This repository provides a centralized model for security, dependency analysis, and supply-chain protection across all GitHub repositories. All enforcement is delivered through organization Rulesets and centralized workflows. No consuming repository needs workflow files or configuration.
This framework ensures consistent security across the organization by providing:

- automated dependency and supply-chain checks
- controlled and protected CI/CD pipelines
- standardized PR review and approval flow
- zero maintenance effort for individual repositories
The Security Summary workflow:

- Runs dependency review, scorecard, and Node compliance (when needed).
- Posts a single consolidated PR comment.
- Uploads JSON/SARIF/HTML artifacts for deeper inspection.
- Detects the project type automatically and avoids unnecessary checks.
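As an added illustration (not code from this repository), the following shell script shows the kind of logic a centralized security-summary step can run: detect whether the checked-out tree is a Node project, pick the checks that apply, and render one consolidated Markdown comment from the check results. The function names, the tab-separated results format, and the sample results are assumptions constructed for the example.

```shell
#!/usr/bin/env sh
# Added example, not the framework's own code. Function names, the
# "check<TAB>status<TAB>detail" results format and the sample data are
# assumptions made for this illustration.

# detect_project_type DIR -> prints "node" when a Node manifest or lockfile
# exists in DIR, otherwise "generic". Node compliance only runs for "node".
detect_project_type() {
  dir=${1:-.}
  for f in package.json package-lock.json yarn.lock pnpm-lock.yaml; do
    if [ -f "$dir/$f" ]; then
      echo node
      return 0
    fi
  done
  echo generic
}

# checks_for TYPE -> space-separated list of checks to run for that type.
checks_for() {
  case "$1" in
    node) echo "dependency-review scorecard node-compliance" ;;
    *)    echo "dependency-review scorecard" ;;
  esac
}

# render_summary RESULTS_FILE -> one Markdown comment body built from a
# results file whose lines are "check<TAB>status<TAB>detail".
render_summary() {
  printf '## Security summary\n\n| Check | Status | Detail |\n|---|---|---|\n'
  while IFS="$(printf '\t')" read -r check status detail; do
    printf '| %s | %s | %s |\n' "$check" "$status" "$detail"
  done < "$1"
}

# count_failures RESULTS_FILE -> number of checks whose status is "fail";
# a non-zero count is what a workflow would turn into a failed job.
count_failures() {
  awk -F'\t' '$2 == "fail" { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed Node project with constructed check results.
demo_dir=$(mktemp -d)
echo '{ "name": "demo" }' > "$demo_dir/package.json"
project=$(detect_project_type "$demo_dir")
echo "project type: $project; checks: $(checks_for "$project")"
printf 'dependency-review\tpass\tno newly vulnerable dependencies\nscorecard\tfail\tscore 4.2 below threshold 6\nnode-compliance\tpass\tlockfile present, registry pinned\n' > "$demo_dir/results.tsv"
render_summary "$demo_dir/results.tsv"
echo "failed checks: $(count_failures "$demo_dir/results.tsv")"
rm -r "$demo_dir"
```

In a real workflow the results file would be assembled from the outputs of the individual checks; keeping the comment body in one function is what lets a single PR comment be updated in place instead of posting one comment per check.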
Reusable workflows consumed by all repos via Rulesets:

- dependency review
- scorecard
- node dependency compliance
- build-files review

These live centrally and are not duplicated in individual repositories.
The Build-Files Review workflow:

- Triggers only when CI/CD or build-infrastructure files change.
- Adds a separate PR note explaining the risk and what reviewers should check.
- Enforcement (approval requirements, protected paths) is managed by Rulesets.
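Added example, not the framework's own code: a shell classifier for the changed-file list a build-files review step receives (for instance from `git diff --name-only` between the base and head of the PR). It prints only the CI/CD and build-infrastructure paths and renders the reviewer note solely when such files changed, which is what keeps the note out of ordinary PRs. The protected-path patterns and the reviewer checklist are assumptions, not the repository's actual list.

```shell
#!/usr/bin/env sh
# Added example, not the framework's own code. The path patterns below and
# the reviewer checklist are assumptions chosen for this illustration.

# is_build_file PATH -> exit 0 if PATH is a CI/CD or build-infrastructure file.
is_build_file() {
  case "$1" in
    .github/workflows/*|.github/actions/*|.github/CODEOWNERS|CODEOWNERS) return 0 ;;
    Dockerfile|*/Dockerfile|*.dockerfile|docker-compose.yml|docker-compose.yaml) return 0 ;;
    Makefile|*/Makefile|*.mk|Jenkinsfile|.gitlab-ci.yml) return 0 ;;
    scripts/build*|build.sh|build.gradle|*.csproj) return 0 ;;
  esac
  return 1
}

# build_files_changed LISTFILE -> prints the changed paths (one per line in
# LISTFILE) that are build or infrastructure files.
build_files_changed() {
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if is_build_file "$p"; then
      printf '%s\n' "$p"
    fi
  done < "$1"
}

# render_build_note LISTFILE -> Markdown note for reviewers; prints nothing
# when no build file changed, so no PR comment is posted in that case.
render_build_note() {
  changed=$(build_files_changed "$1")
  [ -n "$changed" ] || return 0
  printf '## Build-files review\n\nThis PR changes CI/CD or build-infrastructure files:\n\n'
  printf '%s\n' "$changed" | sed 's/^/- `/; s/$/`/'
  printf '\nReviewers: check that third-party actions stay pinned to a commit SHA, that no workflow permissions or secrets were widened, and that build steps still pull from trusted sources.\n'
}

# Demo on a constructed changed-file list (in a workflow this would come
# from: git diff --name-only "$BASE_SHA...$HEAD_SHA").
demo_list=$(mktemp)
printf 'src/app.js\n.github/workflows/ci.yml\nREADME.md\nDockerfile\n' > "$demo_list"
render_build_note "$demo_list"
rm "$demo_list"
```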
Rulesets apply governance consistently across the organization. They enforce:

- required PR reviews
- CODEOWNERS approval for protected build paths
- required workflows (security summary, build-files review)
- protection of CI/CD and infrastructure files

Rulesets ensure that no security checks or critical file changes can be bypassed.
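To show what the enforcement side looks like, here is an added example (not this repository's ruleset) of an organization ruleset body that requires a code-owner-approved PR review and makes two centrally hosted workflows required on every repository's default branch, created through the GitHub CLI. The organization name, the numeric id of the repository hosting the workflows, the workflow paths and the ruleset name are placeholders to replace.

```shell
#!/usr/bin/env sh
# Added example, not this repository's own ruleset. ORG, WORKFLOW_REPO_ID,
# the workflow paths and the ruleset name are placeholders.

ORG="${ORG:-example-org}"                       # placeholder organization
WORKFLOW_REPO_ID="${WORKFLOW_REPO_ID:-123456}"  # placeholder: id of the repo holding the workflows

# ruleset_json -> JSON body for POST /orgs/{org}/rulesets.
# ~DEFAULT_BRANCH and ~ALL are GitHub's own wildcards for "every default
# branch" and "every repository"; bypass_actors is empty so nobody can skip it.
ruleset_json() {
  cat <<EOF
{
  "name": "org-security-governance",
  "target": "branch",
  "enforcement": "active",
  "bypass_actors": [],
  "conditions": {
    "ref_name": { "include": ["~DEFAULT_BRANCH"], "exclude": [] },
    "repository_name": { "include": ["~ALL"], "exclude": [], "protected": false }
  },
  "rules": [
    { "type": "deletion" },
    { "type": "non_fast_forward" },
    {
      "type": "pull_request",
      "parameters": {
        "required_approving_review_count": 1,
        "require_code_owner_review": true,
        "dismiss_stale_reviews_on_push": true,
        "require_last_push_approval": true,
        "required_review_thread_resolution": true
      }
    },
    {
      "type": "workflows",
      "parameters": {
        "workflows": [
          { "repository_id": $WORKFLOW_REPO_ID, "path": ".github/workflows/security-summary.yml", "ref": "refs/heads/main" },
          { "repository_id": $WORKFLOW_REPO_ID, "path": ".github/workflows/build-files-review.yml", "ref": "refs/heads/main" }
        ]
      }
    }
  ]
}
EOF
}

# create_ruleset -> applies the body with the GitHub CLI (needs an org admin token).
create_ruleset() {
  ruleset_json | gh api --method POST "/orgs/$ORG/rulesets" --input -
}

# Dry run: print the body for review; call create_ruleset to apply it.
ruleset_json
```

The `workflows` rule is what makes the two central workflows run and pass on every PR without any file in the consuming repository; `require_code_owner_review` is what turns each repository's CODEOWNERS entries for protected build paths into a blocking approval requirement.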
1. Developer opens a PR.
2. Organization Ruleset triggers required workflows and enforces review rules.
3. Security Summary workflow runs all relevant checks.
4. Build-Files Review workflow runs if infrastructure files changed.
5. Ruleset verifies reviews and required workflow results.
6. PR becomes mergeable.

No workflow files or configuration are needed in consuming repositories.
This gives every repository:

- zero setup
- one clear security summary
- minimal PR noise
- centralized enforcement
- consistent evaluation
- artifact-based deep inspection
- unified supply-chain posture
- protected CI/CD pipelines
- scalable and maintainable governance model
The entire framework operates through:

- organization Rulesets
- organization required workflows

No repository-level workflows, scripts, or onboarding steps are required.
This framework standardizes security checks, protects CI/CD infrastructure, and reduces workflow noise while maintaining strict governance. It scales across all teams and aligns with modern DevSecOps practices.