Security Pipeline
In brief
Four-layer automated security pipeline guarding every PR and deploy: Dependabot for grouped dependency updates, Gitleaks for secret-scanning with project-tuned rules, CodeQL for Python and TypeScript static analysis under the security-extended query suite, and Trivy for container-image scanning that blocks deploys on fixable Critical or High CVEs — all backed by a CVE policy with Critical 48 h / High 7 d / Medium 30 d SLAs and a public responsible-disclosure channel.
How it works
Dependabot runs weekly against every package ecosystem in the monorepo: npm for admin, app, www and packages/shared, pip for the API, and monthly for github-actions. Minor and patch updates are grouped per ecosystem so the team gets one PR per package manager per week instead of dozens of one-line bumps. Auto-merge can be enabled for low-risk groups; major version bumps stay manual.
Gitleaks runs on every PR (diff-mode, fast) and on every push to main (incremental over recent history). The rule set is project-tuned beyond the defaults: regex matchers for Stripe live and test keys, Azure connection strings, JWT private keys, Google OAuth client secrets and a generic high-entropy detector at threshold ≥ 4.5. A match blocks the PR; an incident report goes to security@ with the file, line and rule that fired so the human knows exactly what to rotate.
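To make the rule semantics above concrete, here is an added example (not the project's Gitleaks configuration or any Gitleaks code) that reimplements the same two kinds of detector in Python: specific regex rules for the credential families the page lists, and a generic high-entropy detector at the stated ≥ 4.5 bits-per-character threshold. The regexes are this example's own assumptions modelled on the public formats of each credential type, the rule ids and the `incident_report` layout are invented for illustration, and every credential in `SAMPLE_DIFF` is a constructed placeholder.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Entropy threshold in bits per character; the page states the project's rule uses >= 4.5.
ENTROPY_THRESHOLD = 4.5

# Specific-pattern rules. These regexes are this example's own assumptions, modelled on
# the public formats of each credential type; they are not the project's Gitleaks rules.
SPECIFIC_RULES = {
    "stripe-live-key": re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
    "stripe-test-key": re.compile(r"sk_test_[0-9a-zA-Z]{24,}"),
    "azure-connection-string": re.compile(
        r"AccountName=[^;\s]+;AccountKey=[A-Za-z0-9+/=]{40,}"
    ),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "google-oauth-client-secret": re.compile(r"GOCSPX-[A-Za-z0-9_-]{28}"),
}

# Candidate tokens for the generic detector: long runs of base64 / URL-safe characters.
TOKEN = re.compile(r"[A-Za-z0-9_+/=-]{20,}")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    match: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(file: str, lineno: int, text: str) -> List[Finding]:
    """Apply every rule to one added diff line; every rule that matches is reported."""
    findings: List[Finding] = []
    for rule, rx in SPECIFIC_RULES.items():
        for m in rx.finditer(text):
            findings.append(Finding(file, lineno, rule, m.group(0)))
    for m in TOKEN.finditer(text):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(file, lineno, "generic-high-entropy", m.group(0)))
    return findings


def scan_diff(lines: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    """Scan (file, line number, added text) triples, as a diff-mode PR scan would."""
    out: List[Finding] = []
    for file, lineno, text in lines:
        out.extend(scan_line(file, lineno, text))
    return out


def incident_report(findings: List[Finding]) -> str:
    """Body for the report to security@: one 'file:line rule' entry per finding, with the
    matched value redacted so the report itself does not carry the secret around."""
    if not findings:
        return "no findings"
    return "\n".join(
        f"{f.file}:{f.line} {f.rule} (match redacted, {len(f.match)} chars)" for f in findings
    )


# Constructed sample of lines added by a PR; every credential below is a made-up placeholder.
SAMPLE_DIFF = [
    ("api/app/billing.py", 42, 'logger.debug("stripe key: sk_test_EXAMPLEEXAMPLEEXAMPLE1234")'),
    ("api/settings.py", 7, 'AZURE_STORAGE = "DefaultEndpointsProtocol=https;AccountName=examplestore;'
                          'AccountKey=EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY==;'
                          'EndpointSuffix=core.windows.net"'),
    ("api/keys/jwt.pem", 1, "-----BEGIN RSA PRIVATE KEY-----"),
    ("admin/.env", 2, "GOOGLE_CLIENT_SECRET=GOCSPX-EXAMPLEexampleEXAMPLEexample"),
    ("app/src/config.ts", 3, 'const API_TOKEN = "A1b2C3d4E5f6G7h8I9j0KlMnOpQrStUv";'),
    ("www/README.md", 1, "Run npm install and npm run dev to start the site"),
]

if __name__ == "__main__":
    print(incident_report(scan_diff(SAMPLE_DIFF)))
```

The 32-character token in `config.ts` has 32 distinct characters, so its entropy is exactly 5.0 bits per character and the generic rule fires even though no specific pattern knows about it; the repetitive placeholder Stripe key scores well under 4.5 and is caught only by its specific rule. That split is why a tuned rule set keeps both kinds of detector.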
CodeQL covers Python on the API and TypeScript/JavaScript on admin, app, www and packages/shared. It runs on every PR and again every Sunday at 03:00 UTC for full sweeps that catch regressions a fast PR scan might miss. The query suite is security-extended (broader than the GitHub default) so SQL injection, command injection, prototype pollution and SSRF land in the dashboard rather than waiting for a researcher to find them.
Trivy is integrated into deploy-api.yml pre-push: every container image gets scanned before it lands in the Azure Container Registry. The deploy is blocked when Trivy finds a Critical or High CVE that has a fix-version available, on the principle that we should never knowingly deploy a known-fixed vulnerability. A SECURITY_OVERRIDE escape hatch exists for the rare case (third-party dependency with no patch yet, accepted-risk window), and using it auto-notifies #ops-alerts so security leadership cannot miss an override.
The CVE policy in docs/engineering/operations/cve-policy.md formalises the SLA matrix — Critical 48 h, High 7 d, Medium 30 d, Low best-effort — plus the responsible-disclosure pathway via security@petanque.life, the SECURITY_OVERRIDE process and a mandatory retrospective for any Critical incident. The repo-root SECURITY.md publishes the same disclosure policy externally, with scope, SLA and contact, so researchers know how to report safely without scraping the codebase for an email address.
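The deploy gate described two paragraphs up and the SLA matrix above fit naturally in one piece of logic, so here is an added example (not the project's deploy-api.yml step or its CVE-policy tooling) that evaluates a Trivy JSON report the way the page describes: block when a Critical or High finding has a fix version, honour a SECURITY_OVERRIDE escape hatch, emit the #ops-alerts notification when the override is used, and stamp every finding with its SLA deadline. The field names in `SAMPLE_REPORT` follow Trivy's `--format json` output; the report contents, the CVE ids (obvious placeholders) and the notification payload shape are constructed for this example.

```python
import json
import os
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Severities that block a push when a fix version exists (the page's Trivy rule).
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# SLA matrix as the page summarises the CVE policy; Low is best-effort, so no deadline.
SLA: Dict[str, Optional[timedelta]] = {
    "CRITICAL": timedelta(hours=48),
    "HIGH": timedelta(days=7),
    "MEDIUM": timedelta(days=30),
    "LOW": None,
}

# Constructed report in the shape of `trivy image --format json`; CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "petanque-api (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-XXXX-EXAMPLE1", "PkgName": "libexample",
                 "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-XXXX-EXAMPLE2", "PkgName": "libother",
                 "InstalledVersion": "0.9.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-XXXX-EXAMPLE3", "PkgName": "libthird",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Python",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-XXXX-EXAMPLE4", "PkgName": "examplepkg",
                 "InstalledVersion": "3.1", "FixedVersion": "3.2", "Severity": "LOW"},
            ],
        },
    ]
})

# A target with no findings: Trivy omits the Vulnerabilities key entirely in that case.
EMPTY_REPORT = json.dumps({"Results": [{"Target": "scratch image"}]})


def vulnerabilities(report_json: str) -> List[dict]:
    """Flatten Results[].Vulnerabilities[]; both keys may be absent when nothing was found."""
    report = json.loads(report_json)
    return [v for r in report.get("Results") or [] for v in r.get("Vulnerabilities") or []]


def blocking_findings(vulns: List[dict]) -> List[dict]:
    """Critical/High findings that have a fix version, i.e. the ones a bump would resolve."""
    return [v for v in vulns if v.get("Severity") in BLOCKING_SEVERITIES and v.get("FixedVersion")]


def evaluate(report_json: str, override: Optional[bool] = None) -> dict:
    """Gate decision for one image. override=None reads SECURITY_OVERRIDE=1 from the environment,
    the way a CI step would; the override only counts as used when it actually bypassed something."""
    if override is None:
        override = os.environ.get("SECURITY_OVERRIDE") == "1"
    ids = [v["VulnerabilityID"] for v in blocking_findings(vulnerabilities(report_json))]
    decision = {
        "blocked": bool(ids) and not override,
        "override_used": bool(ids) and override,
        "blocking_ids": ids,
        "notification": None,
    }
    if decision["override_used"]:
        decision["notification"] = {
            "channel": "#ops-alerts",
            "text": f"SECURITY_OVERRIDE used to deploy past {len(ids)} fixable finding(s): {', '.join(ids)}",
        }
    return decision


def sla_due(severity: str, found_at_iso: str) -> Optional[str]:
    """Remediation deadline (ISO 8601) for a finding first seen at found_at_iso, or None for Low."""
    window = SLA.get(severity.upper())
    if window is None:
        return None
    return (datetime.fromisoformat(found_at_iso) + window).isoformat()


def triage(report_json: str, found_at_iso: str) -> List[dict]:
    """One tracking row per finding: id, severity, whether a fix exists, and the SLA deadline."""
    return [
        {
            "id": v["VulnerabilityID"],
            "severity": v["Severity"],
            "fixable": bool(v.get("FixedVersion")),
            "due": sla_due(v["Severity"], found_at_iso),
        }
        for v in vulnerabilities(report_json)
    ]


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_REPORT), indent=2))
    print(json.dumps(triage(SAMPLE_REPORT, "2024-01-01T00:00:00+00:00"), indent=2))
```

Note that the High finding without a fix version does not block, matching the "known-fixed" principle, but it still gets a 7-day SLA row in `triage`, which is the part the policy document covers and the gate alone does not.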
Key features
- Dependabot weekly PRs for npm and pip, monthly for github-actions, grouped by ecosystem
- Gitleaks secret-scan on every PR and push, with Stripe / Azure / JWT / Google OAuth / high-entropy rules
- CodeQL static analysis on Python and TypeScript with security-extended query suite
- Trivy container-image scan in deploy-api.yml blocking Critical/High CVEs with fix versions
- SECURITY_OVERRIDE escape hatch with automatic Slack notification to #ops-alerts
- CVE policy with SLA matrix (Critical 48 h, High 7 d, Medium 30 d) and mandatory Critical retrospectives
- Public SECURITY.md with responsible-disclosure scope, SLA and contact
In practice
Tuesday morning, Dependabot opens its weekly PR batch — four grouped npm bumps and one pip patch. Test suite green, auto-merge takes them all in. Wednesday afternoon a developer accidentally commits a Stripe test key in a debug log statement; Gitleaks blocks the PR within 30 seconds with the exact line, security@ gets paged, the key is rotated in Stripe before the PR can merge.
Friday a CodeQL sweep flags a possible SSRF in a feed importer; the team patches that day, well inside the High 7-day SLA. The next deploy of the API trips Trivy on a transitively-pulled CVE — Critical with a fix-version — the deploy blocks, the dependency is bumped, the deploy succeeds. Nothing reaches production with a known-fixed vulnerability.
Features in this subsystem
| ID | Status | Features |
|---|---|---|
| F16.16.01 | Delivered | Dependabot: weekly PRs for npm (admin/app/www/packages/shared), pip (api) and monthly for github-actions. Minor/patch updates grouped per ecosystem. ✅ PL-T054 |
| F16.16.02 | Delivered | Gitleaks secret scan: runs on every PR (diff) and push (incremental). Custom rules for Stripe keys, Azure connection strings, JWT private keys, Google OAuth secrets and generic high-entropy strings (entropy ≥ 4.5). ✅ PL-T054 |
| F16.16.03 | Delivered | CodeQL static analysis: Python (api) + JavaScript/TypeScript (admin/app/www/shared). Runs on every PR and weekly (Sundays 03:00 UTC). security-extended query suite. ✅ PL-T054 |
| F16.16.04 | Delivered | Trivy container-image scan: integrated in deploy-api.yml pre-push. Blocks the deploy on CRITICAL/HIGH CVEs that have a fix version. SECURITY_OVERRIDE exception with automatic Slack notification to #ops-alerts. ✅ PL-T054 |
| F16.16.05 | Delivered | CVE policy (docs/engineering/operations/cve-policy.md): severity matrix, responsible disclosure via security@petanque.life, SECURITY_OVERRIDE process, retrospective requirement for CRITICAL. ✅ PL-T054 |
| F16.16.06 | Delivered | SECURITY.md in the repo root: public responsible-disclosure policy with scope, SLA and contact. ✅ PL-T054 |