This repository scaffolds secure-by-design, EU-compliant Azure platform infrastructure. We take the security of both the tooling and the infrastructure patterns it produces seriously.
Please do not open public issues for security vulnerabilities.
Report privately using GitHub Security Advisories:
- Go to the Security tab.
- Click Report a vulnerability and provide:
- A description of the issue and its impact.
- Steps to reproduce or a proof of concept.
- Affected files, modules, or templates.
If you cannot use GitHub advisories, contact the maintainers directly through your internal Team Rockstars AI channel.
We aim to acknowledge reports within 3 business days and to provide a remediation plan or fix timeline within 10 business days.
In scope:
- The Python tooling (
scripts/,agent_config.py). - The Terraform and Bicep modules in
modules/andtemplates/. - The OpenCode agents, skills, and CI workflows.
- Insecure-by-default patterns produced by the scaffold.
Out of scope:
- Vulnerabilities in third-party dependencies already tracked by Dependabot (please let those advisories flow through automatically).
- Issues requiring physical access or a compromised maintainer account.
This repository runs several automated controls on every pull request and on a weekly schedule:
| Control | Tool | Gate | Where results appear |
|---|---|---|---|
| Python static analysis (SAST) | Bandit | Blocks on HIGH severity | Security Scan workflow logs |
| IaC misconfiguration scanning | Checkov | Report-only | Security Scan workflow logs |
| Secret scanning | gitleaks | Blocks on any finding | CI workflow logs |
| Dependency advisories | Dependabot alerts & security updates | Auto PRs | Security → Dependabot |
Note: GitHub-native code scanning (CodeQL, SARIF upload to the Security tab) and secret scanning/push protection require GitHub Advanced Security, which is not available on this private repository under the current plan. The Bandit, Checkov, and gitleaks jobs above provide equivalent coverage in CI. If the repository is made public or GHAS is enabled, CodeQL and SARIF upload can be layered on top.
Never commit secrets, API keys, tokens, passwords, .tfvars, or unencrypted
state. The gitleaks CI job blocks pull requests that introduce secrets. If a
secret is exposed, rotate it immediately and notify the maintainers.