
AD-18 Expand vscode shim to broader VS Code API compatibility #23

@Finfinder

Description


## Objective

Add Dependabot (GitHub Dependabot alerts/PRs), an npm audit CI step and CodeQL scanning for JavaScript/TypeScript as a complement to SonarCloud.

## Context

Following the SonarCloud integration, we should add a dedicated dependency and security scanning layer to detect vulnerable npm packages, supply chain issues, and CodeQL security query findings. SonarCloud focuses on code quality and some SAST rules, but SCA (Software Composition Analysis) and CodeQL security queries provide additional coverage.

## Scope

- Configure Dependabot for npm (.github/dependabot.yml) with a weekly update schedule and sensible ecosystem settings.
- Add an npm audit job/step to CI that runs `npm ci --ignore-scripts` and `npm audit --audit-level=moderate --json` and fails or warns per policy.
- Add a .github/workflows/codeql.yml workflow configured for javascript and typescript using the default CodeQL packs.
- Document the remediation policy (reviewers, auto-merge rules, severity thresholds) in SECURITY.md or docs/.

## Rationale

SonarCloud is valuable for SAST and quality metrics, but third-party dependency vulnerabilities and CodeQL security detections are a different risk category. Combining SCA (Dependabot/npm audit) with CodeQL increases our defense-in-depth.

## Benefits

- Better detection of vulnerable npm packages and supply-chain issues.
- Faster time-to-remediation for CVEs through Dependabot PRs.
- Additional CodeQL detections for security anti-patterns not covered by SonarCloud.
- Improves overall security posture and reduces dependency-regression risk.

## Definition of Done

- [ ] .github/dependabot.yml exists with an appropriate schedule and scope.
- [ ] CI contains an npm audit job/step producing machine-readable output and enforcing the audit policy.
- [ ] .github/workflows/codeql.yml is configured for javascript/typescript and enabled.
- [ ] Documentation in SECURITY.md or docs/ describes the dependency remediation policy and CodeQL review process.
- [ ] Labels/triage rules defined for Dependabot PRs (e.g., dependabot, security, priority:high).

## Milestone

1.0 Stabilize MVP
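The three files the Scope section asks for, written out as an added example (not configuration from this repository). The dependabot.yml and codeql.yml paths are the ones the issue names; the audit workflow file name, the `main` branch, the Node version, and the enforcement policy (fail on high/critical, warn on moderate) are assumptions chosen for illustration and should be replaced by whatever SECURITY.md ends up specifying.

```yaml
# --- .github/dependabot.yml (path from the issue) ---
# Weekly npm updates; labels match the triage labels proposed in the issue.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependabot"
      - "security"
    commit-message:
      prefix: "deps"
---
# --- .github/workflows/npm-audit.yml (file name is an assumption) ---
# Installs with lifecycle scripts disabled, keeps the audit JSON as an
# artifact, and enforces an assumed policy: fail on high/critical,
# warn on moderate.
name: npm audit
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Install without running lifecycle scripts
        run: npm ci --ignore-scripts
      - name: Run audit and keep machine-readable output
        # npm audit exits non-zero at or above the audit level; the
        # policy step below decides what to do with the result.
        run: npm audit --audit-level=moderate --json > audit.json || true
      - name: Enforce audit policy
        run: |
          high=$(jq '.metadata.vulnerabilities.high + .metadata.vulnerabilities.critical' audit.json)
          moderate=$(jq '.metadata.vulnerabilities.moderate' audit.json)
          if [ "$high" -gt 0 ]; then
            echo "::error::$high high/critical npm vulnerabilities found"
            exit 1
          fi
          if [ "$moderate" -gt 0 ]; then
            echo "::warning::$moderate moderate npm vulnerabilities found; review within the remediation SLA"
          fi
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: npm-audit-report
          path: audit.json
---
# --- .github/workflows/codeql.yml (path from the issue) ---
# No `queries:` override, so the default CodeQL query suite runs.
# The javascript-typescript language covers both JS and TS sources.
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"
permissions:
  contents: read
  security-events: write
  actions: read
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3
```

The audit step writes the JSON before checking it, so the report is available even when the job fails; `--ignore-scripts` keeps a compromised package's install hooks from running on the CI runner during the audit. The `metadata.vulnerabilities` counts are the summary fields that `npm audit --json` emits in npm 7 and later.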

Metadata


Assignees

No one assigned

Labels

- compatibility: VS Code API compatibility and extension support.
- priority:medium: Medium priority issue.
- roadmap: Topic roadmap or larger direction of work.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests
