deps: bump actions/deploy-pages from 4 to 5#8
Open
dependabot[bot] wants to merge 23 commits into
Open
Conversation
Ten cross-cutting topics plus per-language sub-handbooks for Java (JDK 17+), Python (3.11+), Go (1.21+), and JavaScript/TypeScript (Node 20+). Same shape per file: threat, insecure example, why it fails, secure example, notes, references.
Methodology comparison (STRIDE / PASTA / attack trees / LINDDUN), when-to-use-what matrix, four templates (STRIDE-per-element, PASTA seven-stage prompts, attack-tree notation, DFD conventions), and four sanitized worked examples: REST API with OAuth2, mobile E2E messaging client, SSO/OIDC broker, CI/CD pipeline.
Security requirements template with ~20 example SR-* entries across authn / authz / session / crypto / input / output / logging / secrets / deps / tls / errors; code review checklist by category; stage-by-stage Definition of Done; gate matrix mapping each pipeline stage to mandatory checks and blocking severity; a CERT/CC- and ISO 29147-aligned VDP template; security champions program; third-party software intake tiered by data sensitivity.
Eight GitHub Actions workflows (Semgrep SAST, Trivy SCA, Gitleaks, Checkov IaC, Trivy image, Syft SBOM, cosign sign + attest, ZAP baseline) and three GitLab CI fragments. Each starts with a comment header documenting purpose, required permissions, and required secrets. Action versions pinned against the marketplace.
hardcoded-jwt-secret (multilang), python-unsafe-yaml-load, python-eval-exec, go-sql-string-concat, js-disabled-tls-verification. Each rule declares CWE / OWASP mapping in metadata; matching .test.yaml documents positive and negative cases.
Pod Security Admission profiles and rollout, default-deny NetworkPolicy with a DNS-egress allow companion, three OPA Gatekeeper ConstraintTemplate / Constraint pairs, and five Falco starter rules tied to MITRE ATT&CK techniques.
SBOM generation (CycloneDX / SPDX via Syft and language-native generators; storage and continuous CVE matching; VEX). Dependency pinning per ecosystem with Renovate config example. SLSA v1.0 Build track levels 1-3 with concrete GitHub Actions / Sigstore / SLSA generator examples and a Kyverno admission policy.
ASVS 5.0 verification checklist, SAMM v2 self-assessment grid, OWASP Top 10 (2025), API Top 10 (2023), LLM Top 10 (2025), CI/CD Top 10, NIST SSDF v1.1 task-by-task mapping, CWE Top 25 (2025) with primary + secondary defence, and a cross-framework mapping matrix.
Zero trust (NIST SP 800-207), API gateway responsibilities, OAuth2 / OIDC flows with sequence diagrams (Authorization Code + PKCE, Client Credentials, Device Code), SAML SP-init and IdP-init with signature-wrapping defences, mTLS + SPIFFE/SPIRE, crypto cheatsheet with recommended parameters per scenario, secrets management tiered by blast radius, multi-tenancy isolation spectrum. Deprecated implicit and ROPC flows mentioned only as warnings.
Per-category evaluation criteria for SAST / SCA / DAST / MAST / ASPM, a catalogue of public deliberately-vulnerable benchmark projects, and a proof-of-concept report template.
Shared template plus four sanitized class-of-bug writeups: JWT key confusion (RS256 -> HS256) with CVE-2015-9235 and CVE-2016-10555; SSRF against cloud metadata (IMDSv1) with AWS / GCP / Azure mitigations; prototype pollution via merge with CVE-2018-3721 / CVE-2019-10744 / CVE-2020-8203; polymorphic deserialization in Jackson with CVE-2017-7525. CVSS scores and vectors verified against NVD at write time.
Markdownlint on all .md via the cli2 action. Yamllint on devsecops/ and .github/ with a relaxed config for educational snippets. Actionlint checks both the handbook's own workflows and the templates under devsecops/ci-templates/ (advisory). Semgrep validates and tests the custom rules. Dependabot tracks github-actions and pip. Lychee link checker runs offline on PRs (blocking) and weekly with network access (files an issue on rot).
mkdocs.yml configured for docs_dir = repo root via the same-dir plugin, plus awesome-pages for nav and section-index so README.md files act as section indexes. Theme: material, slate+default with amber accent. Standard pymdownx extensions for admonitions, tabbed blocks, and mermaid fences. Pages workflow builds with mkdocs and deploys via deploy-pages. Strict mode is off until the existing [secure-coding/](secure-coding/) style links resolve cleanly under section-index. Pages source must be switched to "GitHub Actions" in repository settings for the first deploy to take effect.
SECURITY.md states scope (the materials themselves -- docs, Semgrep rules, CI templates, K8s policies -- not a runtime), disclosure email, and a 7/30-day ack/triage SLA. CODEOWNERS routes review to @maverick-hackz, with explicit entries for security-sensitive paths. PR template asks the four CONTRIBUTING.md questions. Issue templates: defect, content request, and link-rot (auto-filed by the weekly link checker).
Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4 to 5. - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@v4...v5) --- updated-dependencies: - dependency-name: actions/deploy-pages dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/deploy-pages from 4 to 5.
Release notes
Sourced from actions/deploy-pages's releases.
... (truncated)
Commits
cd2ce8fMerge pull request #404 from salmanmkc/node24bbe2a95Update Node.js version to 24.x854d7aaMerge pull request #374 from actions/Jcambass-patch-1306bb81Add workflow file for publishing releases to immutable action packageb742728Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...7273294Bump braces in the npm_and_yarn group across 1 directory963791fMerge pull request #361 from actions/dependabot-friendly51bb29dMake the rebuild dist workflow safer for Dependabot89f3d10Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...bce7355Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)