Context
We want a production-grade DevSecOps pipeline for Do Not Ghost Me that:
- Detects security issues early (PR-time).
- Produces actionable results inside GitHub (checks + Security tab / Code Scanning).
- Enforces merge gates on main, while keeping staging fast and iteration-friendly.
Recent work includes:
- Adding a Snyk workflow draft (SAST + SCA + IaC + Container) and SARIF upload capability.
- Updating GitHub Actions dependencies via Dependabot bumps.
- Adding repo-level tooling/config around coverage/security (e.g. Codecov config), and adjusting Dependabot behavior to target staging-only PRs.
Goals
- Add/standardize security scanning in CI:
- SAST (Code scanning)
- SCA (dependency vuln scanning)
- IaC scanning (Terraform/Docker/K8s configs if present)
- Container scanning (Dockerfile/image), if applicable
- Upload results to GitHub Code Scanning (SARIF) where possible.
- Make security checks required on main (merge gate), but not required on staging.
- Keep permissions minimal and workflows deterministic (pinned action SHAs, least privilege).
Requirements / Constraints
- Main branch: security checks must pass before merge (ruleset required status checks).
- Staging branch: security scans may run, but should not block merges by default.
- Secrets:
- Workflow uses
SNYK_TOKEN (or equivalent). We must decide how it behaves on PRs from forks and Dependabot PRs.
- If we want scanning to run on Dependabot PRs, we may need to configure Dependabot secrets or accept that secrets are not available there.
- Avoid noisy/low-signal failure modes. Prefer “reporting” for staging and “enforcing” for main.
Proposed approach
-
Decide toolset (industry standard baseline)
- CodeQL (GitHub-native SAST)
- Dependabot alerts + security updates (SCA baseline)
- Optional: Snyk (SAST/SCA/IaC/container) for deeper scanning
-
Workflow design
- One workflow file, with logic:
main: fail the check on findings above threshold (or fail on tool exit code).
staging: always upload results but do not fail (or use different severity threshold).
- Ensure Node install and dependencies are set up before scanning where needed.
- Pin all GitHub Actions to major versions (or commit SHAs for extra hardening).
-
Branch rulesets
- Add required status checks for main (e.g.
ci, codeql, snyk-security).
- Keep staging less strict (required:
ci only, optionally vercel).
-
Security tab integration
- SARIF upload for code scanning (GitHub Code Scanning UI).
- Ensure alerts show up consistently and are easy to triage.
Tasks
Acceptance criteria
- PRs targeting main cannot be merged unless:
- CI passes
- Security scan checks pass (as defined)
- PRs targeting staging run scans but do not block merge by default.
- Security results are visible in GitHub (checks + Code Scanning where applicable).
- Workflows use least-privilege permissions and are stable (no flaky steps).
Notes / Open questions
- What is our minimum viable enforcement level for main?
- Do we want Snyk to be required, or keep GitHub-native (CodeQL + Dependabot) as the baseline?
- How should we handle token availability on Dependabot PRs and fork PRs?
Context
We want a production-grade DevSecOps pipeline for Do Not Ghost Me that:
Recent work includes:
Goals
Requirements / Constraints
SNYK_TOKEN(or equivalent). We must decide how it behaves on PRs from forks and Dependabot PRs.Proposed approach
Decide toolset (industry standard baseline)
Workflow design
main: fail the check on findings above threshold (or fail on tool exit code).staging: always upload results but do not fail (or use different severity threshold).Branch rulesets
ci,codeql,snyk-security).cionly, optionallyvercel).Security tab integration
Tasks
Acceptance criteria
Notes / Open questions