From b37ebc2abb24f4f8f2df25454d9bf8fb4b81d24a Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Fri, 12 Jun 2026 23:18:28 -0400
Subject: [PATCH] ci(security-scan): add opt-in safedep/vet OSS dependency policy job
- new `enable-vet` workflow_call input (default false; backward-compatible)
- optional SAFEDEP_CLOUD_KEY/SAFEDEP_CLOUD_TENANT secrets (malware/zero-day)
- `vet` job runs safedep/vet-action@v1.1.12 against the caller's .github/vet/policy.yml + .github/vet/exceptions.yml; soft-launch (continue-on-error) until callers seed exceptions and promote to required
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/security-scan.yml | 45 +++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 114989f..6293120 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -64,6 +64,14 @@ on:
 type: boolean
 required: false
 default: true
+ enable-vet:
+ description: >
+ Run safedep/vet OSS dependency policy scan against the caller repo's
+ .github/vet/policy.yml + .github/vet/exceptions.yml. Off by default;
+ soft-launch (non-blocking) until exceptions are seeded.
+ type: boolean
+ required: false
+ default: false
 submodules:
 description: >
 Checkout submodules for the CodeQL job (autobuild may need them).
@@ -86,6 +94,12 @@ on:
 SNYK_TOKEN:
 description: Snyk token. Used only when enable-snyk is true.
 required: false
+ SAFEDEP_CLOUD_KEY:
+ description: SafeDep Cloud API key (optional; malware/zero-day analysis). Used only when enable-vet is true.
+ required: false
+ SAFEDEP_CLOUD_TENANT:
+ description: SafeDep Cloud tenant. Used only when enable-vet is true.
+ required: false

 permissions:
 contents: read
@@ -93,6 +107,37 @@ permissions:
 pull-requests: read # dependency-review

 jobs:
+ # ── safedep/vet — OSS Dependency Policy ───────────────────────────────────
+ # Malware (MAL-), critical/high vulns, license allowlist (npm/PyPI/NuGet),
+ # OpenSSF Scorecard maintenance/dangerous-workflow, popularity floor — gated
+ # by the caller's .github/vet/policy.yml. Soft-launch: non-blocking until the
+ # caller seeds .github/vet/exceptions.yml and promotes vet to a required check.
+ vet:
+ name: vet (OSS dependency policy)
+ if: ${{ inputs.enable-vet }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write # inline PR comments on changed deps
+ issues: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Run safedep/vet
+ uses: safedep/vet-action@6247cccd1b6683a27946ea3a0d45d3865346918b # v1.1.12
+ with:
+ policy: .github/vet/policy.yml
+ exception-file: .github/vet/exceptions.yml
+ exclude: "**/vendor/**, .cargo/**, **/node_modules/**, **/target/**, .worktrees/**"
+ trusted-registries: "https://crates.io,https://registry.npmjs.org,https://pypi.org,https://api.nuget.org"
+ upload-sarif: false # private repos w/o GHAS — use step summary
+ cloud-key: ${{ secrets.SAFEDEP_CLOUD_KEY }}
+ cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT }}
+ continue-on-error: true # SOFT-LAUNCH: warn-only until promoted to required
+
 # ── CodeQL ────────────────────────────────────────────────────────────────
 # CodeQL is handled by GitHub's repo-level "default setup" (Settings →
 # Code security → CodeQL analysis). Running a matrix job here conflicts
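Review bot: The `vet` job asks for `pull-requests: write` and `issues: write` while the workflow-level `permissions` visible in this hunk's context grants only read scopes; in a `workflow_call` workflow the called job can only narrow the caller's token, never widen it, so callers that set `enable-vet` must also grant these write scopes, and neither the job comment nor the `enable-vet` description in the first hunk says so. Suggest a why-comment next to `if: ${{ inputs.enable-vet }}`: `# Caller must grant pull-requests: write (PR comments); issues: write only if vet-action requires it`. `issues: write` also lacks the justification that `pull-requests: write` carries; if the action only posts PR comments, drop it to keep the job at least privilege. `egress-policy: audit` logs rather than blocks outbound traffic, so the harden-runner step is observability only here — worth a comment so the later switch to `block` with an allowlist is not forgotten when vet is promoted. `cloud-key`/`cloud-tenant` expand to empty strings on fork PRs and when the optional secrets are unset, and `continue-on-error: true` would hide any resulting failure; confirm the action treats an empty value as cloud-disabled rather than as an error.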