Security

Security Dashboard

A single status surface for the StreetJS security posture. Live badges below reflect the latest CI / scanner state; the table links each control to its canonical evidence.

This page is a status surface, not a policy document. The authoritative public security page is the Trust Center; scoring methodology lives in audits/SCORING-METHODOLOGY.md and the OpenSSF review in audits/OPENSSF-REVIEW.md.


Live badges

CI CodeQL OpenSSF Scorecard npm provenance

The badges above are rendered live by their providers — they always show the current state, not a snapshot baked into this page.


Control posture

Each row links to the workflow that enforces the control and the canonical document that describes it. “Live status” items can only be confirmed from the GitHub Security tab or the provider badge above — they are marked UNVERIFIED here because a static page cannot assert a runtime value without fabricating it.

Control Enforced by Evidence / canonical doc Live status
Static analysis (SAST) codeql.yml Code scanning alerts Badge above
Secret scanning + push protection GitHub setting + secret-scan.yml, .gitleaks.toml Secret scanning alerts · SECRET-SCANNING-GUIDE.md UNVERIFIED (operator setting)
Private-key block (pre-merge) block-private-keys.yml, secrets-guard in ci-cd.yml KEY-ROTATION-RUNBOOK.md CI-enforced
Plugin signature + anchor verification verify-signatures.yml (npm run verify:signatures) + verify-signing-anchor PLUGIN-SECURITY-STANDARD.md 21/21 manifests verify
Supply-chain provenance (npm) publish gate in ci-cd.yml (--provenance + attestation check) SLSA-ASSESSMENT.md Per-release
Signed GitHub releases (cosign keyless) release job in ci-cd.yml NPM-PUBLISH-SECURITY-REVIEW.md Per-release
Dependency review / Dependabot dependency-review.yml, dependabot.yml Dependabot alerts UNVERIFIED (live count)
OpenSSF Scorecard scorecard.yml audits/OPENSSF-REVIEW.md Badge above (live score)
DAST dast.yml docs/dast.md Scheduled
Branch protection / required reviews repository-settings.json (settings-as-code) BRANCH-PROTECTION-REVIEW.md UNVERIFIED (operator setting)

Reporting a vulnerability

See SECURITY.md for the coordinated-disclosure process and contact. Do not open a public issue for a suspected vulnerability.


How to read this dashboard

  • Badge above — the provider renders the current state in real time.
  • CI-enforced / Per-release / Scheduled — the control runs automatically in the linked workflow; consult the run history for the latest result.
  • UNVERIFIED (operator setting / live count) — the value depends on a GitHub platform setting or a live alert count that a static page must not assert. Follow the linked Security-tab URL for the authoritative current value.