
# GitHub Security Features Configuration
# Based on GitHub official best practices (2024-2025)
# Dependabot alerts: notifications for known-vulnerable dependencies.
# Enabled with one REST call — `method` is the verb the consumer issues
# against `api_endpoint` (placeholders {owner}/{repo} filled in per repo).
dependabot:
  name: "Dependabot Alerts"
  description: "Notify about security vulnerabilities in dependencies"
  availability: "All repositories"
  api_endpoint: "/repos/{owner}/{repo}/vulnerability-alerts"
  method: "PUT"
  # Setup profiles that must turn this feature on. The profile names are
  # presumably defined by the tool that consumes this file — verify there.
  # This is the only entry that includes the "quick" profile.
  required_modes: ["quick", "enterprise", "open-source", "private-team"]
# Dependabot security updates: auto-opened PRs that bump vulnerable
# dependencies. Presumably depends on the alerts entry above being enabled
# first — confirm the consumer applies entries in file order.
automated_security_fixes:
  name: "Dependabot Security Updates"
  description: "Automatically create PRs to update vulnerable dependencies"
  availability: "All repositories"
  api_endpoint: "/repos/{owner}/{repo}/automated-security-fixes"
  method: "PUT"
  # Deliberately absent from "quick" (unlike dependabot alerts), since
  # this opens PRs in the repository rather than only raising alerts.
  required_modes: ["enterprise", "open-source", "private-team"]
# Secret scanning: detection of leaked credentials in repository content.
# Free on public repos; private repos need GitHub Advanced Security per
# `availability` below.
secret_scanning:
  name: "Secret Scanning"
  description: "Detect exposed secrets in code"
  availability: "Public repos (free), Private repos (GitHub Advanced Security)"
  # NOTE(review): the public REST API toggles secret scanning through the
  # repository's `security_and_analysis` settings (PATCH on the repository
  # resource) rather than a dedicated PUT route — confirm this path against
  # whatever issues the call, otherwise the feature silently stays off.
  api_endpoint: "/repos/{owner}/{repo}/secret-scanning"
  method: "PUT"
  required_modes: ["enterprise", "open-source"]
# Push protection: blocks a push that contains a detected secret instead of
# only alerting afterwards. `availability` records the dependency on the
# secret_scanning entry above, so that entry must be applied first.
push_protection:
  name: "Push Protection"
  description: "Prevent pushing commits with detected secrets"
  availability: "Requires secret scanning"
  # NOTE(review): as with secret_scanning, the REST API exposes this as
  # `security_and_analysis.secret_scanning_push_protection` on the
  # repository resource — verify this route matches the consumer.
  api_endpoint: "/repos/{owner}/{repo}/secret-scanning-push-protection"
  method: "PUT"
  required_modes: ["enterprise"]
# Code scanning (CodeQL): static analysis on push/PR. No api_endpoint here —
# `implementation` says it is delivered as an Actions workflow, so the
# consumer presumably has to commit `workflow_file` rather than call an API.
code_scanning:
  name: "Code Scanning (CodeQL)"
  description: "Identify vulnerabilities and errors in code"
  availability: "Public repos (free), Private repos (GitHub Advanced Security)"
  implementation: "github-actions-workflow"
  # Path inside the target repository where the workflow is written.
  workflow_file: ".github/workflows/codeql.yml"
  required_modes: ["enterprise"]
# Branch protection: required reviews and status checks on protected
# branches. `rules` mirrors the request body of the protection API call
# named in api_endpoint.
branch_protection:
  name: "Branch Protection Rules"
  description: "Protect important branches with required checks"
  availability: "All repositories"
  # {branch} is filled in per protected branch by the consumer — presumably
  # the default branch; confirm which branches the tool targets.
  api_endpoint: "/repos/{owner}/{repo}/branches/{branch}/protection"
  method: "PUT"
  required_modes: ["enterprise", "private-team"]
  rules:
    required_pull_request_reviews:
      # At least one approval; raise for higher-assurance branches.
      required_approving_review_count: 1
      # New pushes invalidate approvals already given.
      dismiss_stale_reviews: true
      # Reviewers listed in CODEOWNERS must approve changes to their files.
      require_code_owner_reviews: true
    required_status_checks:
      # strict: branch must be up to date with the base before merging.
      strict: true
      # Check names must match exactly what the CI workflows report,
      # otherwise merges are blocked waiting on a check that never runs.
      contexts: ["ci/test", "ci/lint"]
    # NOTE(review): false exempts repository admins from every rule above,
    # so an admin can merge without reviews or passing checks. Consider
    # true for the "enterprise" profile.
    enforce_admins: false
    # null presumably means no push restrictions (any collaborator with
    # write access may push to the protected branch).
    restrictions: null
# Private vulnerability reporting: a private channel for researchers to
# report issues. No api_endpoint — `setup` is a manual UI path, so the
# consumer can at most document this step rather than apply it.
security_advisories:
  name: "Private Vulnerability Reporting"
  description: "Allow security researchers to privately report vulnerabilities"
  availability: "Public repositories"
  setup: "Repository Settings → Security → Enable private vulnerability reporting"
  required_modes: ["open-source"]
# SECURITY.md: vulnerability-disclosure policy shipped with the repository.
# No API call — the consumer presumably writes `template` to `location`.
security_policy:
  name: "SECURITY.md"
  description: "Document security policy and vulnerability reporting process"
  # GitHub looks for the file in any of these directories.
  location: "Root, .github/, or docs/"
  # "all" is a single sentinel rather than the explicit profile list used
  # by every other entry — the consumer must special-case it; verify.
  required_modes: ["all"]
  # Literal block scalar: newlines kept, one trailing newline. The contact
  # address (security@example.com) and the supported-versions table are
  # placeholders that must be replaced before the file is committed, and
  # the 48-hour response promise must match what the team can honour.
  template: |
    # Security Policy
    ## Supported Versions
    Currently supported versions:
    | Version | Supported |
    | ------- | ------------------ |
    | 1.0.x | :white_check_mark: |
    | < 1.0 | :x: |
    ## Reporting a Vulnerability
    Please report security vulnerabilities to [security@example.com](mailto:security@example.com).
    **Please do not report security vulnerabilities through public GitHub issues.**
    You should receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible.
# Two-factor authentication: an organization-level control configured in
# the web UI. There is no api_endpoint and no required_modes key, so a
# consumer that iterates on required_modes may skip this entry — verify.
two_factor_authentication:
  name: "Two-Factor Authentication"
  # `description` says all members; `recommendation` narrows it to write
  # access — the recommendation is the minimum, the description the goal.
  description: "Require 2FA for all organization members"
  availability: "Organization settings"
  recommendation: "Enforce for all users with write access"
  setup: "Organization Settings → Authentication security → Require two-factor authentication"
# Commit signature verification: rejects unsigned commits on protected
# branches. `setup` points at a branch-protection option, so it only takes
# effect where the branch_protection entry above is applied.
signed_commits:
  name: "Commit Signature Verification"
  description: "Verify commits are signed with GPG/SSH keys"
  availability: "All repositories"
  setup: "Branch protection → Require signed commits"
  # Uses `recommended_for` rather than `required_modes` like the other
  # entries — presumably deliberate (advisory, not enforced), but a
  # consumer keyed on required_modes will not see it; verify.
  recommended_for: ["enterprise", "private-team"]