Skip to content
This repository was archived by the owner on Feb 15, 2026. It is now read-only.

security: add threat model, update docs, add govulncheck#5

Merged
NicolasRitouet merged 2 commits into
mainfrom
security/threat-model-and-ci
Feb 6, 2026
Merged

security: add threat model, update docs, add govulncheck#5
NicolasRitouet merged 2 commits into
mainfrom
security/threat-model-and-ci

Conversation

@NicolasRitouet

@NicolasRitouet NicolasRitouet commented Feb 6, 2026

Copy link
Copy Markdown
Member

Summary

  • Add SECURITY.md with complete threat model, trust boundaries diagram, deployment requirements, cryptographic details, and vulnerability disclosure policy
  • Update README.md: fix architecture diagram (was labeled "mTLS" but not implemented yet), add network isolation warning, document ENCRYPTION_KEYS multi-key format and GRPC_PORT
  • Add govulncheck step to GitHub Actions CI for automated dependency vulnerability scanning

Test plan

  • Review SECURITY.md for accuracy
  • Verify CI pipeline passes with new govulncheck step
  • Confirm README architecture diagram accurately reflects current state

🤖 Generated with Claude Code

NicolasRitouet and others added 2 commits February 6, 2026 05:13
- Add SECURITY.md with full threat model, trust boundaries,
  deployment requirements, and vulnerability disclosure policy
- Update README: fix architecture diagram (was incorrectly labeled
  mTLS), document network isolation requirement, add ENCRYPTION_KEYS
  and GRPC_PORT to configuration table
- Add govulncheck step to CI pipeline for dependency vulnerability
  scanning

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
govulncheck reports GO-2026-4337 (crypto/tls session resumption)
which is a stdlib vuln fixed in go1.24.13. Since we don't control
the Go release cycle, make govulncheck emit a warning instead of
failing the build for stdlib vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@NicolasRitouet
NicolasRitouet merged commit 7e2b780 into main Feb 6, 2026
2 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant