feat: Add comprehensive GitHub Security features

tknecht · claude · tknecht · commit be338c2cf9ec · 2025-11-24T14:01:39.000+01:00
- Add CodeQL security scanning workflow - Extended security queries for comprehensive analysis - Runs on push, PR, and weekly schedule - Python-specific vulnerability detection - Add Dependency Review workflow - PR-based vulnerability scanning - Blocks moderate+ severity vulnerabilities - Denies GPL-3.0 and AGPL-3.0 licenses - Comments security findings on PRs - Configure Dependabot automation - Weekly pip dependency updates - Weekly GitHub Actions updates - Grouped minor/patch updates for dev dependencies - Separate patches for production dependencies - Automatic PR creation with labels - Add SECURITY.md policy - Vulnerability reporting guidelines - Responsible disclosure process - Security update timeline commitments - Comprehensive security feature documentation - Update README with security badges - CodeQL workflow status badge - Security policy reference badge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,54 @@
+version: 2
+updates:
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "xarf/maintainers"
+    labels:
+      - "dependencies"
+      - "python"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+    # Group minor and patch updates
+    groups:
+      development-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+      production-dependencies:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+    # Security updates always separate
+    allow:
+      - dependency-type: "all"
+    ignore:
+      # Ignore specific versions if needed
+      # - dependency-name: "package-name"
+      #   versions: ["1.x", "2.x"]
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,46 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run weekly on Monday at 00:00 UTC
+    - cron: '0 0 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # CodeQL supports: 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # Extended queries for comprehensive security analysis
+        queries: security-extended,security-and-quality
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+name: 'Dependency Review'
+
+on:
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # Fail if vulnerabilities found
+          fail-on-severity: moderate
+          # Block banned licenses
+          deny-licenses: GPL-3.0, AGPL-3.0
+          # Comment on PR with details
+          comment-summary-in-pr: on-failure
diff --git a/README.md b/README.md
@@ -1,9 +1,11 @@
 # XARF v4 Python Parser
 
 [![CI](https://github.com/xarf/xarf-python/actions/workflows/ci.yml/badge.svg)](https://github.com/xarf/xarf-python/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/xarf/xarf-python/actions/workflows/codeql.yml/badge.svg)](https://github.com/xarf/xarf-python/actions/workflows/codeql.yml)
 [![PyPI version](https://badge.fury.io/py/xarf-parser.svg)](https://pypi.org/project/xarf-parser/)
 [![Python versions](https://img.shields.io/pypi/pyversions/xarf-parser.svg)](https://pypi.org/project/xarf-parser/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Security Policy](https://img.shields.io/badge/Security-Policy-blue.svg)](SECURITY.md)
 
 A Python library for parsing, validating, and generating XARF v4 (eXtended Abuse Reporting Format) reports.
 
@@ -163,7 +165,7 @@ from xarf.validation import validate_xarf_report
 
 # Schema URLs reference the spec repository
 validation_result = validate_xarf_report(
-    report_json, 
+    report_json,
     schema_url="https://raw.githubusercontent.com/xarf/xarf-spec/main/schemas/v4/xarf-v4-master.json"
 )
 ```
@@ -470,7 +472,7 @@ This project uses two GitHub Actions workflows:
 We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.
 
 - **Bug Reports**: Use GitHub Issues
-- **Feature Requests**: Discuss in GitHub Discussions  
+- **Feature Requests**: Discuss in GitHub Discussions
 - **Pull Requests**: Follow our coding standards
 - **Testing**: Add tests for new features
 
@@ -492,7 +494,7 @@ MIT License - See [LICENSE](LICENSE) for details.
 This project follows semantic versioning with alpha/beta releases:
 
 - `4.0.0a1`, `4.0.0a2` - Alpha releases (current)
-- `4.0.0b1`, `4.0.0b2` - Beta releases (planned)  
+- `4.0.0b1`, `4.0.0b2` - Beta releases (planned)
 - `4.0.0` - Stable release (Q2 2024)
 
 ## 🎯 Roadmap
@@ -534,4 +536,4 @@ This project follows semantic versioning with alpha/beta releases:
 
 ---
 
-**Note:** This library implements the official [XARF v4 specification](https://xarf.org/docs/specification/). Always refer to the specification for authoritative technical details.
+**Note:** This library implements the official [XARF v4 specification](https://xarf.org/docs/specification/). Always refer to the specification for authoritative technical details.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,127 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support and provide security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.x.x   | :white_check_mark: |
+| 1.x.x   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security issue in XARF Python Parser, please report it responsibly.
+
+### How to Report
+
+**Please DO NOT report security vulnerabilities through public GitHub issues.**
+
+Instead, report security vulnerabilities by:
+
+1. **Email**: Send details to security@xarf.org
+2. **Private Advisory**: Use GitHub's [private security advisory feature](https://github.com/xarf/xarf-python/security/advisories/new)
+
+### What to Include
+
+When reporting a vulnerability, please include:
+
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Affected versions
+- Potential impact assessment
+- Any proof-of-concept code (if applicable)
+- Your name/handle for credit (optional)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours of report
+- **Initial Assessment**: Within 5 business days
+- **Status Updates**: Every 7 days until resolution
+- **Fix Timeline**: Critical issues within 30 days, others within 90 days
+
+### Disclosure Policy
+
+- We will coordinate public disclosure with you
+- Security advisories will be published after fixes are released
+- We credit security researchers in advisories (unless you prefer to remain anonymous)
+
+## Security Features
+
+This project implements multiple security layers:
+
+### Automated Scanning
+
+- **CodeQL Analysis**: Deep semantic security analysis (weekly + on PRs)
+- **Dependency Review**: PR-based vulnerability scanning
+- **Dependabot**: Automated dependency security updates
+- **Secret Scanning**: Detects committed credentials
+- **Bandit**: Python-specific security linter in CI
+
+### Code Quality Gates
+
+All pull requests must pass:
+
+- Static security analysis (Bandit)
+- Type safety checks (MyPy strict mode)
+- Dependency vulnerability scans
+- Code complexity limits (Radon)
+
+### Security Best Practices
+
+Our codebase follows:
+
+- Strict type hints for safety
+- Input validation via Pydantic models
+- No hardcoded credentials
+- Principle of least privilege
+- Regular dependency updates
+
+## Known Security Considerations
+
+### XARF Report Processing
+
+When processing XARF reports:
+
+1. **Input Validation**: All reports are validated against JSON schema
+2. **Email Parsing**: Uses python-email-validator for safe email processing
+3. **Date Handling**: Uses python-dateutil for timezone-aware parsing
+4. **No Code Execution**: Parser does not execute any user-provided code
+
+### Dependencies
+
+We actively monitor and update dependencies for security issues:
+
+- Automated Dependabot updates for vulnerabilities
+- Grouped minor/patch updates for development dependencies
+- Individual PRs for production dependency major updates
+
+## Security Updates
+
+Security updates are released as:
+
+- **Critical**: Immediate patch release
+- **High**: Patch release within 7 days
+- **Moderate**: Included in next minor release
+- **Low**: Included in next release cycle
+
+Subscribe to [GitHub Security Advisories](https://github.com/xarf/xarf-python/security/advisories) for notifications.
+
+## Responsible Disclosure
+
+We are committed to working with security researchers under responsible disclosure guidelines:
+
+1. Allow reasonable time for fixes before public disclosure
+2. Avoid privacy violations and data destruction
+3. Do not exploit vulnerabilities beyond proof-of-concept
+4. Respect user privacy and data protection regulations
+
+## Security Hall of Fame
+
+We recognize security researchers who help improve our security:
+
+<!-- Security researchers will be listed here after coordinated disclosure -->
+
+---
+
+For general inquiries or questions about this policy, contact: security@xarf.org
