Closed: 5 of 5 sub-issues completed
Overview
This tracking issue covers critical security improvements identified in the repository quality improvement report for security (Discussion #5535).
Source: Discussion #5535 - Repository Quality Improvement Report - Security
Security Status
The gh-aw repository has a strong security foundation (99.9% actions pinned, 557 validation patterns, 30 security test files), but has opportunities to enhance supply chain security monitoring, automated scanning, and DoS prevention.
Planned Tasks
This work is broken into 5 focused sub-issues:
- Pin remaining unpinned GitHub Actions - Eliminate the last 2 unpinned actions (High Priority)
- Add SBOM generation to CI/CD pipeline - Enable dependency visibility and vulnerability tracking (High Priority)
- Integrate security linters in CI/CD - Add gosec, govulncheck, and trivy for continuous scanning (High Priority)
- Enhance rate limiting infrastructure - Expand from 5 to 20+ rate limiting patterns (Medium Priority)
- Create security regression test suite - Add fuzzing and end-to-end security tests (Medium Priority)
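The first task and the "100% pinned" metric hinge on what "pinned" means: a `uses:` reference is only immutable when its `@ref` is a full 40-hex commit SHA, not a tag such as `v4` or a branch such as `master`, both of which can be moved by the action's maintainer or an attacker who compromises the upstream repository. The following Go program is an added example, not part of the gh-aw repository or its tooling; it scans workflow text for remote `uses:` references and reports those not pinned to a commit SHA. The sample workflow, the placeholder SHA, and the function names `ScanWorkflow` and `Unpinned` are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ActionRef is one remote "uses:" reference found in a workflow file.
type ActionRef struct {
	Line   int    // 1-based line number in the workflow text
	Action string // owner/repo[/path], e.g. "actions/checkout"
	Ref    string // the part after "@": a tag, branch, or commit SHA
	Pinned bool   // true only when Ref is a full 40-hex commit SHA
}

var (
	// Matches "uses: owner/repo@ref" as a step entry or a job-level reusable
	// workflow reference, with or without quotes, ignoring trailing comments.
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"'#]+)`)
	// A full commit SHA is exactly 40 lowercase hex characters.
	shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// ScanWorkflow returns every remote "uses:" reference in the workflow text and
// whether it is pinned to a commit SHA. Local actions ("./path") have no ref and
// docker:// images are pinned by digest rather than git SHA, so both are skipped.
func ScanWorkflow(workflow string) []ActionRef {
	var refs []ActionRef
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		spec := m[1]
		if strings.HasPrefix(spec, "./") || strings.HasPrefix(spec, "docker://") {
			continue
		}
		action, ref, _ := strings.Cut(spec, "@")
		refs = append(refs, ActionRef{
			Line:   i + 1,
			Action: action,
			Ref:    ref,
			Pinned: shaRe.MatchString(ref),
		})
	}
	return refs
}

// Unpinned filters scan results down to the references that still need pinning.
func Unpinned(refs []ActionRef) []ActionRef {
	var out []ActionRef
	for _, r := range refs {
		if !r.Pinned {
			out = append(out, r)
		}
	}
	return out
}

// sampleWorkflow is a constructed workflow; the SHA on the checkout step is a
// placeholder of the right shape, not a real actions/checkout commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-thing
      - name: Scan
        uses: "aquasecurity/trivy-action@master"
`

func main() {
	for _, r := range Unpinned(ScanWorkflow(sampleWorkflow)) {
		fmt.Printf("line %d: %s@%s is not pinned to a commit SHA\n", r.Line, r.Action, r.Ref)
	}
}
```

Run against the sample it reports the `actions/setup-go@v5` and `aquasecurity/trivy-action@master` steps and accepts the checkout step; a tag comment after the SHA (as on line 7) is fine and is the usual way to keep the pinned reference readable. In CI the same check would walk `.github/workflows/*.yml` and fail the job when `Unpinned` returns anything.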
Success Metrics
- ✅ 100% GitHub Actions pinned (currently 99.9%)
- ✅ SBOM generated on all releases
- ✅ Security linters running on all PRs
- ✅ Rate limiting coverage increased from 5 to 20+ patterns
- ✅ Security regression test suite integrated in CI/CD
Priority
Start with the High Priority tasks (1-3) this week, then proceed with Tasks 4-5.
AI generated by Plan Command for discussion #5535