Add SCA/SAST vulnerability remediation policy and release gates#750
Conversation
Document docs/VULNERABILITY_MANAGEMENT.md defining severity-based remediation SLAs for dependency vulnerabilities, dependency license violations, and static analysis findings, plus the identification/ prioritization/remediation process for each (OSPS-VM-05.01, OSPS-VM-06.01). Add an sca-scan CI job (npm audit + license-checker) that blocks merge on Critical/High findings or disallowed licenses, mirror it as a release-blocking sca-gate job in deploy.yml ahead of build-and-push (OSPS-VM-05.02), and add a CodeQL SAST workflow so findings referenced by the new policy are actually produced. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
There was a problem hiding this comment.
Code Review
This pull request introduces a new policy document, docs/VULNERABILITY_MANAGEMENT.md, which outlines Questarr's procedures for handling Software Composition Analysis (SCA) and Static Application Security Testing (SAST) findings. It also updates .github/SECURITY.md and README.md to link to this new document. The reviewer feedback consistently recommends replacing relative Markdown links with root-absolute paths (starting with /) across all modified files to ensure proper resolution in various GitHub rendering contexts, such as the Security tab.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 28680184f2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
- Add OFL-1.1 and Unlicense to the license-checker allow-list (real gaps: @fontsource-variable/inter and wouter use these) and pin license-checker to 25.0.1 instead of resolving unpinned at CI time. - Remove the custom codeql.yml workflow: this repo already has CodeQL default setup enabled, and GitHub rejects SARIF uploads from an "advanced" workflow while default setup is active, so the two can't coexist. Update docs/VULNERABILITY_MANAGEMENT.md §2.1 to describe default setup instead. - Switch internal doc links added in the previous commit to root-absolute paths so they resolve correctly in GitHub's Security tab and other rendering contexts. - Revert an incorrect prior commit that had accidentally left client/src/lib/downloads-utils.ts, server/storage.ts, and docs/API.md in a non-Prettier-compliant state. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
- Drop GPL-2.0/GPL-2.0-only from the SCA license allow-list (ci.yml, deploy.yml, docs/VULNERABILITY_MANAGEMENT.md): a GPLv2-only dependency isn't combinable into Questarr's GPL-3.0-only distribution without an "or later" clause or dual license, so it needs a reviewed exception rather than a blanket allow (Codex review). - Move deploy.yml's `packages: write` permission from workflow level to the build-and-push job that actually needs it, so the new sca-gate job (and any future job) doesn't inherit write access it has no use for (SonarCloud finding). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
|
Cross-checked against #748: that PR's Also fixed in the latest pushes: added the missing Generated by Claude Code |
Without a permissions block, jobs run with the default broad GITHUB_TOKEN scope; none of ci.yml's jobs need more than read access to repo contents. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
|



Summary
docs/VULNERABILITY_MANAGEMENT.md, a new policy document defining severity-based remediation SLAs (Critical/High/Moderate/Low) for both Software Composition Analysis (dependency vulnerabilities and licenses) and Static Application Security Testing (first-party code) findings, along with the identification → prioritization → remediation process for each (OSPS-VM-05.01, OSPS-VM-06.01).sca-scanjob to.github/workflows/ci.ymlthat runsnpm audit --omit=dev --audit-level=highand alicense-checkerallow-list check on every push/PR, blocking merge on Critical/High vulnerabilities or disallowed dependency licenses.sca-gatejob in.github/workflows/deploy.yml, required beforebuild-and-push, so a fresh advisory published aftermainwas merged still blocks the release (OSPS-VM-05.02)..github/workflows/codeql.yml(CodeQL,security-extendedqueries) to actually produce the SAST findings the new policy governs, on PR/push and a weekly schedule..github/SECURITY.mdandREADME.mdalongside the existing security docs.Test plan
npm audit --omit=dev --audit-level=highpasses cleanly against the current lockfile.npx license-checker --production --summary --onlyAllow "..."passes against current production dependencies.yaml.safe_load.npx prettier --checkon all changed/added Markdown and workflow files.sca-scan,build,docker-build) and the newCodeQL SASTworkflow both run green on this PR.🤖 Generated with Claude Code
https://claude.ai/code/session_012Jqinh3xyPec4tVMs8iohq
Generated by Claude Code