zhongwei/gh-project-codeguard-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:48:30 +08:00
commit 0f14e8d5a1
26 changed files with 2265 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
skills/software-security/rules/codeguard-0-supply-chain-security.md Normal file
View File

@@ -0,0 +1,50 @@
---
description: Dependency & supply chain security (pinning, SBOM, provenance, integrity, private registries)
languages:
- docker
- javascript
- yaml
alwaysApply: false
---
rule_id: codeguard-0-supply-chain-security
## Dependency & Supply Chain Security
Control thirdparty risk across ecosystems, from selection and pinning to provenance, scanning, and rapid response.
### Policy and Governance
- Maintain allowlisted registries and scopes; disallow direct installs from untrusted sources.
- Require lockfiles and version pinning; prefer digest pinning for images and vendored assets.
- Generate SBOMs for apps/images; store with artifacts; attest provenance (SLSA, Sigstore).
### Package Hygiene (npm focus applicable to others)
- Regularly audit (`npm audit`, ecosystem SCA) and patch; enforce SLAs by severity.
- Use deterministic builds: `npm ci` (not `npm install`) in CI/CD; maintain lockfile consistency.
- Avoid install scripts that execute on install when possible; review for risk.
- Use `.npmrc` to scope private registries; avoid wildcard registries; enable integrity verification.
- Enable account 2FA for publishing
### Development Practices
- Minimize dependency footprint; remove unused packages; prefer stdlib/firstparty for trivial tasks.
- Protect against typosquatting and protestware: pin maintainers, monitor releases, and use provenance checks.
- Hermetic builds: no network in compile/packaging stages unless required; cache with authenticity checks.
### CI/CD Integration
- SCA, SAST, IaC scans in gates; fail on criticals; require approvals for overrides with compensating controls.
- Sign artifacts; verify signatures at deploy; enforce policy in admission.
### Vulnerability Management
- For patched vulnerabilities: test and deploy updates; document any API breaking changes.
- For unpatched vulnerabilities: implement compensating controls (input validation, wrappers) based on CVE type; prefer direct dependency fixes over transitive workarounds.
- Document risk decisions; escalate acceptance to appropriate authority with business justification.
### Incident Response
- Maintain rapid rollback; isolate compromised packages; throttle rollouts; notify stakeholders.
- Monitor threat intel feeds (e.g., npm advisories); autoopen tickets for critical CVEs.
### Implementation Checklist
- Lockfiles present; integrity checks on; private registries configured.
- SBOM + provenance stored; signatures verified predeploy.
- Automated dependency updates with tests and review gates.
- Highsev vulns remediated within SLA or mitigated and documented.