
deps: update mkdocs-material requirement from <10,>=9.5 to >=9.7.6,<10 #5

Open

dependabot[bot] wants to merge 23 commits into main from dependabot/pip/mkdocs-material-gte-9.7.6-and-lt-10

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Updates the requirements on mkdocs-material to permit the latest version.

Release notes

Sourced from mkdocs-material's releases.

mkdocs-material-9.7.6

[!WARNING]

Material for MkDocs is in maintenance mode

Going forward, the Material for MkDocs team focuses on Zensical, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs until November 2026.

Read the full announcement on our blog

Changes

  • Automatically disable MkDocs 2.0 warning for forks of MkDocs

Changelog

Sourced from mkdocs-material's changelog.

mkdocs-material-9.7.6 (2026-03-19)

  • Automatically disable MkDocs 2.0 warning for forks of MkDocs

mkdocs-material-9.7.5 (2026-03-10)

  • Limited version range of mkdocs to <2
  • Updated MkDocs 2.0 incompatibility warning (clarify relation with MkDocs)

mkdocs-material-9.7.4 (2026-03-03)

  • Hardened social cards plugin by switching to sandboxed environment
  • Updated MkDocs 2.0 incompatibility warning

mkdocs-material-9.7.3 (2026-02-24)

  • Fixed #8567: Print MkDocs 2.0 incompatibility warning to stderr

mkdocs-material-9.7.2 (2026-02-18)

  • Opened up version ranges of optional dependencies for forward-compatibility
  • Added warning to 'mkdocs build' about impending MkDocs 2.0 incompatibility

mkdocs-material-9.7.1 (2025-12-18)

  • Updated requests to 2.30+ to mitigate CVE in urllib
  • Fixed privacy plugin not picking up protocol-relative URLs
  • Fixed #8542: false positives and negatives captured in privacy plugin

mkdocs-material-9.7.0 (2025-11-11)

⚠️ Material for MkDocs is now in maintenance mode

This is the last release of Material for MkDocs that will receive new features. Going forward, the Material for MkDocs team focuses on Zensical, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs for 12 months at least.

Read the full announcement on our blog: https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/

This release includes all features that were previously exclusive to the Insiders edition. These features are now freely available to everyone.

Note on deprecated plugins: The projects and typeset plugins are included in this release, but must be considered deprecated. Both plugins proved unsustainable to maintain and represent architectural dead ends. They are provided as-is without ongoing support.

Changes:

... (truncated)

Commits
  • 6c52ed6 Prepare 9.7.6 release
  • 51d9b76 Automatically disable MkDocs 2.0 warning for forks of MkDocs
  • 6f9a48b Updated links
  • 00b9933 Prepare 9.7.5 release
  • 37683d1 Updated blog post on MkDocs 2.0
  • 199e315 Updated warning message to clarify relation to MkDocs
  • 1025833 Limited version range of mkdocs to <2
  • 1532f52 Added update log to blog post
  • d0c8b28 Updated dependencies to fix vulnerabilities
  • 71d4869 Updated blog post on MkDocs 2.0
  • Additional commits viewable in compare view

Ten cross-cutting topics plus per-language sub-handbooks for Java
(JDK 17+), Python (3.11+), Go (1.21+), and JavaScript/TypeScript
(Node 20+). Same shape per file: threat, insecure example, why it
fails, secure example, notes, references.

Methodology comparison (STRIDE / PASTA / attack trees / LINDDUN),
when-to-use-what matrix, four templates (STRIDE-per-element,
PASTA seven-stage prompts, attack-tree notation, DFD conventions),
and four sanitized worked examples: REST API with OAuth2, mobile
E2E messaging client, SSO/OIDC broker, CI/CD pipeline.

Security requirements template with ~20 example SR-* entries
across authn / authz / session / crypto / input / output / logging /
secrets / deps / tls / errors; code review checklist by category;
stage-by-stage Definition of Done; gate matrix mapping each pipeline
stage to mandatory checks and blocking severity; a CERT/CC- and
ISO 29147-aligned VDP template; security champions program;
third-party software intake tiered by data sensitivity.

Eight GitHub Actions workflows (Semgrep SAST, Trivy SCA, Gitleaks,
Checkov IaC, Trivy image, Syft SBOM, cosign sign + attest, ZAP
baseline) and three GitLab CI fragments. Each starts with a
comment header documenting purpose, required permissions, and
required secrets. Action versions pinned against the marketplace.

hardcoded-jwt-secret (multilang), python-unsafe-yaml-load,
python-eval-exec, go-sql-string-concat, js-disabled-tls-verification.
Each rule declares CWE / OWASP mapping in metadata; matching
.test.yaml documents positive and negative cases.

Pod Security Admission profiles and rollout, default-deny
NetworkPolicy with a DNS-egress allow companion, three OPA
Gatekeeper ConstraintTemplate / Constraint pairs, and five Falco
starter rules tied to MITRE ATT&CK techniques.

SBOM generation (CycloneDX / SPDX via Syft and language-native
generators; storage and continuous CVE matching; VEX). Dependency
pinning per ecosystem with Renovate config example. SLSA v1.0 Build
track levels 1-3 with concrete GitHub Actions / Sigstore / SLSA
generator examples and a Kyverno admission policy.

ASVS 5.0 verification checklist, SAMM v2 self-assessment grid,
OWASP Top 10 (2025), API Top 10 (2023), LLM Top 10 (2025),
CI/CD Top 10, NIST SSDF v1.1 task-by-task mapping, CWE Top 25
(2025) with primary + secondary defence, and a cross-framework
mapping matrix.

Zero trust (NIST SP 800-207), API gateway responsibilities,
OAuth2 / OIDC flows with sequence diagrams (Authorization Code +
PKCE, Client Credentials, Device Code), SAML SP-init and IdP-init
with signature-wrapping defences, mTLS + SPIFFE/SPIRE, crypto
cheatsheet with recommended parameters per scenario, secrets
management tiered by blast radius, multi-tenancy isolation
spectrum. Deprecated implicit and ROPC flows mentioned only as
warnings.

Per-category evaluation criteria for SAST / SCA / DAST / MAST /
ASPM, a catalogue of public deliberately-vulnerable benchmark
projects, and a proof-of-concept report template.

Shared template plus four sanitized class-of-bug writeups: JWT
key confusion (RS256 -> HS256) with CVE-2015-9235 and CVE-2016-10555;
SSRF against cloud metadata (IMDSv1) with AWS / GCP / Azure
mitigations; prototype pollution via merge with CVE-2018-3721 /
CVE-2019-10744 / CVE-2020-8203; polymorphic deserialization in
Jackson with CVE-2017-7525. CVSS scores and vectors verified
against NVD at write time.

dependabot Bot commented on behalf of github May 20, 2026

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from maverick-hackz as a code owner May 20, 2026 11:46

Markdownlint on all .md via the cli2 action. Yamllint on
devsecops/ and .github/ with a relaxed config for educational
snippets. Actionlint checks both the handbook's own workflows
and the templates under devsecops/ci-templates/ (advisory).
Semgrep validates and tests the custom rules.

Dependabot tracks github-actions and pip. Lychee link checker
runs offline on PRs (blocking) and weekly with network access
(files an issue on rot).

mkdocs.yml configured for docs_dir = repo root via the same-dir
plugin, plus awesome-pages for nav and section-index so README.md
files act as section indexes. Theme: material, slate+default with
amber accent. Standard pymdownx extensions for admonitions,
tabbed blocks, and mermaid fences.

Pages workflow builds with mkdocs and deploys via deploy-pages.
Strict mode is off until the existing [secure-coding/](secure-coding/)
style links resolve cleanly under section-index.

Pages source must be switched to "GitHub Actions" in repository
settings for the first deploy to take effect.

SECURITY.md states scope (the materials themselves -- docs,
Semgrep rules, CI templates, K8s policies -- not a runtime),
disclosure email, and a 7/30-day ack/triage SLA.

CODEOWNERS routes review to @maverick-hackz, with explicit
entries for security-sensitive paths.

PR template asks the four CONTRIBUTING.md questions. Issue
templates: defect, content request, and link-rot (auto-filed
by the weekly link checker).

Updates the requirements on [mkdocs-material](https://github.com/squidfunk/mkdocs-material) to permit the latest version.
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.5.0...9.7.6)

---
updated-dependencies:
- dependency-name: mkdocs-material
  dependency-version: 9.7.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot force-pushed the dependabot/pip/mkdocs-material-gte-9.7.6-and-lt-10 branch from 5abd9eb to 1533dca Compare May 20, 2026 11:55