Goal
Add automated security scanning focused on the core libraries rather than only the sample applications.
Scope
Picea.Abies
Picea.Abies.Server
Picea.Abies.Server.Kestrel
Picea.Abies.Browser
Proposed work
- Add CodeQL analysis for C# and JavaScript on PRs and main.
- Add gitleaks secret scanning.
- Add dependency and filesystem vulnerability scanning with Trivy or equivalent.
- Add package vulnerability checks for .NET dependencies.
- Define fail gates for high/critical findings.
Why
The main security goal is ensuring the framework itself does not ship obvious vulnerabilities or insecure defaults to consumers.
Acceptance criteria
- PR workflow runs static security checks for the core library projects.
- Main/nightly workflow runs a deeper scan.
- Findings are surfaced in GitHub Security or CI logs.
- Documented severity thresholds determine when the pipeline fails.
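As an added example, not a workflow from the Picea.Abies repository, the following GitHub Actions workflow wires together the items under "Proposed work" and the gates under "Acceptance criteria": CodeQL for C# and JavaScript scoped to the core library projects, gitleaks, Trivy with a High/Critical exit gate, and a `dotnet list package --vulnerable` check. The `src/Picea.Abies*` paths, the .NET SDK version, the pinned action versions and the nightly cron are assumptions and should be adjusted to the real repository layout.

```yaml
# Added example workflow (not the project's own): .github/workflows/security-scan.yml
name: security-scan

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 3 * * *'        # assumed nightly run for the deeper scan

permissions:
  contents: read
  security-events: write       # required to upload SARIF to GitHub Security

jobs:
  codeql:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [csharp, javascript]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x      # assumed SDK version
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended
          # Restrict analysis to the core libraries; sample apps are excluded.
          # Paths are assumptions about the repository layout.
          config: |
            paths:
              - src/Picea.Abies
              - src/Picea.Abies.Server
              - src/Picea.Abies.Server.Kestrel
              - src/Picea.Abies.Browser
            paths-ignore:
              - samples
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # full history so every commit is scanned
      - uses: gitleaks/gitleaks-action@v2   # fails the job when a secret is found
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,misconfig
          severity: CRITICAL,HIGH    # fail gate: only these severities set exit-code
          ignore-unfixed: true
          exit-code: '1'
          format: sarif
          output: trivy.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()                 # surface findings even when the gate fails
        with:
          sarif_file: trivy.sarif

  dotnet-packages:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x      # assumed SDK version
      - run: dotnet restore
      - name: Fail on High/Critical NuGet advisories
        run: |
          dotnet list package --vulnerable --include-transitive | tee vuln.txt
          # The NuGet report lists a Severity column (Low/Moderate/High/Critical);
          # gate on the two highest levels, matching the documented threshold.
          if grep -Eq '[[:space:]](High|Critical)[[:space:]]' vuln.txt; then
            echo "::error::High or Critical vulnerable NuGet packages found"
            exit 1
          fi
```

CodeQL itself does not fail the job on findings; the gate for it is a branch protection rule or repository ruleset that requires the "Code scanning results" check to pass, with the alert severity threshold set in the repository's code scanning settings. The Trivy, gitleaks and NuGet jobs fail the workflow directly, which is what makes the severity thresholds in the acceptance criteria enforceable on PRs.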