Security hardening: secret scanning CI, Dockerfile supply-chain fixes, SECURITY.md

.github/workflows/secret-scanning.yml

@@ -0,0 +1,26 @@
+name: Secret Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2.3.9
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -69,6 +69,9 @@ ai_working/tmp
 # .claude-trace Logs
 .claude-trace
 
+# Exported session transcripts (may contain sensitive context)
+exported_transcripts/
+
 # Codex-specific artifacts and caches
 .codex-sessions/
 .codex-cache/

Dockerfile

@@ -11,16 +11,23 @@ RUN apt-get update && apt-get install -y \
     ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Node.js (required for Claude Code)
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
-    && apt-get install -y nodejs
+# Install Node.js 20.x via GPG-verified apt repository (avoids curl | bash)
+RUN apt-get install -y gnupg \
+    && mkdir -p /etc/apt/keyrings \
+    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+       | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+    && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" \
+       > /etc/apt/sources.list.d/nodesource.list \
+    && apt-get update \
+    && apt-get install -y nodejs \
+    && rm -rf /var/lib/apt/lists/*
 
-# Install Python 3.11
-RUN apt-get update && apt-get install -y python3.11 python3.11-venv python3.11-dev && rm -rf /var/lib/apt/lists/*
+# Install Python 3.11 and pip
+RUN apt-get update && apt-get install -y python3.11 python3.11-venv python3.11-dev python3-pip && rm -rf /var/lib/apt/lists/*
 
-# Install uv (Python package manager)
-RUN curl -LsSf https://astral.sh/uv/install.sh | sh
-ENV PATH="/root/.local/bin:/root/.cargo/bin:$PATH"
+# Install uv (Python package manager) via pip to avoid curl | sh supply-chain risk
+RUN pip3 install --no-cache-dir uv
+ENV PATH="/root/.local/bin:$PATH"
 ENV PNPM_HOME="/root/.local/share/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 

SECURITY.md

@@ -1,14 +1,39 @@
-<!-- BEGIN MICROSOFT SECURITY.MD V1.0.0 BLOCK -->
-
 ## Security
 
-Microsoft takes the security of our software products and services seriously, which
-includes all source code repositories in our GitHub organizations.
+We take security seriously. Please do **not** report security vulnerabilities through public GitHub issues.
+
+### Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly:
+
+1. **Open a [GitHub Security Advisory](https://github.com/acailic/amplifier-adding-codex/security/advisories/new)**
+   using the "Report a vulnerability" button on the
+   [Security tab](https://github.com/acailic/amplifier-adding-codex/security) of this repository.
+2. Include as much detail as possible: steps to reproduce, affected versions, potential impact,
+   and any suggested mitigations.
+3. Allow reasonable time (at least 90 days) for the maintainers to assess and address the issue
+   before any public disclosure.
+
+### Scope
+
+Security issues of interest include, but are not limited to:
+
+- Secret or credential exposure (hardcoded API keys, tokens, passwords)
+- Arbitrary code execution vulnerabilities
+- Privilege escalation or container escape in the Docker image
+- Supply-chain risks in the build process
+
+### Out of Scope
+
+- Issues already tracked publicly in the [issue tracker](https://github.com/acailic/amplifier-adding-codex/issues)
+- Vulnerabilities in upstream dependencies (please report those to their maintainers)
+- Theoretical vulnerabilities with no practical exploitability
 
-**Please do not report security vulnerabilities through public GitHub issues.**
+### Secrets & Environment Variables
 
-For security reporting information, locations, contact information, and policies,
-please review the latest guidance for Microsoft repositories at
-[https://aka.ms/SECURITY.md](https://aka.ms/SECURITY.md).
+This repository intentionally provides an `.env.example` template with **no real credentials**.
+Copy it to `.env` (git-ignored) and fill in your own secrets locally.
+**Never commit a `.env` file or any file containing real API keys.**
 
-<!-- END MICROSOFT SECURITY.MD BLOCK -->
+Automated secret scanning runs on every pull request and push to `main`
+via the [Secret Scanning workflow](.github/workflows/secret-scanning.yml).