28 lines
770 B
YAML
```yaml
name: security
extends: [security] # from core; specialize platform checks
description: |
  Mode specialization for platform-aware checks (headers/CSP, IAM, SBOM, supply-chain).
used_by: [Iris, Mina, Leo, Blake]
triggers:
  - deps_changed
  - sbom_update_needed
  - contains_secrets
  - iam_or_policy_change
inputs_required:
  - sbom_tool (syft/cyclonedx)
  - scanning_tool (grype/trivy)
  - policy_diff (IAM/RLS/CSP)
outputs:
  - security-report.md
  - sbom.json
principles:
  - "Shift-left: check early; block risky merges."
  - Signed artifacts; pinned versions.
checklist:
  - "[ ] SBOM updated and scanned"
  - "[ ] Secrets scans pass (no leak/noise triaged)"
  - "[ ] CSP/headers validated in staging"
  - "[ ] IAM/RLS diffs approved"
hooks:
  - before_pr
  - before_merge
```