
sec: Sigstore signing, SBOM, Grype, CodeQL + docs #73

Merged
Pyronewbic merged 3 commits into main from dev on May 13, 2026

Conversation

@Pyronewbic
Owner

Summary

  • Cosign keyless container signing via GitHub OIDC, deploy by image digest
  • Syft SBOM generation (SPDX JSON) as build artifact
  • Grype vulnerability scanning with SARIF to GitHub Security tab
  • CodeQL SAST on PRs + weekly schedule
  • Binary Authorization on both Cloud Run services (DRYRUN audit mode)
  • Terraform CI: tfvars from GitHub secrets, Docker auth for cosign
  • Kaniko pinned v1.23.2, --reproducible, dual tags
  • Docs: CHANGELOG, README security section, internals security pipeline table

Type

  • Infra / config
  • Docs / tests

Endpoints

None

Checks

  • yarn test:unit passes
  • terraform validate passes

Infrastructure

  • New GCP APIs: Binary Authorization, Container Analysis
  • New IAM roles on deploy SA: binaryauthorization.policyEditor, serviceusage.serviceUsageAdmin
  • New GitHub secret: ALERT_EMAIL (for Terraform tfvars)
  • Binary Auth policy: DRYRUN_AUDIT_LOG_ONLY
  • Terraform auto-applies on merge (terraform/ path filter)

Frontend impact

None

Deploy notes

First deploy will run the full signing + scanning pipeline. Binary Auth is DRYRUN so no blocking risk. Verify cosign signing succeeds, then switch to ALWAYS_DENY in a future PR.
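The sign, SBOM, scan and verify-before-deploy sequence the summary lists, as an added example rather than the PR's own workflow code: a POSIX shell deploy gate that assumes it runs inside a GitHub Actions job granted `id-token: write` (keyless cosign needs the OIDC token), that `GITHUB_REPOSITORY` is set by the runner, and that the caller passes an `image@sha256:` reference produced by the build step (for instance via Kaniko's `--digest-file`).

```shell
#!/bin/sh
# Added example, not the PR's workflow: a deploy gate around the pipeline the
# summary describes. Assumes a GitHub Actions job with `id-token: write`
# (keyless cosign needs the OIDC token) and an image@sha256 reference from
# the build step (e.g. Kaniko's --digest-file) passed as the argument.
set -eu

# Accept only immutable image@sha256:<64 hex> references: tags are mutable,
# so a signature or scan result on a tag proves nothing about what deploys.
require_digest_ref() {
  ref="$1"
  case "$ref" in
    *@sha256:*) ;;
    *) echo "refusing non-digest reference: $ref" >&2; return 1 ;;
  esac
  printf '%s\n' "${ref##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$' ||
    { echo "malformed digest in: $ref" >&2; return 1; }
}

# Keyless signing: cosign trades the job's OIDC token for a short-lived
# Fulcio certificate and records the signature in the Rekor log.
sign_image() {
  require_digest_ref "$1"
  cosign sign --yes "$1"
}

# SPDX SBOM kept as a build artifact; Grype scans the SBOM (no second pull)
# and writes SARIF for github/codeql-action/upload-sarif.
sbom_and_scan() {
  require_digest_ref "$1"
  syft "$1" -o spdx-json=sbom.spdx.json
  grype sbom:sbom.spdx.json -o sarif --file grype.sarif
}

# Verify before deploy, pinned to this repository's workflow identity and
# GitHub's OIDC issuer; without both constraints any Sigstore signer passes.
verify_before_deploy() {
  require_digest_ref "$1"
  cosign verify \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" \
    "$1" >/dev/null
}

# Run the whole gate only when an image reference is given on the command
# line, so the functions can also be sourced from other scripts.
if [ "$#" -eq 1 ]; then
  sign_image "$1" && sbom_and_scan "$1" && verify_before_deploy "$1"
fi
```

Run it as `sh deploy-gate.sh "$IMAGE@$DIGEST"` after the Kaniko step; a tag-only reference is rejected before any tool is invoked.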

…g/README/internals

- CHANGELOG: set browser, collection tracking, Sigstore, SBOM, Grype,
  Binary Auth, CodeQL, Terraform CI, security fixes
- README: security section with signing, SBOM, scanning, SAST
- Internals: security pipeline table with tool/stage/purpose
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Pyronewbic Pyronewbic merged commit f1b2736 into main May 13, 2026
4 checks passed