Skip to content

Implement Security changes#2

Merged
naveedious merged 2 commits into
mainfrom
develop
Jun 3, 2026
Merged

Implement Security changes#2
naveedious merged 2 commits into
mainfrom
develop

Conversation

@naveedious

@naveedious naveedious commented Jun 3, 2026

Copy link
Copy Markdown
Owner

Summary

Security hardening from a review of the build and supply chain. No app logic
changes. Reproducible builds, pinned CI, and secret scanning, plus a fix to the
stale compose file.

What changed

Reproducible dependency builds

  • Commit package-lock.json (was gitignored) and remove it from .gitignore.
  • Dockerfile now runs npm ci instead of npm install, so builds install the
    exact pinned tree and fail if the lockfile and package.json drift.

Pin GitHub Actions to commit SHAs

  • actions/checkout, docker/login-action, docker/build-push-action,
    aquasecurity/trivy-action, and actions/delete-package-versions are pinned
    to full commit SHAs with the version kept as a trailing comment.
  • A mutable tag can be repointed if a maintainer account is compromised, which
    would run attacker code in a job that holds packages: write and the
    GITHUB_TOKEN. Pinning removes that path.

Secret scanning (gitleaks)

  • Add .gitleaks.toml: extends the default ruleset and adds rules for media
    API keys (Tautulli, Sonarr, Jellyfin), SECRET_KEY, and OIDC client secrets.
    The allowlist covers .env.example, package-lock.json integrity hashes,
    documented placeholders, and ${VAR} compose interpolation.
  • Add .github/workflows/gitleaks.yml: scans on push and pull request with full
    history, and fails the build on a leak. Pinned to a commit SHA.
  • README gets a short Security section documenting the local and CI scan.

docker-compose cleanup

  • Drop WEB_USERNAME and WEB_PASSWORD, which the app no longer reads.
  • Add the required SECRET_KEY. Without it the container exits on startup, so
    the committed compose file would not have run as written.

Testing

  • npm ci --omit=dev resolves cleanly against the new lockfile (0 advisories).
  • Ran gitleaks 8.21.2 against this branch:
    • working tree: no leaks
    • full git history: no leaks
    • control test with planted fake keys: all three rules fired and failed as
      expected
  • Action SHAs were resolved from the upstream tags with git ls-remote.

Not included

The webhook endpoint is still open by default (no secret required when
webhook_secret is blank). That is a deliberate design choice for the LAN
deployment and is left for a separate discussion.

naveedious added 2 commits June 3, 2026 19:15
@naveedious
chore(security): pin CI actions to SHAs, commit lockfile + npm ci, fi…
9e1c1c3 
…x compose env

- add package-lock.json, stop ignoring it, switch Dockerfile to npm ci for reproducible builds
- SHA-pin all GitHub Actions (checkout, login, build-push, trivy, delete-package-versions)
- docker-compose: drop unused WEB_USERNAME/WEB_PASSWORD, add required SECRET_KEY
@naveedious
ci(security): add gitleaks secret scanning
05f5815 
- .gitleaks.toml: extend defaults + rules for media API keys, SECRET_KEY, OIDC client_secret
- allowlist placeholders, lockfile hashes, compose ${VAR}; stopword for frontend JS FP
- .github/workflows/gitleaks.yml: SHA-pinned scan on push + PR, full history
- README: document local + CI secret scanning
@naveedious naveedious merged commit fbbbb89 into main Jun 3, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@naveedious