docs: add RELEASES.md covering release notes + vulnerability-disclosure flow (Best Practices criteria)#271
Merged
Semgrep Scan Results: scanned at 2026-05-18 19:37 UTC
Security Scan Results: scanned at 2026-05-18 19:37 UTC
Satisfies OpenSSF Best Practices bestpractices.dev criteria:
- release_notes: documents that per-release human-readable notes live at https://github.com/simple-container-com/api/releases, auto-generated from PR titles (not raw git log) via gh release create --generate-notes in scripts/create-github-release.sh.
- release_notes_vulns: documents the commit-subject convention (fix(security): / fix(deps): / hotfix:) that surfaces security changes in the release notes, plus how GitHub Security Advisories cross-link to the affected release.
- report_archive: points at the public archive surfaces:
  - https://github.com/simple-container-com/api/issues
  - https://github.com/simple-container-com/api/pulls (closed)
  - https://github.com/simple-container-com/api/security/advisories
Also covers:
- 'How release notes are produced' (gh release create flow from push.yaml's docker-finalize job)
- 'How to read a release for security implications' (per-tag step-by-step)
- Release cadence (automatic prod on every merge to main; preview builds tagged but not turned into Releases; hotfixes use the same flow per PR #268 canonical example)
- Cross-refs to SECURITY.md / CONTRIBUTING.md / MAINTAINERS.md / ARCHITECTURE.md / DEPENDENCIES.md / HARDENING.md so the doc reader can traverse the project documentation map.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
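To make the "how to read a release for security implications" convention in the commit message above concrete, here is an added example (mine, not code from the simple-container project or its release script): it parses `type(scope): description` subjects, flags the `fix(security):` / `fix(deps):` / `hotfix` forms the message names as security-relevant, and pulls any GHSA/CVE identifiers out of the commit body so they can be listed next to the entry. The sample subjects and the advisory identifiers inside them are constructed placeholders; the project's real notes come from `gh release create --generate-notes`, which this does not reproduce.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Commit is one merged change as it lands in the release notes: the PR or
// commit subject, plus the body where advisory identifiers are cited.
type Commit struct {
	Subject string
	Body    string
}

// subjectRe matches the "type(scope)!: description" subject form; the scope
// and the breaking-change marker are optional.
var subjectRe = regexp.MustCompile(`^([a-z]+)(?:\(([^)]*)\))?(!)?:\s*(.+)$`)

// advisoryRe finds GitHub Security Advisory and CVE identifiers in a commit body.
var advisoryRe = regexp.MustCompile(`\b(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|CVE-\d{4}-\d{4,})\b`)

// Classification is what a reader needs in order to judge one release entry.
type Classification struct {
	Type       string
	Scope      string
	Breaking   bool
	Security   bool     // fix(security): / fix(deps): / hotfix per the convention
	Advisories []string // GHSA/CVE IDs cited in the body, deduplicated, in order
}

// Classify applies the subject convention: fix(security): and fix(deps): mark
// security-relevant fixes, and any hotfix subject counts regardless of scope.
func Classify(c Commit) (Classification, error) {
	m := subjectRe.FindStringSubmatch(strings.TrimSpace(c.Subject))
	if m == nil {
		return Classification{}, fmt.Errorf("subject does not follow type(scope): description: %q", c.Subject)
	}
	cl := Classification{Type: m[1], Scope: m[2], Breaking: m[3] == "!"}
	switch {
	case cl.Type == "hotfix":
		cl.Security = true
	case cl.Type == "fix" && (cl.Scope == "security" || cl.Scope == "deps"):
		cl.Security = true
	}
	seen := map[string]bool{}
	for _, id := range advisoryRe.FindAllString(c.Body, -1) {
		if !seen[id] {
			seen[id] = true
			cl.Advisories = append(cl.Advisories, id)
		}
	}
	return cl, nil
}

// SecuritySection renders the lines a reader should scan first in a release:
// the security-relevant entries, each with the advisories it cites.
func SecuritySection(commits []Commit) []string {
	var out []string
	for _, c := range commits {
		cl, err := Classify(c)
		if err != nil || !cl.Security {
			continue // non-conventional subjects and plain features are not security entries
		}
		line := "- " + strings.TrimSpace(c.Subject)
		if len(cl.Advisories) > 0 {
			line += " [" + strings.Join(cl.Advisories, ", ") + "]"
		}
		if cl.Breaking {
			line += " (BREAKING)"
		}
		out = append(out, line)
	}
	return out
}

// sampleCommits is constructed input; the GHSA and CVE identifiers are placeholders, not real advisories.
var sampleCommits = []Commit{
	{Subject: "feat(cli): add --json output", Body: "plain feature, nothing to flag"},
	{Subject: "fix(security): reject path traversal in artifact names", Body: "Addresses GHSA-xxxx-xxxx-xxxx (placeholder ID)."},
	{Subject: "fix(deps): bump example module", Body: "Pulls in the fix for CVE-2024-00000 (placeholder). Also CVE-2024-00000 again."},
	{Subject: "hotfix: revert broken release", Body: ""},
	{Subject: "not a conventional subject", Body: ""},
}

func main() {
	for _, l := range SecuritySection(sampleCommits) {
		fmt.Println(l)
	}
}
```

Run as-is and the three security-relevant entries print, each with the identifiers its body cites; a subject that does not follow the convention is skipped rather than guessed at, which is the same failure mode a reader hits when a security fix lands under a plain `fix:` subject.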
….02 + 05.03)
Closes OpenSSF Baseline OSPS-VM-05.03 ('changes MUST be automatically
evaluated against documented policy for malicious deps and known
vulnerabilities ... blocked in event of violations, except when
declared and suppressed as non-exploitable') and OSPS-VM-04.02
('vulnerabilities not affecting the project MUST be accounted for in
a VEX document').
Adds:
- .github/workflows/govulncheck.yml — runs govulncheck -mode=source
on every PR + push to main + Monday cron. Reachability-aware: fails
the build only if the vulnerability is actually reachable from our
call graph. This filters out the aws-sdk-go v1 s3crypto false
positives (GO-2022-0635, GO-2022-0646) without needing VEX consult
because govulncheck knows we don't call NewDecryptionClient /
NewEncryptionClient. SHA-pinned actions/checkout + actions/setup-go.
Concurrency-keyed by commit SHA (same pattern as codeql.yml +
fuzz.yml + dco.yml).
- vex/openvex.json — formal OpenVEX v0.2.0 document declaring
not_affected for GO-2022-0635 + GO-2022-0646. justification:
vulnerable_code_not_in_execute_path. impact_statement cites
govulncheck output as evidence. Consumed by VEX-aware tools
(Trivy --vex, Grype --vex) so they suppress correctly too.
This is the enforcement half of the SCA policy documented in
docs/DEPENDENCIES.md (next commit). Suppressions ONLY via VEX — no
.trivyignore, no # nosemgrep, no // nolint per project policy in
CONTRIBUTING.md.
Empirically verified: govulncheck -mode=source ./... currently
reports 'Your code is affected by 0 vulnerabilities.' so this gate
does NOT regress today's posture; it just enforces it going forward.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
… 05.02 + 05.03)
Appends two new sections to docs/DEPENDENCIES.md:
'Remediation thresholds (SCA policy)' — closes OSPS-VM-05.01
('the project documentation MUST include a policy that defines a
threshold for remediation of SCA findings related to vulnerabilities
and licenses'):
- Severity table: CRITICAL 24h/7d, HIGH 30d, MEDIUM 90d, LOW
next-pass. SLA clock starts when govulncheck confirms reachability.
- License-allow table: MIT/Apache-2.0/BSD-3/BSD-2/ISC/MPL-2.0 ✅;
LGPL ⚠️ case-by-case; GPL/AGPL ❌ for runtime; unknown ❌.
'Pre-release SCA gate' — closes OSPS-VM-05.02 ('policy to address
SCA violations prior to any release') and the documentation half of
OSPS-VM-05.03. Production releases are cut automatically on every
merge to main, so 'pre-release' = 'pre-merge'. The gate runs on every
PR + push:
- govulncheck (.github/workflows/govulncheck.yml, previous commit) —
blocks on reachable Go advisories
- CodeQL — blocks on ERROR-severity findings
- Semgrep — blocks on ERROR-severity findings
- TruffleHog — blocks on verified secrets
- Dependabot — visibility (auto-PRs become blocking items via the SLA)
- Trivy/Grype — reports counts; will graduate to blocking on
HIGH/CRITICAL once VEX consumption wires in across the shared
security-scan workflow
'Suppressing a finding (non-exploitable / false positive)' — closes
the suppression half of OSPS-VM-05.03. Only sanctioned channel is
VEX (vex/openvex.json). .trivyignore / # nosemgrep / // nolint /
# noqa are NOT sanctioned suppression channels. Suppression flow is
itself documented policy: reachable findings without a VEX
not_affected entry block the merge.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
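The two commit messages above (the govulncheck + OpenVEX gate, and the DEPENDENCIES.md suppression policy) describe one rule: a reachable finding blocks the merge unless vex/openvex.json carries a not_affected statement for it, and the justification is the evidence. The following Go program is an added example, not the project's own code or workflow: it decodes an OpenVEX v0.2.0 document, refuses not_affected statements that have no justification, and returns the findings that would block. The document and the scanner findings are constructed inline; the "@id", the product purl and GO-XXXX-PLACEHOLDER are assumptions, while GO-2022-0635 and GO-2022-0646 are the advisory identifiers the commit message names. Matching on an exact product identifier is a simplification; Trivy and Grype apply their own product and subcomponent matching when they consume a VEX file.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement is the subset of an OpenVEX statement the merge gate reads;
// v0.2.0 writes each product as an object whose "@id" is normally a purl.
type Statement struct {
	Vulnerability struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products      []struct{ ID string `json:"@id"` } `json:"products"`
	Status        string `json:"status"`
	Justification string `json:"justification"`
}

// Document is the OpenVEX envelope; fields the gate does not need are ignored.
type Document struct {
	Context    string      `json:"@context"`
	Statements []Statement `json:"statements"`
}

// Finding is one scanner result: advisory ID, the product it was reported
// against, and whether reachability analysis put the vulnerable code on a call path.
type Finding struct {
	VulnID    string
	Product   string
	Reachable bool
}

// ParseVEX decodes the document and rejects any not_affected statement without a
// justification, since the justification is the evidence the policy requires.
func ParseVEX(data []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	if doc.Context != "https://openvex.dev/ns/v0.2.0" {
		return nil, fmt.Errorf("unexpected @context %q (OpenVEX v0.2.0 required)", doc.Context)
	}
	for i, st := range doc.Statements {
		if st.Status == "not_affected" && st.Justification == "" {
			return nil, fmt.Errorf("statement %d (%s): not_affected without justification", i, st.Vulnerability.Name)
		}
	}
	return &doc, nil
}

// Suppressed reports whether a not_affected statement covers this vulnerability for
// this exact product; affected, under_investigation and fixed never suppress.
func (d *Document) Suppressed(f Finding) bool {
	for _, st := range d.Statements {
		if st.Status != "not_affected" || st.Vulnerability.Name != f.VulnID {
			continue
		}
		for _, p := range st.Products {
			if p.ID == f.Product {
				return true
			}
		}
	}
	return false
}

// Blocking applies the merge rule: a reachable finding blocks unless a not_affected
// VEX statement covers it; unreachable findings never block.
func Blocking(d *Document, findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Reachable && !d.Suppressed(f) {
			out = append(out, f)
		}
	}
	return out
}

// sampleVEX is a constructed document in the shape the page describes: the "@id"
// and the product purl are assumptions; the two GO advisory IDs are the ones the page names.
const sampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/placeholder-1",
  "author": "constructed example", "timestamp": "2026-05-18T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "GO-2022-0635"}, "products": [{"@id": "pkg:golang/github.com/aws/aws-sdk-go"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "govulncheck -mode=source: vulnerable symbols not reachable from the call graph"},
    {"vulnerability": {"name": "GO-2022-0646"}, "products": [{"@id": "pkg:golang/github.com/aws/aws-sdk-go"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "govulncheck -mode=source: vulnerable symbols not reachable from the call graph"}
  ]
}`

// sampleFindings is constructed scanner output; GO-XXXX-PLACEHOLDER and the example.invalid purls are not real.
var sampleFindings = []Finding{
	{VulnID: "GO-2022-0635", Product: "pkg:golang/github.com/aws/aws-sdk-go", Reachable: false},
	{VulnID: "GO-2022-0646", Product: "pkg:golang/github.com/aws/aws-sdk-go", Reachable: true},
	{VulnID: "GO-XXXX-PLACEHOLDER", Product: "pkg:golang/example.invalid/mod", Reachable: true},
	{VulnID: "GO-2022-0635", Product: "pkg:golang/example.invalid/other", Reachable: true},
}

func main() {
	doc, err := ParseVEX([]byte(sampleVEX))
	if err != nil {
		panic(err)
	}
	for _, f := range Blocking(doc, sampleFindings) {
		fmt.Printf("BLOCK %s in %s: reachable and not covered by a not_affected statement\n", f.VulnID, f.Product)
	}
}
```

Of the four constructed findings, only the placeholder advisory and the GO-2022-0635 report against a product the VEX document does not name would block; the first is filtered by reachability and the second by the statement. The justification check is the point of the policy: a not_affected entry without one is a bare suppression, which is exactly what the .trivyignore / nosemgrep / nolint ban is meant to prevent.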
….02)
Closes OpenSSF Baseline OSPS-BR-07.02 — 'the project MUST define a policy for managing secrets and credentials used by the project. The policy should include guidelines for storing, accessing, and rotating secrets and credentials.'
Covers:
- Categories of secret (CI/CD vs prod runtime vs maintainer-personal vs Sigstore signing identity vs test fixtures)
- Storing rules: no commit (TruffleHog + GitHub secret-scanning push-protection enforced), encrypted-at-rest only, no SOPS-in-repo, fixture placeholder requirements
- Accessing rules: least-privilege per CI job (Scorecard Token-Permissions=10), no pull_request_target on untrusted-PR workflows, no secret values in logs, step-scoped env
- Rotation cadence: CI publish tokens 90d, Cloudflare quarterly, GitHub PATs 90d, Sigstore Fulcio per-build, prod runtime per consumer policy
- On-leak procedure: rotate immediately → audit platform logs → GHSA if affects published artifacts → document in post-mortem
- Detection: TruffleHog + GitHub secret-scanning + Semgrep custom rules
- Cross-references to SECURITY.md / MAINTAINERS.md / DEPENDENCIES.md / HARDENING.md
Per-maintainer specific ACL membership intentionally not published here (kept in private SC team credential inventory) to avoid leaking attack surface, matching MAINTAINERS.md threat-model approach.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
….01)
Closes OpenSSF Baseline OSPS-DO-04.01 ('descriptive statement about
the scope and duration of support for each release') and
OSPS-DO-05.01 ('descriptive statement when releases or versions will
no longer receive security updates').
The previous 'Supported versions' section was vague ('most recent
calver release supported, older versions receive no patches').
Tightens this to two named subsections matching the Baseline criteria
labels:
Support scope (OSPS-DO-04.01):
- Continuous-calver model — production release cut on every merge to
main; supported version moves continuously. No LTS branch.
- Latest vYYYY.M.x: ✅ active support
- Previous vYYYY.M.x same month line: ✅ best-effort HIGH/CRIT backport per DEPENDENCIES.md SLA
- Older: ❌ no patches
End-of-life policy (OSPS-DO-05.01):
- A release is EOL the moment the next vYYYY.M.x ships
- No security updates to older releases (including HIGH/CRIT)
- Supported upgrade path = bump to latest
- Consumers should pin to a tag and update at least monthly
- Rationale spelled out: fewer than 5 active maintainers; LTS would
dilute attention on the active head; calver + reproducible verified
artifacts is the supported posture
- Exception process for regulatory/contractual constraints — case-by-case, not part of the public policy
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…ssions (GV-04.01)
Closes OpenSSF Baseline OSPS-GV-04.01 — 'the project documentation MUST have a policy that code collaborators are reviewed prior to granting escalated permissions to sensitive resources.'
Adds 'Promoting a contributor / Granting escalated permissions' section to MAINTAINERS.md with five named gates:
1. Track-record gate: 5+ merged PRs over >=3 months, demonstrated review-and-iterate behaviour, no suppression-policy violations.
2. Sponsorship gate: existing maintainer nomination + second from another maintainer (or project lead if only one) + contributor acceptance.
3. Account-hardening gate: 2FA verified on GitHub / Docker Hub / Cloudflare BEFORE any resource ACL change; SSH/GPG signing key registered + matches identity.
4. Least-privilege grant: only the credentials needed for declared work scope; per-credential ACL recorded in private inventory.
5. Probationary period: first 30 days co-reviewed by an existing maintainer.
Also expands 'Adding or removing a maintainer (mechanics)' offboarding flow to cross-link SECRETS-POLICY.md rotation schedule (accelerated to immediate on offboard).
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Surfaces the bestpractices.dev Passing/Silver/Gold tier badge alongside the existing OpenSSF Baseline badge. Both link to the same project page; the Best Practices badge tracks the tier we earn from the self-attestation answers (which this PR's docs additions are meant to make Met-able). Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Closes the OpenSSF Best Practices code_of_conduct and documentation_roadmap criteria, surfaces both from the README so contributors land on them via the standard GitHub repo header.
- docs/CODE_OF_CONDUCT.md: Contributor Covenant 2.1 verbatim with the reporting contact wired to creed@simple-container.com (consistent with docs/SECURITY.md + docs/MAINTAINERS.md security contacts).
- docs/ROADMAP.md: rolling-release cadence note, Issues-label-driven state, current themes, "how a roadmap item becomes shipped code" flow pointing at CONTRIBUTING.md and MAINTAINERS.md.
- README.md: extends the Contributing section to mention the CoC and adds a Roadmap section above License.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Closes the OpenSSF Best Practices governance criterion (how decisions on technical direction are made).
- Adds a "Decision-making" subsection under Roles: consensus via PR review (enforced by branch protection), additional reviewers for security-sensitive paths per CONTRIBUTING.md, project-lead tiebreaker for contentious calls, link to ROADMAP.md for how triage shapes shipped work.
- Removes the public reference to the internal hardening tracker on the offboarding line; the public-facing maintainer-side admin checklist is enough description for outside readers.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
The internal hardening tracker and control-matrix files (HARDENING.md, SECURITY-CONTROLS.md) are maintained out-of-tree while security work is in flight, so links to them produced broken navigation in the public repo. This commit replaces each reference with the public equivalent.
- docs/RELEASES.md: drops the "Internal phase-by-phase hardening tracker" row from the release-notes destinations table; the cross-references section now points readers at ROADMAP.md for where planned + open security items surface in public.
- docs/DEPENDENCIES.md: the image-scanning column drops the parenthetical pointer; the false-positive paragraph now correctly cites vex/openvex.json (OpenVEX not_affected statements) as the canonical channel and explicitly bans the suppression-file alternatives; the license-policy note reads "tracked internally".
- docs/SECRETS-POLICY.md: removes the trailing bullet referencing the Phase 6 admin-UI checklist.
- docs/CONTRIBUTING.md: the security-sensitive-change PR template now points contributors at SECURITY.md's STRIDE table + V1-V5 attack vectors instead of the internal tracker; clarifies the threat-model note should cover reachability and blast-radius.
- docs/ARCHITECTURE.md: "Related security documentation" cross-refs now point only at public files (SECURITY/DEPENDENCIES/SECRETS-POLICY/MAINTAINERS/RELEASES/ROADMAP).
No code paths affected; this is a public-doc-only cleanup that keeps all working links inside the repo.
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
smecsia approved these changes on May 18, 2026.
Cre-eD added a commit that referenced this pull request on May 18, 2026:
## Summary

Eliminates the "cancelled" workflow runs that appeared on every PR's checks page for CodeQL and Go Fuzz. The cancellations were the SHA-keyed concurrency group dedup'ing two events fired on the same PR commit — `push: ['**']` and `pull_request: [main]` — and were not real failures.

## What was happening

Every PR commit:

```
push          <SHA>   cancelled   ← always the dedup'd twin
pull_request  <SHA>   success     ← actual scan
```

Confirmed via run-history audit on the last 10 runs of both workflows — every SHA-pair follows this exact pattern. The `pull_request` event consistently wins; the `push` event is consistently cancelled. No real CI failures.

## Why the `['**']` was there

A previous change added `push: branches: ['**']` based on the assumption that scanning every branch push helps Scorecard's SAST coverage. Reading the Scorecard SAST check source ([`checks/raw/sast.go`](https://github.com/ossf/scorecard/blob/main/checks/raw/sast.go)) shows it actually scopes to **merged PRs on the default branch**, and asks whether SAST ran successfully on each PR's HEAD commit. Pushes to feature branches outside a PR are out of scope.

## What this PR does

- `.github/workflows/codeql.yml`: `push: branches: [main]` (was `['**']`).
- `.github/workflows/fuzz.yml`: same.

The `pull_request: [main]` trigger is unchanged in both — every PR commit still gets a CodeQL + fuzz run. The post-merge `push: [main]` trigger picks up direct pushes to main. The SHA-keyed concurrency group is kept as-is so a manual rerun on the same commit still supersedes any in-flight run.

## Score impact

**Zero.**

- Scorecard SAST: every merged PR still has a successful CodeQL run on its HEAD via `pull_request`, which is what the SAST check counts.
- Scorecard Fuzzing: this check is static-detection only — it asks whether a `*_fuzz_test.go` using `testing.F` exists and is wired into a workflow. Frequency of execution does not affect the score.

## Test plan

- [ ] CI green on this PR (only `pull_request` runs — no `push` twin to cancel)
- [ ] After merge: open a follow-up PR and confirm the CodeQL + Go Fuzz check entries appear exactly once (not twice with a cancellation)
- [ ] Next Scorecard run after merge: SAST + Fuzzing scores unchanged

## Related

- PR #264: original Codex round-2 SHA-keyed-dedup catch (kept; still correct for manual reruns).
- PR #270 / #271: most recent Scorecard climb (7.8 → 9.3) — this PR is a UI/UX cleanup only, no climb expected.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD added a commit that referenced this pull request on May 19, 2026:
…integration suite repair (#273)

## Summary

Lays the foundation for climbing toward OpenSSF Best Practices statement-coverage targets (Silver ≥ 80 %, Gold ≥ 90 %). The repo was at ~16 % aggregate when this PR opened; this PR moves the needle to **~17.7 %** with first-pass unit tests in 12 packages, codifies the conventions every future test must follow, and repairs the integration suite so its broader code-path coverage can be merged in via a follow-up `gocovmerge` step.

The PR is intentionally consolidated (no follow-up PRs spawned for each batch) — each `main` merge cuts a CalVer release, so we batch into a single landing.

## What's in (9 commits)

| # | SHA | Scope |
|---|---|---|
| 1 | `b4c8667` | `docs(testing)`: `docs/TESTING.md` (gomega + table-driven + sub-tests + mockery v2.53.4 + `//go:build integration` policy + invocation cheatsheet + coverage targets), new `welder run coverage` task with entry-point + auto-gen-mock exclusion filter, link from `docs/CONTRIBUTING.md`. |
| 2 | `dfef382` | `test(integration)`: tag the 2 remaining `*_integration_test.go` files (`pkg/security/` and `pkg/security/scan/`) so default `go test ./...` doesn't accidentally pull in cosign/syft/trivy dependencies. |
| 3 | `555b733` | `test`: quick-win unit tests — `pkg/api/git/path_util` 0→92.9 %, `pkg/api/logger/color` 0→100 %, `pkg/clouds/fs` 0→84.6 %. |
| 4 | `b968817` | `test`: `pkg/api/secrets/ciphers` 79.8→84.0 %, `pkg/api/logger` 0→100 %, `pkg/clouds/cloudflare` 0→83.3 %, `pkg/assistant/utils` 0→79.2 %. |
| 5 | `860eb5c` | `test+fix`: `pkg/clouds/discord` 0→45.6 %, `pkg/clouds/mongodb` 0→83.3 %; **fixed a latent panic** in `intelligentTruncate` (negative-slice-bounds when `maxLength` is very small — unreachable from production today, but a defensive fallback to a simple end-trim with `"..."` suffix lands the test that would have caught it). |
| 6 | `05e0c49` | `test`: `pkg/util` 5.9→32.6 % across `json.go` / `map.go` / `split.go` / `string.go` helpers. |
| 7 | `d6b72b9` | `test`: `pkg/clouds/github` 0→13.4 % covering `ActionsCiCdConfig` + `EnhancedActionsCiCdConfig` getters, `SetDefaults`, `Validate`. |
| 8 | `5a5bb80` | `test`: `pkg/api` 3.4→10.8 % — `ConfigFilePath`, `ConfigFile.ToYaml`, `ReadConfigFile` (file path + env-var paths + missing-file error), `UnmarshalDescriptor[T]`, `ReadDescriptor[T]`. |
| 9 | `40075ef` | `test(integration)`: fix 3 stale API calls so `go test -tags integration ./...` compiles cleanly for the first time in months. Was a dead suite — nobody runs the tag, so `installer.CheckInstalled("cosign")` / `versionChecker.ValidateVersion(...)` (signatures changed) / `signing.CheckCosignInstalled` (removed) had drifted out of sync silently. |

## Per-package coverage delta

| Package | Before | After |
|---|---|---|
| `pkg/api/logger` | 0 % | **100 %** |
| `pkg/api/logger/color` | 0 % | **100 %** |
| `pkg/api/git/path_util` | 0 % | **92.9 %** |
| `pkg/clouds/fs` | 0 % | **84.6 %** |
| `pkg/api/secrets/ciphers` | 79.8 % | **84.0 %** |
| `pkg/clouds/cloudflare` | 0 % | **83.3 %** |
| `pkg/clouds/mongodb` | 0 % | **83.3 %** |
| `pkg/assistant/utils` | 0 % | **79.2 %** |
| `pkg/clouds/discord` | 0 % | **45.6 %** |
| `pkg/util` | 5.9 % | **32.6 %** |
| `pkg/clouds/github` | 0 % | **13.4 %** |
| `pkg/api` | 3.4 % | **10.8 %** |
| **Repo-wide aggregate** | **~16.1 %** | **~17.7 %** |

## OpenSSF Best Practices criteria closed by `docs/TESTING.md`

| Criterion | Source |
|---|---|
| `test_invocation` | Test-invocation cheatsheet section |
| `test_continuous_integration` | CI section (refs `welder run test` + the new `coverage` task) |
| `tests_documented_added` | "When tests are required" section + `docs/CONTRIBUTING.md` cross-link |
| `test_policy_mandatory` | Same — codified policy with severity-by-change-type matrix |

## What this does NOT close yet

- `test_statement_coverage80` / `test_statement_coverage90`: 17.7 % is a long way from Silver (80 %) and Gold (90 %). The realistic path is **not** more hand-written unit tests in isolation — it's wiring the existing integration + e2e suites into a merged coverage profile via `gocovmerge`. The integration suite is now compilable (commit 9); the next PR will:
  - install cosign / syft in CI,
  - run `go test -tags integration -coverprofile=int.cov`,
  - merge with `unit.cov` + (optionally) the existing `e2e_*_test.go` runs against the file-system Pulumi backend,
  - report the aggregate on every PR.
- The pre-existing `pkg/provisioner.Test_Init/happy_path/initial_commit_is_present` failure on `main` is **not** addressed by this PR — it was failing before any of this work landed.

## Test plan

- [x] `go test -count=1 -short ./pkg/...` — green (all newly-tested packages pass).
- [x] `go vet -tags integration ./...` — clean (was 3 errors before commit 9).
- [x] `go test -tags integration -run='^$' -count=1 ./...` — every integration package compiles and reports "no tests to run" (proves the tag-gated source is now buildable; full integration run requires cosign/syft/trivy installed).
- [x] All 9 commits SSH-signed by verified key.
- [ ] CI green on this PR.
- [ ] After merge: open the gocovmerge-wiring follow-up.

## Related

- PR #270 / #271 / #272: prior OpenSSF maturity work (Scorecard 7.8 → 9.3, Baseline + Best Practices badge criteria, CI cancellation-noise cleanup).
- Follow-up (planned, same PR if scope allows, otherwise a separate dedicated CI-only PR per the org's "fewer merge-triggered releases" preference): merged coverage profile in `welder run coverage` + `.github/workflows/coverage.yml` posting a delta comment on every PR.

---------

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Summary
Closes the remaining publicly-actionable OpenSSF Baseline + Best Practices criteria for project 12886. This PR grew from "ship docs/RELEASES.md" into a comprehensive maturity-doc pass after going through the bestpractices.dev form — every claim made on the form now points at a file in this repo. PR #270 (signed-release pipeline + CONTRIBUTING/ARCHITECTURE) merged earlier today; #271 builds on top.
Commits (10)
- e501057 docs: add RELEASES.md — release-notes mechanics + vuln-disclosure flow
- 8fb7f62 ci: blocking govulncheck + OpenVEX — reachability-aware Go vuln gate + vex/openvex.json
- 82e01bd docs(deps): SCA remediation policy — docs/DEPENDENCIES.md
- f1f8b5a docs: SECRETS-POLICY.md — secret categorisation + rotation cadence
- 1f4f387 docs(security): EOL policy — support scope + end-of-life
- d94b17b docs(maintainers): collaborator-review policy — 5-gate promotion process
- fe4c95b docs(readme): OpenSSF Best Practices badge
- e8d601d docs: add CODE_OF_CONDUCT and ROADMAP, link from README
- dc34784 docs(maintainers): document decision-making, drop internal-tracker ref
- f86f087 docs: remove internal-tracker references from public files
Closes (Baseline + Best Practices criteria)
Baseline criteria, by destination file and section:
- docs/SECURITY.md
- docs/SECURITY.md, private channels
- docs/SECURITY.md, Support scope
- docs/SECURITY.md, End-of-life
- docs/RELEASES.md
- docs/SECURITY.md
- docs/RELEASES.md, archive URLs
- docs/ARCHITECTURE.md
- docs/MAINTAINERS.md
- docs/MAINTAINERS.md, Decision-making subsection (new)
- docs/MAINTAINERS.md, 5-gate promotion
- govulncheck.yml + docs/DEPENDENCIES.md
- docs/DEPENDENCIES.md, License policy table
- docs/DEPENDENCIES.md, Selection process
- docs/DEPENDENCIES.md, SLA table
- vex/openvex.json + docs/DEPENDENCIES.md
- .github/workflows/govulncheck.yml + docs/DEPENDENCIES.md

Best Practices criteria:

| Criterion | File | Section |
|---|---|---|
| code_of_conduct | docs/CODE_OF_CONDUCT.md | Contributor Covenant 2.1 |
| documentation_roadmap | docs/ROADMAP.md | |
| governance | docs/MAINTAINERS.md | Decision-making subsection |
| release_notes / release_notes_vulns / report_archive | docs/RELEASES.md | |
| vulnerability_response_process | docs/SECURITY.md | |
| coding_standards / coding_standards_enforced | .golangci.yml + CI in build-staging.yml | |

Form-paste answers (URL + justification)
These are the laconic, public-safe answers being submitted to bestpractices.dev for project 12886:
- https://github.com/simple-container-com/api/releases. Each prod release ships a GitHub Release with categorised PR-title summary (not raw git log), auto-generated by gh release create --generate-notes invoked from scripts/create-github-release.sh. Mechanism documented in docs/RELEASES.md.
- fix(security): / fix(deps): / hotfix(...) subject conventions, surfaced in auto-generated notes. GHSA-IDs / CVE-IDs cited in commit bodies. GitHub Security Advisories (when published) cross-link to the affected release tag.
- https://github.com/simple-container-com/api/issues, https://github.com/simple-container-com/api/pulls?q=is%3Apr+is%3Aclosed, https://github.com/simple-container-com/api/security/advisories. All publicly readable + searchable via GitHub UI / REST.
- YYYY.M.X; no older minor branches maintained. Upgrade is re-running the signature-verified bootstrap (curl -s https://dist.simple-container.com/sc.sh | bash). Breaking changes called out in per-release notes.
- https://github.com/simple-container-com/api/issues.
- https://github.com/simple-container-com/api/security/advisories per docs/SECURITY.md.
- https://github.com/simple-container-com/api/blob/main/docs/SECURITY.md.
- gofmt / go vet / staticcheck / golangci-lint. Config: .golangci.yml. Standard ref: https://go.dev/doc/effective_go.
- .github/workflows/build-staging.yml runs the checks on every PR; branch protection on main blocks merge until they pass.
- CC/CFLAGS in the C-compiler sense; build flags pass via the Go toolchain's own conventions and the welder build descriptor.
- -trimpath for reproducibility; symbol tables retained by default (no -ldflags='-s -w'); no separate strip-on-install step.
- make.
- go.sum hashes all transitive deps; -trimpath; pinned toolchain in go.mod; SHA-digest-pinned base images. Released binaries carry SLSA Build L3 provenance + CycloneDX SBOM.
- curl -s https://dist.simple-container.com/sc.sh | bash (cosign-verified). Uninstall = rm $(which sc) (single static binary). Same bootstrap on a newer release upgrades.
- https://github.com/simple-container-com/api/blob/main/docs/CODE_OF_CONDUCT.md (Contributor Covenant 2.1; enforcement contact creed@simple-container.com).
- https://github.com/simple-container-com/api/blob/main/docs/ROADMAP.md.
- docs/MAINTAINERS.md (consensus via PR review enforced by branch protection; project-lead tiebreaker for contentious calls).
Out of scope
- dynamic_analysis (SUGGESTED) — SC is a CLI tool; native Go fuzz on the HMAC parse path (pkg/security/cache_fuzz_test.go) is covered separately by Scorecard Fuzzing=10/10. Traditional DAST does not apply.
Test plan
- HARDENING.md / SECURITY-CONTROLS.md) in public docs (grep -rn 'HARDENING\.md\|SECURITY-CONTROLS' --include='*.md' returns empty)
- Build Setup, Analyze Go, govulncheck, Semgrep, Fuzz HMAC, TruffleHog, SBOM, DCO)
- Signed-Releases climbing (v2026.5.22 already published with .sigstore.json + .cosign-bundle sidecars; rescan dispatched 2026-05-18T19:30Z)
Notes
The internal hardening tracker and control-matrix files (HARDENING.md, SECURITY-CONTROLS.md) remain out-of-tree while security work is in flight; all public references have been replaced with their public equivalents in commit f86f087 so navigation from inside the public repo never returns 404.