Skip to content

Security & governance baseline: 30 Dependabot alerts, no branch protection, missing standard configs #546

Description

@turbomam

Summary

The repo is missing the standard GitHub security/governance baseline and carries 30 open Dependabot alerts: 1 critical, 9 high, 16 medium, 4 low. See the Security tab for details. Alerts are already enabled (the 30 are visible); the gap is the rest of the baseline plus the security-updates toggle that would auto-open fix PRs.

berkeleybop/metpo has every item below configured and works as a copy-from template.

Each gap is small; together they are a coherent hygiene cluster worth addressing.

Baseline gaps

Missing Purpose Effort
Branch protection on master Require passing checks; block force-push and deletion Settings toggle
Dependabot security updates Auto-open fix PRs for the 30 existing alerts (separate toggle from dependabot.yml) Settings toggle
Secret scanning + push protection Block committed credentials at push time Settings toggle
.github/dependabot.yml Auto-propose dependency version upgrades (pip + github-actions) Single-file PR
CodeQL (Default setup) Free static security analysis; prefer Settings, Code security, Code scanning, Default setup over a codeql.yml template since there is no build step Settings toggle
dependency-review-action in CI Fail a PR that adds a vulnerable or bad-license dependency Single-file PR
Pin Actions to commit SHAs + zizmor workflow (pinact to maintain) Close the mutable-tag supply-chain gap; lint the workflows Single-file PR
SECURITY.md Vulnerability reporting policy Single-file PR
CODEOWNERS Auto-request reviews from owners of touched paths Requires owner decisions
.pre-commit-config.yaml Local lint/format gate Single-file PR

Optional, lower priority: OpenSSF Scorecard action for a public-facing security score.

Suggested order

  1. Branch protection on master (stops the bleed first)
  2. Dependabot security updates toggle + secret scanning/push protection (toggles, immediate value)
  3. dependabot.yml + CodeQL Default setup + dependency-review-action (cheap, automated)
  4. SHA-pin Actions + zizmor
  5. SECURITY.md
  6. CODEOWNERS and .pre-commit-config.yaml (need team input)
Why branch protection first

Right now master has no required checks, no force-push block, and no deletion block (gh api repos/Knowledge-Graph-Hub/kg-microbe/branches/master/protection returns 404). Every subsequent hygiene PR relies on the base branch being stable.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions