Enforce supply chain security for repository #29

@emmanuelknafo

Description

Summary

Comprehensive supply chain security audit and enforcement for the repository.

Changes

  • Remove exposed Azure Storage key from appsettings.json files
  • Update vulnerable NuGet packages (Microsoft.Data.SqlClient, System.Text.Json, Newtonsoft.Json)
  • Enhance CODEOWNERS with security-sensitive path protection
  • Update SECURITY.md with project-specific vulnerability reporting process
  • Add SBOM attestation to build workflow (SLSA Level 2+)
  • Add container signing preparation to CI workflow

Security Findings Addressed

  • CRITICAL: Removed exposed Azure Storage key
  • HIGH: Updated 3 vulnerable dependencies (CVE-2024-0056, CVE-2024-0057, CVE-2024-21907)
  • HIGH: Enhanced governance controls
  • HIGH: Added build provenance attestation

Follow-up Required

  • Rotate Azure Storage key in Azure Portal
  • Configure branch protection rules
  • Verify attestations in next build
