Supply Chain
Dependency and lockfile scanning on every pull request
Dependabotnpm auditGitHub Security Alerts
- Cadence
- Per commit + weekly review
- Evidence
- No critical dependency advisories in active branch
DevSecOps
Security Controls And Evidence
Security posture is treated as delivery infrastructure: automated checks, policy guardrails, and verifiable evidence in each release cycle.
Control Layer
Control Baseline
Controls are mapped to tooling, cadence, and implementation status.
Implemented
Secrets
Secret scanning and environment segregation by stage
GitHub Secret Scanning.env templatesScoped tokens
- Cadence
- Continuous + rotation every 90 days
- Evidence
- No plaintext secrets in repository history
Identity and Access
Least privilege for CI tokens and deployment credentials
OIDCRole-based accessProtected environments
- Cadence
- Quarterly access review
- Evidence
- Deployment rights limited to release maintainers
Runtime Hardening
Security headers and input validation guardrails
Next.js headersZod schemasHTTP-only cookies
- Cadence
- Per release
- Evidence
- Security baseline checks included in release checklist