From ea9b2c5e20b507e91846d07343c553d955984ecb Mon Sep 17 00:00:00 2001
From: Koji Takao
Date: Wed, 21 Jan 2026 22:39:50 +0900
Subject: [PATCH 1/2] Add security scanning and Dependabot configuration
- Add security.yml workflow with Brakeman (SAST) and Bundle Audit
- Add dependabot.yml for automated dependency updates
- Schedule weekly security scans on Mondays
- Group dependency updates by type (development/production)
Co-Authored-By: Claude Opus 4.5
---
.github/dependabot.yml | 27 ++++++++++++++++++++++
.github/workflows/security.yml | 42 ++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/security.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..ec87ae9d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+ - package-ecosystem: "bundler"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 10
+ groups:
+ development-dependencies:
+ dependency-type: "development"
+ production-dependencies:
+ dependency-type: "production"
+ commit-message:
+ prefix: "deps"
+ labels:
+ - "dependencies"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ commit-message:
+ prefix: "ci"
+ labels:
+ - "ci"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..2f85d347
--- /dev/null
+++ b/.github/workflows/security.yml
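Review bot: Nothing in this file covers Dependabot security updates, which are switched on in the repository's security settings rather than configured here, so the weekly Monday schedule under each `schedule:` block governs version updates only; a comment such as `# Version updates only; Dependabot security (vulnerability) updates are enabled separately in repository settings` above `updates:` would stop a reader from assuming the scan cadence also drives vulnerability fixes. The `groups:` block under the `bundler` entry also, as far as I recall, applies only to version updates unless a group carries `applies-to: "security-updates"`, so a vulnerability-driven bump would still arrive as an individual PR. The `github-actions` entry has no `open-pull-requests-limit`, which leaves it at Dependabot's default of 5; stating it explicitly, as the `bundler` entry does, keeps the two entries symmetrical.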
@@ -0,0 +1,42 @@
+name: Security
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: ['**']
+ schedule:
+ - cron: '0 0 * * 1' # Every Monday at 00:00 UTC
+
+jobs:
+ brakeman:
+ name: Brakeman (Static Analysis)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.3'
+ - name: Install Brakeman
+ run: gem install brakeman
+ - name: Run Brakeman
+ run: brakeman --no-pager -w2 --skip-files test/
+
+ bundle-audit:
+ name: Bundle Audit (Dependency Check)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.3'
+ - name: Install dependencies
+ run: bundle install --jobs 4 --retry 3
+ - name: Install bundle-audit
+ run: gem install bundler-audit
+ - name: Update vulnerability database
+ run: bundle-audit update
+ - name: Run bundle-audit
+ run: bundle-audit check
From 8677ba2dffa016f2a41286d03849982dcc92fd4c Mon Sep 17 00:00:00 2001
From: Koji Takao
Date: Wed, 21 Jan 2026 22:41:24 +0900
Subject: [PATCH 2/2] Remove Brakeman (not suitable for gem libraries)
Brakeman requires a Rails application structure. This project is a Ruby gem library, so only Bundle Audit is needed for security scanning.
Co-Authored-By: Claude Opus 4.5
---
.github/workflows/security.yml | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 2f85d347..4cb8ceeb 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
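Review bot: The workflow declares no `permissions` block, so both jobs run with whatever default GITHUB_TOKEN scope the repository grants, although neither job needs more than a checkout; add `permissions:` / `  contents: read` at the top level right after `name: Security`, so that code executed during `bundle install` (native extension builds, gem install hooks) never has a write-scoped token available. `actions/checkout@v4` and `ruby/setup-ruby@v1` are referenced by mutable major tags; since this series also adds a Dependabot `github-actions` entry, pinning each to a full commit SHA with the tag in a trailing comment would be kept current automatically and removes tag-retargeting as a supply-chain risk. If `Gemfile.lock` is not committed (common for gem libraries), the `bundle install` step is what produces the lockfile that `bundle-audit check` reads, and a comment saying so would keep a future cleanup from dropping the step as unneeded. `gem install bundler-audit` is unpinned, so the scanner itself changes underneath the workflow; a version constraint on that line would make scan results reproducible.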
@@ -9,20 +9,6 @@ on: - cron: '0 0 * * 1' # Every Monday at 00:00 UTC jobs: - brakeman: - name: Brakeman (Static Analysis) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.3' - - name: Install Brakeman - run: gem install brakeman - - name: Run Brakeman - run: brakeman --no-pager -w2 --skip-files test/ - bundle-audit: name: Bundle Audit (Dependency Check) runs-on: ubuntu-latest