diff --git a/.github/SECURITY.md b/.github/SECURITY.md index f5184aa..3412d6a 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -33,39 +33,6 @@ This repository implements: - Daily security scans - Weekly metrics collection -## Vulnerability Suppressions - -This repository uses OWASP Dependency Check for security scanning. Some vulnerabilities may be suppressed if: - -1. They are false positives -2. They affect only test/development dependencies -3. They have been assessed and determined to not be exploitable in our context - -### Suppression File - -Suppressions are managed in `suppressions.xml` in the root directory. Each suppression must include: - -- Detailed notes explaining why the vulnerability is suppressed -- Specific identifiers (CVE, package, etc.) -- Regular review date - -### Adding New Suppressions - -To add a new suppression: - -1. Add the entry to `suppressions.xml` -2. Include detailed notes explaining the reason -3. Create a PR with the changes -4. Get security team review - -### Reviewing Suppressions - -Suppressions are reviewed: - -- Monthly during security scans -- When related dependencies are updated -- During security audits - ## Security Best Practices When using these actions: @@ -75,7 +42,6 @@ When using these actions: 3. Validate all inputs 4. Set appropriate timeouts 5. Configure required security scanners: - - Add `suppressions.xml` for OWASP Dependency Check - Add `.gitleaks.toml` for Gitleaks configuration ## Required Secrets diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml deleted file mode 100644 index c16a444..0000000 --- a/.github/workflows/auto-merge.yml +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json -name: Auto Merge - -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - - labeled - - unlabeled - check_suite: - types: - - completed - status: {} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: false # Don't cancel as this could leave PRs in inconsistent state - -permissions: - contents: read - checks: read - statuses: read - -jobs: - auto-merge: - name: 🤝 Auto Merge - runs-on: ubuntu-latest - timeout-minutes: 5 - - permissions: - contents: write - pull-requests: write - - steps: - - name: Check Required Secrets - id: check-secrets - run: | - # shellcheck disable=SC2016 - if [ -z "${{ secrets.APP_ID }}" ] || [ -z "${{ secrets.APP_PRIVATE_KEY }}" ]; then - echo "::warning::GitHub App credentials not configured. Using GITHUB_TOKEN instead." - echo "use_github_token=true" >> $GITHUB_OUTPUT - else - echo "use_github_token=false" >> $GITHUB_OUTPUT - fi - - - name: Generate Token - id: generate-token - if: steps.check-secrets.outputs.use_github_token == 'false' - uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514 # v1.11.2 - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} - - - name: Auto Merge PR - uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4 - env: - GITHUB_TOKEN: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }} - MERGE_LABELS: 'dependencies,automated-pr,!work-in-progress,!do-not-merge' - MERGE_METHOD: 'squash' - MERGE_COMMIT_MESSAGE: 'pull-request-title' - MERGE_RETRIES: '6' - MERGE_RETRY_SLEEP: '10000' - MERGE_REQUIRED_APPROVALS: '0' - MERGE_DELETE_BRANCH: 'true' - UPDATE_LABELS: 'automerge' - UPDATE_METHOD: 'rebase' - MERGE_ERROR_FAIL: 'false' - - - name: Check Merge Status - if: always() - uses: 
actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }} - script: | - const { repo, owner } = context.repo; - const pr = context.payload.pull_request; - - if (!pr) return; - - try { - const status = await github.rest.pulls.get({ - owner, - repo, - pull_number: pr.number - }); - - if (status.data.merged) { - console.log(`PR #${pr.number} was successfully merged`); - - // Add merge success comment - await github.rest.issues.createComment({ - owner, - repo, - issue_number: pr.number, - body: '✅ Successfully auto-merged! Branch will be deleted.' - }); - } else { - console.log(`PR #${pr.number} is not merged. State: ${status.data.state}`); - - // Check merge blockers - if (status.data.mergeable_state === 'blocked') { - console.log('PR is blocked from merging. Check branch protection rules.'); - await github.rest.issues.createComment({ - owner, - repo, - issue_number: pr.number, - body: '⚠️ Auto-merge is blocked. Please check branch protection rules and resolve any conflicts.' - }); - } - - // Check if using reduced permissions - if ('${{ steps.check-secrets.outputs.use_github_token }}' === 'true') { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: pr.number, - body: '⚠️ Note: Running with reduced permissions as GitHub App credentials are not configured.' 
- }); - } - } - } catch (error) { - console.error('Error checking merge status:', error); - core.setFailed(`Failed to check merge status: ${error.message}`); - - // Add error comment to PR - try { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: pr.number, - body: `❌ Error checking merge status: ${error.message}` - }); - } catch (commentError) { - console.error('Failed to add error comment:', commentError); - } - } - - - name: Remove Labels on Failure - if: failure() - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }} - script: | - const { repo, owner } = context.repo; - const pr = context.payload.pull_request; - - if (!pr) return; - - try { - // Remove automerge label - await github.rest.issues.removeLabel({ - owner, - repo, - issue_number: pr.number, - name: 'automerge' - }).catch(e => console.log('automerge label not found')); - - // Add merge-failed label - await github.rest.issues.addLabels({ - owner, - repo, - issue_number: pr.number, - labels: ['merge-failed'] - }); - - // Add failure comment - await github.rest.issues.createComment({ - owner, - repo, - issue_number: pr.number, - body: '❌ Auto-merge failed. The automerge label has been removed and merge-failed label added.' - }); - } catch (error) { - console.error('Error handling merge failure:', error); - } diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 3f38a7e..857799c 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -90,7 +90,6 @@ jobs: --enableRetired --enableExperimental --failOnCVSS 7 - --suppression suppressions.xml - name: Upload OWASP Results uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 diff --git a/suppressions.xml b/suppressions.xml deleted file mode 100644 index de49d41..0000000 
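Review bot: With `--suppression suppressions.xml` dropped from the dependency-check arguments, the step still runs with `--enableExperimental` and `--enableRetired` alongside `--failOnCVSS 7`, so a false positive from the experimental analyzers now fails the workflow with no in-repo way to triage it. The deleted suppressions.xml appears to hold only template entries (a placeholder CVE and example package patterns), so nothing is lost today, but the SECURITY.md section describing the suppression review process goes with it, and the easy reaction to a spurious failure is to lower the threshold or disable the scanner. I would add a comment above the argument list, `# No suppression file: every CVSS >= 7 finding fails the job, including false positives from --enableExperimental; re-add --suppression <file> with reviewed, dated entries rather than raising the threshold.` The run step's opening line is outside the hunk.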
--- a/suppressions.xml +++ /dev/null @@ -1,22 +0,0 @@ - - - - - Description of why this vulnerability is suppressed - CVE-2023-12345 - - - - - Package is only used in development - ^pkg:npm/dev\-dependency@.*$ - .* - - - - - Low severity issues in test dependencies - 4.0 - ^pkg:npm/test\-.*$ - -