docs(security): Split and consolidate security hardening guidance#49
Merged
Conversation
Document the organization preference for SLSA Build L3+ provenance, SBOM attestations, and linked artifacts metadata. Clarify when to use SLSA GitHub Generator, reusable workflow attestation, direct actions/attest, and SBOM release assets. Signed-off-by: Yunseo Kim <[email protected]>
Move OIDC and artifact verification details into the workflow hardening guide. Clarify SLSA GitHub Generator builder versus generator options and add the GitHub SLSA Level 3 attestation reference. Signed-off-by: Yunseo Kim <[email protected]>
Keep SECURITY.md focused on policy-level reporting, monitoring, and supply-chain requirements. Move detailed workflow and artifact verification guidance behind companion document links. Signed-off-by: Yunseo Kim <[email protected]>
Add a dependency defense overview that explains how lockfiles, updates, cooldowns, dependency review, and OSV scanning fit together. Nest Dependabot cooldown guidance under update automation and remove redundant comparison tables. Signed-off-by: Yunseo Kim <[email protected]>
Describe Source L3 as controls to follow wherever feasible rather than a guaranteed level for a 1-person organization. Require independent review when another trusted reviewer is available and call out human review for bot-authored PRs. Signed-off-by: Yunseo Kim <[email protected]>
Move release provenance, SBOM attestation, linked artifacts, and verification guidance into a dedicated security companion document. Leave workflow hardening focused on GitHub Actions permissions, runner security, action pinning, and OIDC configuration. Signed-off-by: Yunseo Kim <[email protected]>
Add the artifact attestation guide to the security policy companion document list and point release integrity guidance at it. Connect the SLSA Build L3 implementation notes and mitigation table to the new canonical attestation guide. Signed-off-by: Yunseo Kim <[email protected]>
Point custom release workflows toward the SLSA GitHub Generator generic generator README before adapting provenance examples. Clarify that the generic generator is the common fit for bespoke build and release jobs. Signed-off-by: Yunseo Kim <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SECURITY.mdto streamline the security policy overview and reduce duplication.docs/security/artifact-attestations.mdcompanion doc.docs/security/workflow-hardening.md.docs/security/dependency-security.mdanddocs/security/slsa-compliance-framework.mdto clarify dependency defense layers, feasible Source L3 controls, and release provenance guidance.SECURITY.mdand the companion docs. Splitting artifact attestations into their own doc and consolidating hardening guidance makes the policy easier to maintain and consume.Related Issues
Change Type
Changelog
Changelog update:
CHANGELOG.md[Unreleased]updatedChecklist
General
type(scope): SummaryCI/Workflow Changes (if applicable)
If this PR modifies GitHub Actions workflows or CI/CD configuration, it must comply with our Supply Chain Integrity requirements:
uses:references are pinned to full 40-character commit SHAs (with# vX.Y.Zcomment)step-security/harden-runneris included as the first step in every jobpermissionsare used instead of top-levelpermissionsProtocol / Compatibility Impact
If impacted, describe compatibility impact:
Testing
Describe test evidence:
bun run lint:mdandbun run format:checkwere run locally.Documentation
Rollout / Risk
Reviewer Checklist