From 66fe484f0df3905c14907e3e1bb6c2e7bf91dad8 Mon Sep 17 00:00:00 2001 From: yangjianbo Date: Tue, 6 Jan 2026 20:26:32 +0800 Subject: [PATCH] =?UTF-8?q?chore:=20=E5=88=A0=E9=99=A4=E4=BE=9D=E8=B5=96?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=96=87=E6=A1=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/dependency-security.md | 58 ------------------------------------- 1 file changed, 58 deletions(-) delete mode 100644 docs/dependency-security.md diff --git a/docs/dependency-security.md b/docs/dependency-security.md deleted file mode 100644 index 66545011..00000000 --- a/docs/dependency-security.md +++ /dev/null 
@@ -1,58 +0,0 @@ -# Dependency Security - -This document describes how dependency and toolchain security is managed in this repo. - -## Go Toolchain Policy (Pinned to 1.25.5) - -The Go toolchain is pinned to 1.25.5 to address known security issues. - -Locations that MUST stay aligned: -- `backend/go.mod`: `go 1.25.5` and `toolchain go1.25.5` -- `Dockerfile`: `GOLANG_IMAGE=golang:1.25.5-alpine` -- Workflows: use `go-version-file: backend/go.mod` and verify `go1.25.5` - -Update process: -1. Change `backend/go.mod` (go + toolchain) to the new patch version. -2. Update `Dockerfile` GOLANG_IMAGE to the same patch version. -3. Update workflows if needed and keep the `go version` check in place. -4. Run `govulncheck` and the CI security scan workflow. - -## Security Scans - -Automated scans run via `.github/workflows/security-scan.yml`: -- `govulncheck` for Go dependencies -- `gosec` for static security issues -- `pnpm audit` for frontend production dependencies - -Policy: -- High/Critical findings fail the build unless explicitly exempted. -- Exemptions must include mitigation and an expiry date. - -## Audit Exceptions - -Exception list location: `.github/audit-exceptions.yml` - -Required fields: -- `package` -- `advisory` (GHSA ID or advisory URL from pnpm audit) -- `severity` -- `mitigation` -- `expires_on` (recommended <= 90 days) - -Process: -1. Add an exception with mitigation details and an expiry date. -2. Ensure the exception is reviewed before expiry. -3. Remove the exception when the dependency is upgraded or replaced. - -## Frontend xlsx Mitigation (Plan A) - -Current mitigation: -- Use dynamic import so `xlsx` only loads during export. -- Keep export access restricted and data scope limited. - -## Rollback Guidance - -If a change causes issues: -- Go: revert `backend/go.mod` and `Dockerfile` to the previous version. -- Frontend: revert the dynamic import change if needed. -- CI: remove exception entries and re-run scans to confirm status.
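Review bot: Deleting the whole of `docs/dependency-security.md` (the single hunk, lines 1-58) removes the only stated policy for several things the repo still enforces, with no replacement and no rationale in the commit message beyond "chore". The removed text is what tells a contributor that `backend/go.mod`, `Dockerfile` (`GOLANG_IMAGE=golang:1.25.5-alpine`) and the workflows' `go version` check must stay aligned, that High/Critical findings from `govulncheck`, `gosec` and `pnpm audit` fail the build unless exempted, and what fields an entry in `.github/audit-exceptions.yml` needs (`package`, `advisory`, `severity`, `mitigation`, `expires_on`, recommended <= 90 days). If that policy has moved elsewhere, the commit message or a short pointer in the README should say where; if it has not, the exception file and the security-scan workflow now operate with undocumented rules, and the expiry review step ("Ensure the exception is reviewed before expiry") has no owner text left. Suggest either keeping the document, or folding the "Go Toolchain Policy", "Security Scans" and "Audit Exceptions" sections into an existing contributor doc in the same change so the deletion is not a net loss of process.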