{"id":49348948,"url":"https://github.com/nischal94/repo-template","last_synced_at":"2026-04-27T09:03:31.469Z","repository":{"id":352393959,"uuid":"1214981721","full_name":"nischal94/repo-template","owner":"nischal94","description":"Template for new repos: Tier A security workflows (gitleaks, PR-title lint, dependabot, harden-runner) + community files. Click 'Use this template' to start a new repo with these defaults.","archived":false,"fork":false,"pushed_at":"2026-04-19T11:55:08.000Z","size":8,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-19T12:22:13.621Z","etag":null,"topics":["ci","security","template"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nischal94.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-19T10:14:09.000Z","updated_at":"2026-04-19T10:16:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nischal94/repo-template","commit_stats":null,"previous_names":["nischal94/repo-template"],"tags_count":null,"template":true,"template_full_name":null,"purl":"pkg:github/nischal94/repo-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nischal94%2Frepo-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nischal94%2Frepo-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nischal94%2Frepo-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nischal94%2Frepo-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nischal94","download_url":"https://codeload.github.com/nischal94/repo-template/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nischal94%2Frepo-template/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32329467,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","security","template"],"created_at":"2026-04-27T09:03:30.362Z","updated_at":"2026-04-27T09:03:31.455Z","avatar_url":"https://github.com/nischal94.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# repo-template\n\nPersonal template for new repositories. Click **Use this template** → **Create a new repository** to start a project with these defaults baked in.\n\nFor the master operational reference (post-creation checklist, promotion paths, runbooks, conditional Tier 5 items), see **[`docs/SECURITY-OPERATIONS.md`](docs/SECURITY-OPERATIONS.md)**.\n\n---\n\n## What's included\n\n### Workflows (`.github/workflows/`)\n\n| Workflow | Trigger | Purpose | Mode |\n|---|---|---|---|\n| `gitleaks.yml` | every PR + push to main | PR-time secret scan; catches custom patterns GitHub-native scanning misses | blocking |\n| `pr-title.yml` | every PR | Enforces Conventional Commits; prerequisite for clean changelogs / release-please | blocking |\n| `actionlint.yml` | when `.github/workflows/` changes | Workflow YAML correctness — typos, bad expressions, shell-injection patterns | advisory on first run, promote to blocking after baseline cleanup |\n| `dependency-review.yml` | when manifests change | Pre-merge gate on vulnerable / restrictive-license deps | blocking on `high` severity |\n| `osv-scanner.yml` | when manifests change + weekly | Cross-ecosystem vuln scan against OSV database; complements Dependabot | blocking |\n| `scorecard.yml` | weekly + push to main | OpenSSF Scorecard supply-chain audit (18+ checks); SARIF + public badge | informational |\n| `claude.yml` | `@claude` mention in PRs/issues | AI code review on demand; requires `ANTHROPIC_API_KEY` secret | on-demand |\n\nAll workflows ship with **`step-security/harden-runner`** in audit mode for egress logging.\n\n### Community files\n\n- `SECURITY.md` — vulnerability disclosure policy (points to GitHub Private Vulnerability Reporting).\n- `CONTRIBUTING.md` — branch naming, PR expectations, security-reporting pointer.\n- `.github/CODEOWNERS` — auto-routes review requests.\n- `.github/PULL_REQUEST_TEMPLATE.md` — keeps PR descriptions consistent.\n- `.github/ISSUE_TEMPLATE/` — bug + feature templates.\n- `.github/dependabot.yml` — `github-actions` ecosystem enabled with grouping; pip/npm/docker blocks pre-configured (commented) with grouping built in.\n- `.editorconfig` — cross-editor indentation/EOL consistency.\n- `LICENSE` — MIT.\n\n---\n\n## Post-creation checklist (TL;DR)\n\nThe full version with rationale lives in [`docs/SECURITY-OPERATIONS.md §2`](docs/SECURITY-OPERATIONS.md#2-post-creation-checklist-per-repo). The condensed version:\n\n1. **Settings → Code security**: enable private vulnerability reporting, Dependabot alerts + security updates, secret scanning, push protection, CodeQL default setup.\n2. **Settings → Branches**: add protection on `main` requiring `gitleaks` + `Validate PR title` + project CI checks, 1 approval, conversation resolution, no force-push.\n3. **Settings → Tags**: add rule for pattern `v*` (prevents release-tag tampering).\n4. **Settings → Actions**: require approval for first-time contributors.\n5. Edit `.github/dependabot.yml` to uncomment the `pip` / `npm` / `docker` ecosystem block matching your stack (grouping is pre-configured).\n6. (If using Claude review) `gh secret set ANTHROPIC_API_KEY -R \u003cowner\u003e/\u003crepo\u003e`.\n7. (Optional) Add Scorecard badge to README after first weekly run completes.\n\n---\n\n## Tiered hardening additions\n\n| Tier | Items | When to add |\n|---|---|---|\n| **Tier A** (this template) | gitleaks, pr-title, actionlint, dep-review, OSV-Scanner, Scorecard, harden-runner audit, Dependabot grouping | Default for every new repo |\n| **Tier B** | bandit (Python SAST), pip-audit, trivy (image+fs), eslint-plugin-security, npm audit, Codecov, image-CVE Trivy | Repos with real users or shipped artifacts |\n| **Tier C** | cosign signing, SBOM, SLSA provenance, release-please | Repos publishing consumed artifacts (npm/pypi/docker hub/etc) |\n| **Tier D — Hardening polish** | SHA-pin via pinact, harden-runner block-mode allow-list, required signed commits, zizmor one-time audit | Add as the repo matures or after a security incident |\n\nFull descriptions and configuration examples in [`docs/SECURITY-OPERATIONS.md §7-§8`](docs/SECURITY-OPERATIONS.md#7-tier-4-hardening-additions).\n\n---\n\n## AI code review\n\nTwo complementary options:\n\n- **`claude.yml`** (in this template) — Claude Code Action, triggered by `@claude` mentions. Per-repo workflow, needs `ANTHROPIC_API_KEY`.\n- **CodeRabbit / Greptile** (GitHub Apps, install once at account level) — auto-comments on every PR, no per-repo config. Install via:\n  - `https://github.com/apps/coderabbitai`\n  - `https://github.com/apps/greptileai`\n\nThe two layers are complementary: Claude responds to specific asks; CodeRabbit/Greptile provide passive review on every PR.\n\n---\n\n## Notes\n\n- Third-party actions are pinned to **major version tags** (`@v6`) for readability. Dependabot keeps tags current. For SHA-pinning, see Tier D in `docs/SECURITY-OPERATIONS.md`.\n- The Dependabot config uses **grouping** (`groups:`) to collapse update bursts — instead of N separate weekly PRs, you get 1-3 grouped weekly PRs per ecosystem.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnischal94%2Frepo-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnischal94%2Frepo-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnischal94%2Frepo-template/lists"}