diff --git a/.github/ISSUE_TEMPLATE/security-batch.yml b/.github/ISSUE_TEMPLATE/security-batch.yml
new file mode 100644
index 00000000000..11864961966
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/security-batch.yml
@@ -0,0 +1,91 @@
+name: Security Batch
+description: Recurring sprint issue for security dashboard triage, CIS benchmark checks, and CI readiness.
+title: "Security Batch: YYYY-MM-DD"
+labels:
+ - "type:security"
+ - "area:security"
+ - "lane:security"
+assignees: []
+body:
+ - type: markdown
+ attributes:
+ value: |
+ ## Security Batch Sprint
+ Use this template to run the recurring security batch. Reference:
+ - Runbook: docs/security/SECURITY_BATCH.md
+ - CIS checks: docs/security/SECURITY_CIS.md
+ - Readiness authority: docs/SUMMIT_READINESS_ASSERTION.md
+ - type: input
+ id: sprint-window
+ attributes:
+ label: Sprint window
+ description: Planned dates for this security batch.
+ placeholder: "2026-02-10 → 2026-02-24"
+ validations:
+ required: true
+ - type: input
+ id: owner
+ attributes:
+ label: Owner
+ description: Primary accountable owner for this batch.
+ placeholder: "@security-lead"
+ validations:
+ required: true
+ - type: input
+ id: dashboard-review
+ attributes:
+ label: Security dashboard review
+ description: Link to GitHub security/code view review and timestamp.
+ placeholder: "https://github.com///security/code (reviewed YYYY-MM-DD)"
+ validations:
+ required: true
+ - type: input
+ id: cis-run
+ attributes:
+ label: CIS benchmark run evidence
+ description: Link to evidence artifact or report (must be ≤ 7 days old).
+ placeholder: "artifacts/security/cis-report-YYYY-MM-DD.md"
+ validations:
+ required: true
+ - type: textarea
+ id: acceptance-criteria
+ attributes:
+ label: Acceptance criteria
+ value: |
+ - [ ] No open **high/critical** alerts in GitHub `security/code` view.
+ - [ ] CIS benchmark run completed in the last 7 days and archived.
+ - [ ] CI green on `.github/workflows/ci.yml` for touched components.
+ - [ ] Security batch findings logged as follow-on issues.
+ validations:
+ required: true
+ - type: textarea
+ id: execution-log
+ attributes:
+ label: Execution log
+ description: Capture commands, evidence links, and notes.
+ placeholder: |
+ - Command: ./scripts/security-hardening-suite.sh (CIS validation)
+ - Evidence:
+ - Notes: ...
+ validations:
+ required: true
+ - type: textarea
+ id: governed-exceptions
+ attributes:
+ label: Governed Exceptions
+ description: List approved exceptions with links to approval records (if any).
+ placeholder: |
+ - Exception ID: EX-YYYY-###
+ Approval:
+ Scope:
+ validations:
+ required: true
+ - type: checkboxes
+ id: verification
+ attributes:
+ label: Verification
+ options:
+ - label: CI workflow results reviewed (ci.yml)
+ - label: CIS benchmark evidence attached
+ - label: Security dashboard alerts triaged
+ - label: Follow-on issues created and labeled lane:security
diff --git a/.github/labels.json b/.github/labels.json
index b66987a4664..aa90b77069e 100644
--- a/.github/labels.json
+++ b/.github/labels.json
@@ -94,6 +94,21 @@
 "color": "e11d21",
 "description": "Security/compliance"
 },
+ {
+ "name": "lane:security",
+ "color": "0b7285",
+ "description": "Security program lane"
+ },
+ {
+ "name": "lane:bizdev",
+ "color": "6f42c1",
+ "description": "Business development lane"
+ },
+ {
+ "name": "lane:infra",
+ "color": "1d76db",
+ "description": "Infrastructure lane"
+ },
 {
 "name": "area:release",
 "color": "f9d0c4",
diff --git a/.github/labels.yml b/.github/labels.yml
index 6aef8a3d9e0..dee11b79685 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -55,6 +55,15 @@
 - name: "area:security"
 color: "e11d21"
 description: "Security and compliance"
+- name: "lane:security"
+ color: "0b7285"
+ description: "Security program lane"
+- name: "lane:bizdev"
+ color: "6f42c1"
+ description: "Business development lane"
+- name: "lane:infra"
+ color: "1d76db"
+ description: "Infrastructure lane"
 - name: "area:release"
 color: "f9d0c4"
 description: "Release management and gating"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dde4d214418..a521db50c65 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
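Review bot: The `governed-exceptions` textarea is marked `required: true` while its description says exceptions are listed only "(if any)", so a batch with no exceptions cannot be submitted without typing filler into an evidence field; either drop the requirement or tell the author what to write when there are none, e.g. `description: List approved exceptions with links to approval records; write "None" if there are no exceptions.` The `dashboard-review` placeholder `https://github.com///security/code` has an empty owner/repo segment (template variables were probably stripped) and should read `https://github.com/<org>/<repo>/security/code`. The `verification` checkboxes carry no `required: true`, so the form does not actually enforce the definition of done they encode; if they are meant as a gate, add `required: true` under each option.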
@@ -6,6 +6,8 @@ on:
 branches: [ main ]
 paths-ignore:
 - "**/*.md"
+ schedule:
+ - cron: "0 3 * * *"
 concurrency:
 group: ci-${{ github.ref }}
@@ -24,8 +26,6 @@ jobs:
 timeout-minutes: 5
 steps:
 - uses: actions/checkout@v4
- - name: Setup pnpm
- uses: pnpm/action-setup@v4
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
 - name: Validate Jest & pnpm Configuration
@@ -72,11 +72,6 @@ jobs:
 needs: [typecheck]
 steps:
 - uses: actions/checkout@v4
- - name: Setup Node
- uses: actions/setup-node@v4
- with:
- node-version-file: .nvmrc
- cache: "pnpm"
 - name: Setup Node
 uses: actions/setup-node@v4
 with:
@@ -103,6 +98,25 @@ jobs:
 name: coverage-report
 path: server/coverage/
+ smoke-fast:
+ name: Smoke (Fast)
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ needs: [typecheck]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version-file: .nvmrc
+ cache: "pnpm"
+ - name: Setup pnpm
+ uses: pnpm/action-setup@v4
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+ - name: Smoke (GA)
+ run: pnpm ga:smoke
+
 integration-test:
 runs-on: ubuntu-latest
 timeout-minutes: 5
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index a99761366f1..975dbf16193 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
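Review bot: In the new `smoke-fast` job, `actions/setup-node@v4` with `cache: "pnpm"` runs before `pnpm/action-setup@v4`; setup-node resolves the pnpm cache location by invoking pnpm, so unless pnpm already happens to be on the runner's PATH this step fails before the job ever reaches `pnpm install`. Swap the two steps so `Setup pnpm` precedes `Setup Node`, matching the pnpm-first order visible in the earlier hunk of this file. Separately, every action here is pinned to a mutable tag (`@v4`) rather than a commit SHA; for a workflow that now also runs unattended on a nightly schedule, pinning to the full SHA with the tag in a trailing comment is the usual supply-chain hardening. The hunk ends inside the workflow and the `integration-test` job that follows is outside the view.
```yaml
      steps:
        - uses: actions/checkout@v4
        - name: Setup pnpm
          uses: pnpm/action-setup@v4
        - name: Setup Node
          uses: actions/setup-node@v4
          with:
            node-version-file: .nvmrc
            cache: "pnpm"
        # … unchanged: Install dependencies and Smoke (GA) steps …
```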
@@ -40,6 +40,18 @@ For ready-to-use templates that keep issues and PRs crisp, copy the relevant pla
 - `fix/graph/node-expansion-crash`
 - `docs/api/update-schema`
+#### Lane Labels & Definitions of Done
+
+We use lane labels to keep workstreams explicit and to enforce lane-specific definitions of done.
+
+- **`lane:security`**: Security batch sprints, dashboard triage, CIS benchmark checks, and
+ remediation planning.
+ - **Done**: Security dashboard reviewed, CIS run ≤ 7 days old, follow-on issues filed, CI green.
+- **`lane:bizdev`**: Business development commitments, partner enablement, and GTM collateral.
+ - **Done**: Stakeholder signoff and artifacts delivered (proposal, deck, or contract).
+- **`lane:infra`**: Infrastructure readiness, environments, and deployment automation.
+ - **Done**: Change validated in target environment with rollback evidence.
+
 ### 2. Making Changes
 - **Atomic PRs**: One feature or fix per PR. Avoid "kitchen sink" PRs.
diff --git a/docs/roadmap/STATUS.json b/docs/roadmap/STATUS.json
index 281d973af71..ed84b9cd5b1 100644
--- a/docs/roadmap/STATUS.json
+++ b/docs/roadmap/STATUS.json
@@ -1,6 +1,6 @@
 {
- "last_updated": "2026-02-07T00:00:00Z",
- "revision_note": "Added Summit PR Stack Sequencer skill scaffolding.",
+ "last_updated": "2026-02-08T02:37:52Z",
+ "revision_note": "Refined security batch governance references and governed exception capture.",
 "initiatives": [
 {
 "id": "adenhq-hive-subsumption-lane1",
diff --git a/docs/security/SECURITY_BATCH.md b/docs/security/SECURITY_BATCH.md
new file mode 100644
index 00000000000..4df60e69d3b
--- /dev/null
+++ b/docs/security/SECURITY_BATCH.md
@@ -0,0 +1,36 @@
+# Security Batch Runbook
+
+**Purpose:** Standardize recurring security batch sprints for dashboard triage, CIS benchmark
+validation, and remediation intake.
+
+## References
+
+- Primary playbook: [SECURITY_BATCH_1_PLAYBOOK.md](SECURITY_BATCH_1_PLAYBOOK.md)
+- CIS benchmark guidance: [SECURITY_CIS.md](SECURITY_CIS.md)
+- Security pipeline controls: [security-pipeline.md](security-pipeline.md)
+- Readiness authority: [SUMMIT_READINESS_ASSERTION.md](../SUMMIT_READINESS_ASSERTION.md)
+
+## Execution Steps
+
+1. **Open the Security Batch issue** using the `Security Batch` issue template.
+2. **Review GitHub Security Dashboard** (`/security/code`):
+ - Triage all high/critical alerts.
+ - Link each alert to a follow-on issue labeled `lane:security`.
+3. **Run CIS benchmark validation** using the CIS runbook and capture evidence artifacts.
+4. **Verify CI health** for `.github/workflows/ci.yml` on touched components.
+5. **Record outcomes** in the batch issue:
+ - Evidence links
+ - Exceptions (if any) as **Governed Exceptions** with links to approval records
+ - Follow-on issue links
+
+## Acceptance Criteria
+
+- No open high/critical alerts in GitHub `security/code` view.
+- Latest CIS benchmark run ≤ 7 days old and archived.
+- CI green for `ci.yml` on touched components.
+- Follow-on issues created and labeled `lane:security`.
+
+## Escalation
+
+Escalate unresolved high/critical alerts to Security Leadership and Release Captain per
+[SECURITY_OPERATIONS.md](SECURITY_OPERATIONS.md).
diff --git a/docs/security/SECURITY_CIS.md b/docs/security/SECURITY_CIS.md
new file mode 100644
index 00000000000..3e67279d358
--- /dev/null
+++ b/docs/security/SECURITY_CIS.md
@@ -0,0 +1,37 @@
+# CIS Benchmark Validation Runbook
+
+**Purpose:** Provide a repeatable, auditable CIS benchmark validation procedure for Summit.
+
+## Preconditions
+
+- Access to the target Kubernetes cluster context.
+- `kubectl`, `trivy`, and `cosign` installed in the execution environment.
+- Read access to `scripts/security-hardening-suite.sh`.
+
+## Primary Run
+
+Use the security hardening suite to perform baseline CIS validation and related checks:
+
+```bash
+./scripts/security-hardening-suite.sh
+```
+
+This suite performs the following CIS-aligned checks:
+
+- Pod Security Standards enforcement.
+- Network policy coverage inspection.
+- Privileged container detection.
+- Image signature validation via `cosign`.
+- RBAC permission validation.
+- Vulnerability scan via `trivy`.
+
+## Evidence Capture
+
+- Save the generated `security-hardening-report-.md` to the security evidence store.
+- Attach the report link in the Security Batch issue template under **CIS benchmark run evidence**.
+
+## Validation Cadence
+
+- **Requirement:** Latest CIS benchmark run must be ≤ 7 days old.
+- **Failure Handling:** Record deviations as **Governed Exceptions** with approval links and open a
+ follow-on issue labeled `lane:security`.