Security Dashboard
A single status surface for the StreetJS security posture. Live badges below reflect the latest CI / scanner state; the table links each control to its canonical evidence.
This page is a status surface, not a policy document. The authoritative public security page is the Trust Center; scoring methodology lives in audits/SCORING-METHODOLOGY.md and the OpenSSF review in audits/OPENSSF-REVIEW.md.
Live badges
The badges above are rendered live by their providers — they always show the current state, not a snapshot baked into this page.
Control posture
Each row links to the workflow that enforces the control and the canonical document that describes it. “Live status” items can only be confirmed from the GitHub Security tab or the provider badge above — they are marked UNVERIFIED here because a static page cannot assert a runtime value without fabricating it.
| Control | Enforced by | Evidence / canonical doc | Live status |
|---|---|---|---|
| Static analysis (SAST) | codeql.yml |
Code scanning alerts | Badge above |
| Secret scanning + push protection | GitHub setting + secret-scan.yml, .gitleaks.toml |
Secret scanning alerts · SECRET-SCANNING-GUIDE.md | UNVERIFIED (operator setting) |
| Private-key block (pre-merge) | block-private-keys.yml, secrets-guard in ci-cd.yml |
KEY-ROTATION-RUNBOOK.md | CI-enforced |
| Plugin signature + anchor verification | verify-signatures.yml (npm run verify:signatures) + verify-signing-anchor |
PLUGIN-SECURITY-STANDARD.md | 21/21 manifests verify |
| Supply-chain provenance (npm) | publish gate in ci-cd.yml (--provenance + attestation check) |
SLSA-ASSESSMENT.md | Per-release |
| Signed GitHub releases (cosign keyless) | release job in ci-cd.yml |
NPM-PUBLISH-SECURITY-REVIEW.md | Per-release |
| Dependency review / Dependabot | dependency-review.yml, dependabot.yml |
Dependabot alerts | UNVERIFIED (live count) |
| OpenSSF Scorecard | scorecard.yml |
audits/OPENSSF-REVIEW.md | Badge above (live score) |
| DAST | dast.yml |
docs/dast.md | Scheduled |
| Branch protection / required reviews | repository-settings.json (settings-as-code) |
BRANCH-PROTECTION-REVIEW.md | UNVERIFIED (operator setting) |
Reporting a vulnerability
See SECURITY.md
for the coordinated-disclosure process and contact. Do not open a public
issue for a suspected vulnerability.
How to read this dashboard
- Badge above — the provider renders the current state in real time.
- CI-enforced / Per-release / Scheduled — the control runs automatically in the linked workflow; consult the run history for the latest result.
- UNVERIFIED (operator setting / live count) — the value depends on a GitHub platform setting or a live alert count that a static page must not assert. Follow the linked Security-tab URL for the authoritative current value.