Merge branch 'master' into main

Author: kalvinparker

.github/dependabot.yml

@@ -0,0 +1,29 @@
+# .github/dependabot.yml
+#
+# Formal configuration for Dependabot to automate supply chain security.
+
+version: 2
+updates:
+  # 1. Check for updates to the npm dependencies (e.g., @google/gemini-cli)
+  # This ensures our core tool is always patched and up-to-date.
+  - package-ecosystem: "npm"
+    directory: "/" # Location of package.json
+    schedule:
+      interval: "weekly"
+    # Assign reviewers or labels if needed
+    # reviewers:
+    #   - "kalvinparker"
+
+  # 2. Check for updates to the Docker base image (node:22-alpine)
+  # This is critical for patching OS-level vulnerabilities in our container.
+  - package-ecosystem: "docker"
+    directory: "/" # Location of Dockerfile
+    schedule:
+      interval: "weekly"
+
+  # 3. Check for updates to our GitHub Actions
+  # This mitigates the risk of vulnerabilities in our CI/CD pipeline itself.
+  - package-ecosystem: "github-actions"
+    directory: "/" # Location of workflow files
+    schedule:
+      interval: "weekly"

.github/workflows/build-and-scan.yml

@@ -0,0 +1,42 @@
+# .github/workflows/build-and-scan.yml
+
+name: Build and Scan Image
+
+# This workflow runs on every push to main and on every pull request
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read # Required to check out the code
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # STEP 1: Build the image and load it into the local runner daemon.
+      # The 'load: true' command is the critical fix.
+      - name: Build and load local image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          load: true
+          # We give it a temporary, predictable tag for the next step.
+          tags: secure-gemini-cli:scan-target
+
+      # STEP 2: Scan the image that was just built and loaded.
+      # This step will now find the image 'secure-gemini-cli:scan-target'.
+      - name: Scan image with Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'secure-gemini-cli:scan-target'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

.github/workflows/pr-scan.yml

@@ -38,18 +38,6 @@ This project isn't just a `Dockerfile`; it's a complete, secure software lifecyc
 - Size: ~656.6 MB
 - Trivy scan report (full JSON): `trivy-report.json` (saved in the project root)
 
-Trivy findings (quick summary):
-
-- I parsed and searched the saved `trivy-report.json` in this repository for vulnerability records. No vulnerability objects were found in the report.
-
-Severity counts (from `trivy-report.json`):
-
-- CRITICAL: 0
-- HIGH: 0
-- MEDIUM: 0
-- LOW: 0
-- UNKNOWN: 0
-
 If you'd like a deeper supply-chain audit (for example, run `npm audit` locally and attempt auto-fixes, or re-run Trivy with a different policy), I can add step-by-step remediation guidance. Otherwise this image's saved scan contains no findings to triage.
 
 ## Build locally
@@ -94,10 +82,10 @@ docker run --rm aquasec/trivy:latest image secure-gemini-cli:latest
 
 ## Git / Commit
 
-If you'd like to commit the approved configuration locally, run these PowerShell steps (replace `<your-username>` when adding the remote):
+If you'd like to commit the approved configuration locally, run these PowerShell steps (replace `<folder-location>` and `<your-username>` when adding the remote):
 
 ```powershell
-cd "D:\My Documents\Docker Projects\secure-gemini"
+cd "<folder-location>"
 # create .gitignore if you haven't already
 @"
 node_modules/
@@ -123,7 +111,7 @@ git push -u origin main
 
 A GitHub Actions workflow (`.github/workflows/docker-build-scan.yml`) is included to build and scan the image with Trivy on push to `main`. This performs an automated check and can be adjusted to fail the build on specific severities.
 
-To publish the image from CI (GHCR / Docker Hub), add the appropriate secrets to your repository and enable the `docker-build-scan-publish.yml` workflow. Required secrets for Docker Hub: `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` (or use GHCR with `GITHUB_TOKEN`).
+To publish the image from CI (GHCR / Docker Hub), add the appropriate secrets to your repository and enable the `build-scan-publish.yml` workflow. Required secrets for Docker Hub: `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` (or use GHCR with `GITHUB_TOKEN`).
 
 ## Notes
 

.github/workflows/release.yml

@@ -0,0 +1,36 @@
+# Security Policy
+
+This document outlines the security policy for the `secure-gemini` project.
+
+## Supported Versions
+
+This project provides a configuration (`Dockerfile`) for building a secure container image. The security of the final image is dependent on the versions of the components at build time. I am committed to keeping the configuration in the `main` branch up-to-date with the latest secure practices.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| `master` branch | :white_check_mark: |
+| Releases (Tags) | :white_check_mark: |
+| Older commits | :x:                |
+
+**User Responsibility:** Users are responsible for pulling the latest changes from the `master` branch and rebuilding their images to ensure they have the most recent security patches and dependency versions. My CI/CD pipeline (`pr-scan.yml`) continuously validates the security of the `main` branch.
+
+## Reporting a Vulnerability
+
+I take all security vulnerabilities seriously. I believe in coordinated disclosure and appreciate the community's help in keeping our project secure.
+
+**How to Report a Vulnerability:**
+
+Please **DO NOT** report security vulnerabilities through public GitHub issues.
+
+Instead, please report them directly via one of the following methods:
+*   **Primary Method:** Use GitHub's private vulnerability reporting feature, available under the "Security" tab of this repository.
+
+**What to Expect:**
+
+When you report a vulnerability, I will make every effort to:
+1.  Acknowledge receipt of your report within 72 hours.
+2.  Provide an initial assessment of the vulnerability's validity and impact.
+3.  If the vulnerability is accepted, I will work on a fix and aim to release a patch.
+4.  Keep you informed of our progress. I will coordinate with you on the public disclosure of the vulnerability after a fix has been released.
+
+I am committed to a transparent and timely response. Thank you for helping to keep this project secure.