Skip to content

Add SCA/SAST vulnerability remediation policy and release gates#750

Merged
Doezer merged 5 commits into
mainfrom
claude/sca-sast-remediation-policies-oixe7b
Jul 3, 2026
Merged

Add SCA/SAST vulnerability remediation policy and release gates#750
Doezer merged 5 commits into
mainfrom
claude/sca-sast-remediation-policies-oixe7b

Conversation

@Doezer

@Doezer Doezer commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add docs/VULNERABILITY_MANAGEMENT.md, a new policy document defining severity-based remediation SLAs (Critical/High/Moderate/Low) for both Software Composition Analysis (dependency vulnerabilities and licenses) and Static Application Security Testing (first-party code) findings, along with the identification → prioritization → remediation process for each (OSPS-VM-05.01, OSPS-VM-06.01).
  • Add an sca-scan job to .github/workflows/ci.yml that runs npm audit --omit=dev --audit-level=high and a license-checker allow-list check on every push/PR, blocking merge on Critical/High vulnerabilities or disallowed dependency licenses.
  • Mirror that check as a release-blocking sca-gate job in .github/workflows/deploy.yml, required before build-and-push, so a fresh advisory published after main was merged still blocks the release (OSPS-VM-05.02).
  • Add .github/workflows/codeql.yml (CodeQL, security-extended queries) to actually produce the SAST findings the new policy governs, on PR/push and a weekly schedule.
  • Link the new policy from .github/SECURITY.md and README.md alongside the existing security docs.

Test plan

  • npm audit --omit=dev --audit-level=high passes cleanly against the current lockfile.
  • npx license-checker --production --summary --onlyAllow "..." passes against current production dependencies.
  • YAML validity of all three modified/added workflow files checked with yaml.safe_load.
  • npx prettier --check on all changed/added Markdown and workflow files.
  • Confirm CI (sca-scan, build, docker-build) and the new CodeQL SAST workflow both run green on this PR.

🤖 Generated with Claude Code

https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq


Generated by Claude Code

claude added 2 commits July 3, 2026 08:28
Document docs/VULNERABILITY_MANAGEMENT.md defining severity-based
remediation SLAs for dependency vulnerabilities, dependency license
violations, and static analysis findings, plus the identification/
prioritization/remediation process for each (OSPS-VM-05.01, OSPS-VM-06.01).

Add an sca-scan CI job (npm audit + license-checker) that blocks merge
on Critical/High findings or disallowed licenses, mirror it as a
release-blocking sca-gate job in deploy.yml ahead of build-and-push
(OSPS-VM-05.02), and add a CodeQL SAST workflow so findings referenced
by the new policy are actually produced.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new policy document, docs/VULNERABILITY_MANAGEMENT.md, which outlines Questarr's procedures for handling Software Composition Analysis (SCA) and Static Application Security Testing (SAST) findings. It also updates .github/SECURITY.md and README.md to link to this new document. The reviewer feedback consistently recommends replacing relative Markdown links with root-absolute paths (starting with /) across all modified files to ensure proper resolution in various GitHub rendering contexts, such as the Security tab.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .github/SECURITY.md Outdated
Comment thread README.md Outdated
Comment thread docs/VULNERABILITY_MANAGEMENT.md Outdated
Comment thread docs/VULNERABILITY_MANAGEMENT.md Outdated
Comment thread docs/VULNERABILITY_MANAGEMENT.md
Comment thread docs/VULNERABILITY_MANAGEMENT.md
Comment thread docs/VULNERABILITY_MANAGEMENT.md
Comment thread docs/VULNERABILITY_MANAGEMENT.md Outdated
Comment thread docs/VULNERABILITY_MANAGEMENT.md Outdated
Comment thread docs/VULNERABILITY_MANAGEMENT.md
@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 28680184f2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml Outdated
claude added 2 commits July 3, 2026 08:38
- Add OFL-1.1 and Unlicense to the license-checker allow-list (real
  gaps: @fontsource-variable/inter and wouter use these) and pin
  license-checker to 25.0.1 instead of resolving unpinned at CI time.
- Remove the custom codeql.yml workflow: this repo already has CodeQL
  default setup enabled, and GitHub rejects SARIF uploads from an
  "advanced" workflow while default setup is active, so the two can't
  coexist. Update docs/VULNERABILITY_MANAGEMENT.md §2.1 to describe
  default setup instead.
- Switch internal doc links added in the previous commit to
  root-absolute paths so they resolve correctly in GitHub's Security
  tab and other rendering contexts.
- Revert an incorrect prior commit that had accidentally left
  client/src/lib/downloads-utils.ts, server/storage.ts, and
  docs/API.md in a non-Prettier-compliant state.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
- Drop GPL-2.0/GPL-2.0-only from the SCA license allow-list (ci.yml,
  deploy.yml, docs/VULNERABILITY_MANAGEMENT.md): a GPLv2-only dependency
  isn't combinable into Questarr's GPL-3.0-only distribution without an
  "or later" clause or dual license, so it needs a reviewed exception
  rather than a blanket allow (Codex review).
- Move deploy.yml's `packages: write` permission from workflow level to
  the build-and-push job that actually needs it, so the new sca-gate
  job (and any future job) doesn't inherit write access it has no use
  for (SonarCloud finding).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq

Doezer commented Jul 3, 2026

Copy link
Copy Markdown
Owner Author

Cross-checked against #748: that PR's codeql.yml hits the same CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled error this PR's did — CodeQL default setup is already enabled repo-wide (see docs/SECURITY_ASSESSMENT.md), and GitHub blocks any custom/advanced CodeQL workflow from coexisting with it. I removed the codeql.yml this PR added and pointed docs/VULNERABILITY_MANAGEMENT.md §2.1 at default setup instead — no workflow needed for SAST scanning here. #748 will need the same fix (drop its codeql.yml, or the repo owner disables default setup first) before it can go green.

Also fixed in the latest pushes: added the missing OFL-1.1/Unlicense licenses to the SCA allow-list (real dependencies use them), dropped GPL-2.0/GPL-2.0-only from the allow-list per review feedback (not combinable into this repo's GPL-3.0-only distribution without an "or later" clause), and scoped deploy.yml's packages: write permission down to the job that needs it instead of the whole workflow.


Generated by Claude Code

Without a permissions block, jobs run with the default broad
GITHUB_TOKEN scope; none of ci.yml's jobs need more than read access
to repo contents.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
@sonarqubecloud

sonarqubecloud Bot commented Jul 3, 2026

Copy link
Copy Markdown

@Doezer Doezer merged commit f9ff44f into main Jul 3, 2026
11 checks passed
@Doezer Doezer deleted the claude/sca-sast-remediation-policies-oixe7b branch July 3, 2026 09:38
@Doezer Doezer mentioned this pull request Jul 3, 2026
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants