
ci: add config and deployment security scanning#85

Merged
TannerTorrey3 merged 3 commits into main from ci/config-security-scanning
Mar 28, 2026

Conversation

@TannerTorrey3 (Contributor) commented Mar 28, 2026

Summary

  • Adds config-security.yml workflow with two jobs: Trivy misconfig scan and custom deployment policy checks
  • Custom script enforces: if auth is disabled or passwords are empty, all port bindings must be 127.0.0.1 (no public exposure)
  • Current docker-compose.yml and docker-compose.standalone.yml pass (they bind to localhost)
  • Catches regressions like 0.0.0.0 bindings or unqualified port:port mappings with auth disabled
  • Documents the new checks in CONTRIBUTING.md

Test plan

  • Script passes on current docker-compose.yml and docker-compose.standalone.yml
  • Script fails on 0.0.0.0 port binding with auth disabled
  • Script fails on unqualified port:port binding with auth disabled
  • CI workflow runs successfully on this PR

🤖 Generated with Claude Code
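One way to implement the deployment policy check the summary describes (auth disabled or empty password implies every published port binds to loopback), as an added example that is not the project's own script. It assumes the hypothetical environment variable names `AUTH_ENABLED` and `*PASSWORD`, and reads compose short-form port syntax (`[host_ip:]host_port:container_port`) plus list- or map-form `environment:` entries with a small hand-rolled reader so it runs without a YAML dependency; the compose texts embedded below are constructed inputs, not the repository's real files.

```python
"""Deployment policy check: if auth is off or a password is empty, every
published port must bind to loopback. Added example, not the project's script.
AUTH_ENABLED / *PASSWORD are assumed names; sample compose texts are constructed."""
import sys

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _block_items(text):
    """Yield (section, item) for entries under any `ports:` or `environment:` key."""
    section, base = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # naive comment strip (ignores '#' in quotes)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        item = line.strip()
        if section is not None and indent <= base:
            section = None  # dedented past the block header: block ended
        if item in ("ports:", "environment:"):
            section, base = item[:-1], indent
        elif section is not None:
            yield section, item


def _unquote(s):
    return s.strip().strip("\"'")


def _parse_env(item):
    """'- KEY=value' or 'KEY: value' -> (KEY, value); a missing value becomes ''."""
    if item.startswith("-"):
        item = item[1:]
    item = _unquote(item)
    for sep in ("=", ":"):
        if sep in item:
            key, val = item.split(sep, 1)
            return key.strip(), _unquote(val)
    return item, ""


def parse_compose(text):
    """Collect (port_mappings, env) across all services; long-form ports are out of scope."""
    ports, env = [], {}
    for section, item in _block_items(text):
        if section == "ports" and item.startswith("-"):
            ports.append(_unquote(item[1:]))
        elif section == "environment":
            key, val = _parse_env(item)
            env[key] = val
    return ports, env


def host_ip(mapping):
    """Host interface of a short-form mapping, or None when unqualified (all interfaces)."""
    if mapping.startswith("["):  # bracketed IPv6, e.g. "[::1]:8443:8443"
        return mapping[1:mapping.index("]")]
    parts = mapping.split(":")
    return parts[0] if len(parts) >= 3 else None


def auth_weak(env):
    """True when auth is disabled or any *PASSWORD variable is empty (assumed naming)."""
    if env.get("AUTH_ENABLED", "true").lower() in ("false", "0", "no", "off"):
        return True
    return any(k.upper().endswith("PASSWORD") and v == "" for k, v in env.items())


def check_policy(text):
    """Return the port mappings that violate the invariant; an empty list means pass."""
    ports, env = parse_compose(text)
    if not auth_weak(env):
        return []
    return [p for p in ports if host_ip(p) not in LOOPBACK]


# Constructed sample compose files (not the repository's docker-compose.yml).
SAFE = """\
services:
  app:
    image: example/app:latest
    ports:
      - "127.0.0.1:8080:8080"
      - "[::1]:8443:8443"
    environment:
      - AUTH_ENABLED=false
      - ADMIN_PASSWORD=
"""
PUBLIC_NO_AUTH = SAFE.replace('"127.0.0.1:8080:8080"', '"0.0.0.0:8080:8080"')
UNQUALIFIED_NO_AUTH = SAFE.replace('"127.0.0.1:8080:8080"', '"8080:8080"')
PUBLIC_WITH_AUTH = """\
services:
  app:
    image: example/app:latest
    ports:
      - "0.0.0.0:8080:8080"
    environment:
      AUTH_ENABLED: "true"
      ADMIN_PASSWORD: "s3cret"  # constructed value
"""


def main(paths):
    failed = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for mapping in check_policy(fh.read()):
                print(f"{path}: auth off or empty password, but '{mapping}' is not loopback-only")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or ["docker-compose.yml", "docker-compose.standalone.yml"]))
```

An unqualified `8080:8080` counts as a violation because Docker publishes it on all interfaces, which is exactly the regression the check is meant to catch. A generic misconfiguration scanner such as Trivy does not know this project-specific invariant, which is why a custom policy job is the right place for it. The hand-rolled reader is deliberately minimal: it does not handle long-form `ports:` entries (`target`/`published`/`host_ip`), YAML anchors, or `#` inside quoted values, so a production version should parse the file with a real YAML library and fail closed on anything it cannot interpret.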

TannerTorrey3 and others added 3 commits March 28, 2026 15:10
The release-please workflow, config, and manifest are redundant —
releases are managed via manual tags and the existing release.yml
workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a config-security workflow with two jobs:
- Trivy misconfig scanner for Docker/config file best practices
- Custom policy check enforcing the invariant: if auth is disabled
  or passwords are empty, all port bindings must be 127.0.0.1

Current docker-compose files pass (they bind to localhost). The check
catches regressions like switching to 0.0.0.0 or adding unqualified
port bindings while auth is disabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
TannerTorrey3 merged commit 130a68b into main Mar 28, 2026
8 checks passed
josephismikhail deleted the ci/config-security-scanning branch April 1, 2026 22:48
