https://github.com/nischal94/repo-template
Template for new repos: Tier A security workflows (gitleaks, PR-title lint, dependabot, harden-runner) + community files. Click 'Use this template' to start a new repo with these defaults.
https://github.com/nischal94/repo-template
ci security template
Last synced: 3 months ago
JSON representation
Template for new repos: Tier A security workflows (gitleaks, PR-title lint, dependabot, harden-runner) + community files. Click 'Use this template' to start a new repo with these defaults.
- Host: GitHub
- URL: https://github.com/nischal94/repo-template
- Owner: nischal94
- License: mit
- Created: 2026-04-19T10:14:09.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-19T11:55:08.000Z (3 months ago)
- Last Synced: 2026-04-19T12:22:13.621Z (3 months ago)
- Topics: ci, security, template
- Size: 7.81 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
# repo-template
Personal template for new repositories. Click **Use this template** → **Create a new repository** to start a project with these defaults baked in.
For the master operational reference (post-creation checklist, promotion paths, runbooks, conditional Tier 5 items), see **[`docs/SECURITY-OPERATIONS.md`](docs/SECURITY-OPERATIONS.md)**.
---
## What's included
### Workflows (`.github/workflows/`)
| Workflow | Trigger | Purpose | Mode |
|---|---|---|---|
| `gitleaks.yml` | every PR + push to main | PR-time secret scan; catches custom patterns GitHub-native scanning misses | blocking |
| `pr-title.yml` | every PR | Enforces Conventional Commits; prerequisite for clean changelogs / release-please | blocking |
| `actionlint.yml` | when `.github/workflows/` changes | Workflow YAML correctness — typos, bad expressions, shell-injection patterns | advisory on first run, promote to blocking after baseline cleanup |
| `dependency-review.yml` | when manifests change | Pre-merge gate on vulnerable / restrictive-license deps | blocking on `high` severity |
| `osv-scanner.yml` | when manifests change + weekly | Cross-ecosystem vuln scan against OSV database; complements Dependabot | blocking |
| `scorecard.yml` | weekly + push to main | OpenSSF Scorecard supply-chain audit (18+ checks); SARIF + public badge | informational |
| `claude.yml` | `@claude` mention in PRs/issues | AI code review on demand; requires `ANTHROPIC_API_KEY` secret | on-demand |
All workflows ship with **`step-security/harden-runner`** in audit mode for egress logging.
### Community files
- `SECURITY.md` — vulnerability disclosure policy (points to GitHub Private Vulnerability Reporting).
- `CONTRIBUTING.md` — branch naming, PR expectations, security-reporting pointer.
- `.github/CODEOWNERS` — auto-routes review requests.
- `.github/PULL_REQUEST_TEMPLATE.md` — keeps PR descriptions consistent.
- `.github/ISSUE_TEMPLATE/` — bug + feature templates.
- `.github/dependabot.yml` — `github-actions` ecosystem enabled with grouping; pip/npm/docker blocks pre-configured (commented) with grouping built in.
- `.editorconfig` — cross-editor indentation/EOL consistency.
- `LICENSE` — MIT.
---
## Post-creation checklist (TL;DR)
The full version with rationale lives in [`docs/SECURITY-OPERATIONS.md §2`](docs/SECURITY-OPERATIONS.md#2-post-creation-checklist-per-repo). The condensed version:
1. **Settings → Code security**: enable private vulnerability reporting, Dependabot alerts + security updates, secret scanning, push protection, CodeQL default setup.
2. **Settings → Branches**: add protection on `main` requiring `gitleaks` + `Validate PR title` + project CI checks, 1 approval, conversation resolution, no force-push.
3. **Settings → Tags**: add rule for pattern `v*` (prevents release-tag tampering).
4. **Settings → Actions**: require approval for first-time contributors.
5. Edit `.github/dependabot.yml` to uncomment the `pip` / `npm` / `docker` ecosystem block matching your stack (grouping is pre-configured).
6. (If using Claude review) `gh secret set ANTHROPIC_API_KEY -R /`.
7. (Optional) Add Scorecard badge to README after first weekly run completes.
---
## Tiered hardening additions
| Tier | Items | When to add |
|---|---|---|
| **Tier A** (this template) | gitleaks, pr-title, actionlint, dep-review, OSV-Scanner, Scorecard, harden-runner audit, Dependabot grouping | Default for every new repo |
| **Tier B** | bandit (Python SAST), pip-audit, trivy (image+fs), eslint-plugin-security, npm audit, Codecov, image-CVE Trivy | Repos with real users or shipped artifacts |
| **Tier C** | cosign signing, SBOM, SLSA provenance, release-please | Repos publishing consumed artifacts (npm/pypi/docker hub/etc) |
| **Tier D — Hardening polish** | SHA-pin via pinact, harden-runner block-mode allow-list, required signed commits, zizmor one-time audit | Add as the repo matures or after a security incident |
Full descriptions and configuration examples in [`docs/SECURITY-OPERATIONS.md §7-§8`](docs/SECURITY-OPERATIONS.md#7-tier-4-hardening-additions).
---
## AI code review
Two complementary options:
- **`claude.yml`** (in this template) — Claude Code Action, triggered by `@claude` mentions. Per-repo workflow, needs `ANTHROPIC_API_KEY`.
- **CodeRabbit / Greptile** (GitHub Apps, install once at account level) — auto-comments on every PR, no per-repo config. Install via:
- `https://github.com/apps/coderabbitai`
- `https://github.com/apps/greptileai`
The two layers are complementary: Claude responds to specific asks; CodeRabbit/Greptile provide passive review on every PR.
---
## Notes
- Third-party actions are pinned to **major version tags** (`@v6`) for readability. Dependabot keeps tags current. For SHA-pinning, see Tier D in `docs/SECURITY-OPERATIONS.md`.
- The Dependabot config uses **grouping** (`groups:`) to collapse update bursts — instead of N separate weekly PRs, you get 1-3 grouped weekly PRs per ecosystem.