Skip to content

Add security threat model documentation#9

Merged
ChrisJBurns merged 4 commits intomainfrom
docs/threat-model
Jan 15, 2026
Merged

Add security threat model documentation#9
ChrisJBurns merged 4 commits intomainfrom
docs/threat-model

Conversation

@ChrisJBurns
Copy link
Collaborator

@ChrisJBurns ChrisJBurns commented Jan 15, 2026

Summary

Adds a comprehensive security threat model for the Releaseo GitHub Action in SECURITY.md.

Contents

  • Trust boundaries: Diagrams showing where untrusted data enters the system
  • Data flow: How inputs flow through action.yml to the Go binary
  • Asset inventory: Critical assets (tokens, files) with sensitivity ratings
  • Threat actors: Malicious workflow authors, PR authors, compromised dependencies, insiders
  • Threat enumeration: 8 threats analyzed using STRIDE methodology
    • T1: Shell injection via inputs ✅ Mitigated
    • T2: Command injection via helm-docs ✅ Mitigated
    • T3: Path traversal ✅ Mitigated
    • T4: YAML injection ✅ Mitigated
    • T5: Token exposure ⚠️ Partially mitigated
    • T6: DoS via large files ⚠️ Low risk
    • T7: Supply chain attacks ⚠️ Recommendations provided
    • T8: Git branch manipulation ⚠️ Low risk
  • Security controls: Summary of implemented and recommended controls
  • Token permissions: Minimum required GitHub token permissions
  • User checklist: Security best practices for action users

Test plan

  • Document renders correctly in GitHub markdown
  • Review by security team

🤖 Generated with Claude Code

ChrisJBurns and others added 4 commits January 15, 2026 22:39
@ChrisJBurns @claude
Add security threat model documentation
fe98c0b 
Comprehensive threat model covering:
- Trust boundaries and data flow diagrams
- Asset inventory with sensitivity ratings
- Threat actor analysis
- STRIDE-based threat enumeration with mitigations
- Security controls summary (implemented and recommended)
- Minimum token permissions guidance
- Security checklist for users

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@ChrisJBurns @claude
Add practical risk assessment notes to threat model
62ebe89 
Clarifies that input-based threats (T1-T4) require attacker to control
workflow inputs, which means they already need maintainer access for
release-triggered workflows.

- Add practical notes to each input-based threat
- Add new "Practical Risk Assessment" section explaining:
  - Intended usage patterns (maintainer-triggered releases)
  - Threat realism by trigger type
  - Why input-based threats are defense-in-depth for this use case
  - Why we still implement these controls

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@ChrisJBurns @claude
Update threat model to reflect accepted risks for maintainer-only usage
7f0011d 
Since the action is designed to be triggered only by maintainers (not
external users via PRs), input-based threats T1-T3 are accepted risks
rather than mitigated:

- T1 (Shell Injection): Accepted - attacker needs maintainer access
- T2 (Command Injection): Accepted - maintainers control helm-docs args
- T3 (Path Traversal): Accepted - maintainers control file paths

Updated:
- Changed mitigation status from ✅ to ⏸️ for T1-T3
- Added "Accepted Risks" section explaining the rationale
- Updated Security Controls Summary to show implemented vs not implemented
- Added warning that risks should be re-evaluated if usage model changes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@ChrisJBurns
dadds threat model for action
882eb61 
Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
@ChrisJBurns ChrisJBurns merged commit f1ae324 into main Jan 15, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ChrisJBurns