https://github.com/030/nononsec

No-nonsense security (NoNonSec). Ignored today, exploited tomorrow.
package-inventory sbom security-reporting software-composition-analysis vulnerability-management

# NoNonSec — No-nonsense Security

## Overview

**NoNonSec** delivers the hard truth:
**No-nonsense Security** — no shortcuts, no excuses, no endless discussions.

Only run software you can fully trust.
Trust is earned; it must never be assumed.

No endless debates about vague excuses such as “it only runs internally.”
Security applies everywhere, no exceptions.

## Shift-Left Security Is Essential

NoNonSec champions **shift-left security**, integrating checks early in the
development lifecycle:

- Understand every component in your dependencies before you execute them.
- Require full transparency and verification prior to deployment.
- Identify and resolve security issues when they’re cheapest and easiest to fix.

Shifting left reduces risk and strengthens your security posture.

## Earning Trust

Trust comes only through rigorous verification:

- **Software Bill of Materials (SBOM)**
  A comprehensive inventory of every component and version in the package.

- **Security Scanning**
  Automated or manual vulnerability assessments to uncover known flaws.

No SBOM or scan? No trust. No trust? No run.

## Core Principle: No SBOM + No Scan = No Run

If a package lacks both an SBOM and a vulnerability scan, **do not run it**.
Executing unverified software is an unacceptable security risk.

## Shift-Right Security Complements Shift-Left

Shift-left is vital — but it’s only half the battle. Shift-right ensures
ongoing protection:

- Continuous monitoring of live systems.
- Rapid incident detection and response.
- Regular patching and mitigation workflows.

Security never stops — it’s a continuous, full-lifecycle commitment.

## Usage

For detailed instructions on applying NoNonSec principles, see the
[Usage Guide](docs/usage.md).

## Summary

NoNonSec’s mandate is straightforward:

1. No-nonsense security from day one — don’t wait for breaches.
2. Require SBOMs and vulnerability scans before running any software.
3. Embed shift-left practices early; maintain shift-right vigilance later.
4. Protect your environments with transparency, verification, and continuous
   checks.
5. No excuses, no vague reasons — security applies everywhere.

---

**NoNonSec — Because security is not optional, and endless excuses will not keep anyone safe.**