From 04cff2ac31313840cf9bfd19ea43d7738e6211e7 Mon Sep 17 00:00:00 2001
From: Daniel Widgren
Date: Tue, 14 Apr 2026 22:11:56 +0200
Subject: [PATCH] =?UTF-8?q?chore(security):=20hardening=20pass=20=E2=80=94?=
 =?UTF-8?q?=20SECURITY.md,=20dependabot,=20pin=20actions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add SECURITY.md with private vulnerability reporting policy
- Add dependabot.yml for GitHub Actions and Go modules
- Pin actions/checkout and actions/setup-go to SHA (was @v4/@v5)

Addresses cross-cutting security review (2026-04-14). LICENSE already present.
---
 .github/dependabot.yml | 27 +++++++++++++++++++++++
 .github/workflows/ci.yml | 4 ++--
 SECURITY.md | 47 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 SECURITY.md

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..0060b57
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "ci"
+ commit-message:
+ prefix: "ci"
+ include: "scope"
+
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "go"
+ commit-message:
+ prefix: "deps"
+ include: "scope"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f46e885..d3a1773 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,8 +10,8 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: '1.26'
 - name: Vet
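Review bot: The `github-actions` and `gomod` entries configure Dependabot version updates only; Dependabot security alerts and security updates are switched on separately in the repository's security settings, so this file on its own does not guarantee a PR when a vulnerable dependency is flagged. A comment at the top of the file such as `# Version updates only; Dependabot security updates are enabled in the repository settings` would save the next reader that check. Both entries use `directory: "/"`, so any go.mod in a subdirectory (none is visible here) would not be covered and would need its own entry. When Dependabot bumps the SHA-pinned actions introduced in ci.yml it also rewrites the trailing `# vN` comment, which is what keeps the pins readable after this commit.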
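Review bot: The `test` job still runs with whatever `GITHUB_TOKEN` permissions the repository defaults to, because no `permissions:` key is visible in the hunk; if the workflow does not set one at the top level (lines 1-9 are outside the hunk), add `permissions:` / `  contents: read` under the job so a compromised action or step cannot write to the repository, which is the other half of the hardening this commit starts with SHA pinning. The `# v4` and `# v5` trailing comments are the only human-readable record of what each SHA resolves to; they should be checked against the release tag each commit actually carries, since a mismatched comment misleads the next reader and Dependabot only corrects it on its next bump. Any other `uses:` lines in this workflow lie outside the hunk, so it is not visible here whether they were pinned as well.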
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..0d194b8
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,47 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security vulnerability in `asobi-cli`, please report it
+**privately** so we can fix it before it is publicly disclosed.
+
+**Do not open a public GitHub issue for security issues.**
+
+### How to report
+
+Either of these channels work:
+
+- **GitHub Security Advisory (preferred):**
+ [Report privately](https://github.com/widgrensit/asobi-cli/security/advisories/new)
+- **Email:** security@asobi.dev
+
+### What to expect
+
+- Acknowledgement within **48 hours**
+- Initial assessment within **7 days**
+- Coordinated disclosure timeline agreed with you
+- Credit in the security advisory if you want it
+
+## Supported versions
+
+| Version | Supported |
+|---------|-----------|
+| latest stable | ✅ |
+| older releases | ❌ — please upgrade |
+
+## Scope
+
+**In scope:**
+- The `asobi-cli` Go binary (this repository)
+- Stored credential format and the device-code login flow
+
+**Out of scope:**
+- The hosted asobi.dev SaaS — see https://asobi.dev/security
+- Third-party Go dependencies — please report upstream
+
+## Credential storage
+
+`asobi-cli` stores credentials at `~/.asobi/credentials.json` with mode
+`0600`, in a directory with mode `0700`. The CLI does not transmit
+credentials over unencrypted channels and uses ECDH+AES-GCM for the
+initial device-code login exchange.