🛡️ Security Documentation
Comprehensive security measures implemented in conditional-paths-action
🔍 Static Analysis Security Testing (SAST)
CodeQL analysis runs on every commit to detect security vulnerabilities, including:
- Injection vulnerabilities
- Cross-site scripting (XSS)
- Insecure cryptographic practices
- Authentication and authorization flaws
🛡️ Dependency Vulnerability Scanning
The Trivy scanner checks all dependencies for known vulnerabilities:
- CVE database matching
- CRITICAL and HIGH severity alerts
- Automated SARIF reporting
- GitHub Security tab integration
🔐 Secret Detection
GitLeaks scans for accidentally committed secrets:
- API keys and tokens
- Database credentials
- Private keys and certificates
- Custom regex patterns
📜 License Compliance
Automated license checking keeps the project and its dependencies within the allowed set of licenses:
- Allowed licenses: MIT, ISC, BSD, Apache 2.0
- Source code header validation
- Dependency license scanning
- SBOM license documentation
🔒 GitHub Actions Security
All workflows follow security best practices:
- Third-party actions pinned to full commit SHAs rather than mutable tags
- GITHUB_TOKEN permissions scoped to the minimum each workflow needs
- No interpolation of untrusted event data (PR titles, branch names, comment bodies) into shell commands
- Secure artifact handling
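The three workflow rules above are easy to state and easy to regress on, so a repository-side lint is worth having. The following script is an added example, not part of conditional-paths-action or its CI; it scans workflow YAML text with regular expressions (no YAML parser) and reports `uses:` references that are not pinned to a 40-hex commit SHA, a missing or `write-all` `permissions:` block, and any `${{ github.event.* }}` or `github.head_ref` expression placed directly inside a `run:` step. The two sample workflows are constructed for illustration, and the all-zero SHA is a placeholder, not a real commit of actions/checkout.

```python
"""Audit GitHub Actions workflow text for the three rules above: SHA-pinned
`uses:` references, an explicit `permissions:` block, and no event data
interpolated into `run:` shell. Regex heuristic over the YAML text (no YAML
parser), so unusual layouts can be missed or over-flagged: treat hits as
review prompts, not verdicts.
"""
import re
from typing import Iterator, List, Optional, Tuple

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo[/path]@ref`, optionally quoted
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
# group 1 is the prefix up to the `run` key, used to track block-scalar indentation
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
# any expression reading event payload fields or the PR head ref
UNTRUSTED_RE = re.compile(r"\$\{\{[^}]*\bgithub\.(?:event\.|head_ref)")


def check_uses(ref: str) -> Optional[str]:
    """Return a finding for a `uses:` reference that is not pinned to a full SHA."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local actions and container images are outside this rule
    if "@" not in ref:
        return f"unpinned (no @ref): {ref}"
    version = ref.rpartition("@")[2]
    if not FULL_SHA_RE.match(version):
        return f"not pinned to a full commit SHA: {ref}"
    return None


def iter_run_lines(lines: List[str]) -> Iterator[Tuple[int, str]]:
    """Yield (line number, text) for every line that belongs to a `run:` step."""
    in_block, key_col = False, 0
    for no, line in enumerate(lines, 1):
        if in_block:
            indent = len(line) - len(line.lstrip())
            if line.strip() == "" or indent > key_col:
                yield no, line
                continue
            in_block = False  # dedented past the `run` key: block scalar ended
        m = RUN_RE.match(line)
        if m:
            yield no, line
            value = m.group(2).strip()
            if value == "" or value[0] in "|>":  # a block scalar follows
                in_block, key_col = True, len(m.group(1))


def check_permissions(text: str) -> List[str]:
    findings = []
    values = re.findall(r"^\s*permissions:\s*(.*)$", text, re.M)
    if not values:
        findings.append("no `permissions:` block; GITHUB_TOKEN falls back to the repository default")
    if any(v.strip().strip("'\"") == "write-all" for v in values):
        findings.append("`permissions: write-all` grants every token scope")
    return findings


def audit_workflow(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all three rules hold."""
    lines = text.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and (problem := check_uses(m.group(1))):
            findings.append(f"line {no}: {problem}")
    for no, line in iter_run_lines(lines):
        if UNTRUSTED_RE.search(line):
            findings.append(f"line {no}: event data interpolated into `run:`; pass it via `env:` instead")
    findings.extend(check_permissions(text))
    return findings


# Constructed sample workflows (not from the project). The all-zero SHA is a
# placeholder, not a real commit of actions/checkout.
UNSAFE_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Greet
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""

SAFE_WORKFLOW = """\
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, audit_workflow(wf) or "OK")
```

Run it against `.github/workflows/*.yml` in a pre-commit hook or a CI job. The safe sample shows the intended fix for the third rule: the untrusted value is bound to an environment variable under `env:`, and the shell reads `$PR_TITLE`, so a PR title containing `"; curl …` is data rather than part of the command line. The SHA check deliberately refuses short SHAs and tags alike, because only a full commit hash is immutable; tags and branches can be moved after review.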
Security Policy: For reporting security vulnerabilities, see our Security Policy.