✅ zizmor scans all workflows for OWASP CI/CD Top 10 risks
• ✅ Automated checks for:
  • Unpinned action references
  • Template injection vulnerabilities
  • Dangerous event triggers
  • Excessive GITHUB_TOKEN permissions

File: .github/workflows/lint-workflows.yml

• ✅ harden-runner enabled on all Guardian-controlled jobs
• ✅ Restricts outbound network to whitelisted endpoints
• ✅ Prevents exfiltration post-compromise

Egress policy: audit (logs violations, doesn't fail builds in v0.1.2)

Allowed endpoints by workflow:

• All workflows: github.com:443, api.github.com:443
• DAST: ↑ (scanning localhost)
• Publish: ↑ + pypi.org:443, upload.pypi.org:443

• ✅ SAST (Static): semgrep (p/python, p/fastapi) + CodeQL for injection/access control
• ✅ DAST (Dynamic): OWASP ZAP baseline scan for runtime auth/headers/session issues
• ✅ Dependency Audit: pip-audit for vulnerable packages
• ✅ Secret Scanning: gitleaks prevents credential commits
• ✅ SBOM: Cyclonedx for supply-chain transparency

• ✅ SLSA v1.1 build attestations on all PyPI releases
• ✅ Verifiable supply chain: code → artifact → registry
• ✅ actions/attest-build-provenance generates cryptographic proof

• Apply Phase 1.5: OSS Risk Audit MVP
• Upgrade CI coverage threshold: 50% → 70%
• Document OWASP ZAP findings and remediation

• Escalate harden-runner egress to block mode
• Phase 2 SOTA (OSV-Scanner, SLSA L2)
• Hardened Python install (PEP 668)

• Governance policy enforcement
• Attestation verification on installs

Trigger: Push/PR to main

Jobs:

1. Lint (dev-rig): ruff, black
2. Test (dev-rig): pytest + coverage
3. SAST (dev-rig): semgrep + CodeQL
4. Audit (dev-rig): pip-audit
5. Secrets (dev-rig): gitleaks
6. SBOM (dev-rig): cyclonedx
7. Lint-Workflows: zizmor
8. DAST: OWASP ZAP

Publish Trigger: Git tag v*

• OWASP SAMM
• OWASP Top 10
• OWASP CI/CD Top 10
• SLSA Framework
• zizmor
• harden-runner

MIT. See LICENSE.