GitHub - CaseyLabs/kc-secure-repo-template: Security-hardened GitHub repository template, designed to prevent supply-chain attacks. Includes vulnerability scanning and AI agent skills.


A security-hardened repository template for new GitHub projects.


Features

This repo template includes the following default options out of the box:

Security

  • Scanning for vulnerabilities, misconfigurations, and leaked secrets (including Git history)
  • Reproducible builds with pinned SHA checksums to help prevent supply-chain attacks [1]

Developer Workflow

  • Nonroot containers for local development and CI
  • GitHub Actions CI workflow templates
  • Automated dependency update checks
  • AI agentic coding templates

Infrastructure

  • Optional Terraform and Kubernetes Helm scaffolding

Example Output

> make example

==> Build summary
Image: kc-secure-template-example:local
Project config: ./config/project.cfg
Source Code: ./src
Results:
  Container build: passed
  App build: passed
  Lint: passed
  Tests: passed
  Run: passed
  Security scan: passed

Requirements

  • Terminal shell (Linux, macOS, or WSL)
  • Docker

Quick Start

In a Terminal, run the following:

git clone --depth 1 https://github.com/CaseyLabs/kc-secure-repo-template
cd kc-secure-repo-template

make example    # Builds/tests/runs an example container

Setup

  • Place your source code into the src/ folder

  • Then customize the following files to fit your project/code base:

    • config/project.cfg
    • Dockerfile
    • scripts/*.sh

Usage

# Main Commands
make build    # builds the project as a container image
make test     # run code linters, tests, and source build in the container image
make run      # runs the container
make stop     # stops the container

# Misc Commands
make clean    # Removes all previously running containers
make shell    # Opens a shell in the running container
make status   # show the local image and running containers
make logs     # show logs from running containers
make scan     # run security and secret scanning
make update   # Updates the pinned SHA checksums in `./config/lockfile.cfg`
make renovate # Runs self-hosted Renovate for this repository
make dist     # build release artifacts to `./dist`
make k8s      # lint/render/package Helm chart in `./config/k8s/chart`
make k8s-test-local # server-side dry-run using a pinned kubectl image and your kubeconfig
make infra    # build/test/plan Terraform config from `./config/infra`

Repository Layout

.
├── AGENTS.md                 # Repo-specific AI agent guidance
├── CLAUDE.md                 # Claude Code shim that imports AGENTS.md
├── Makefile                  # For all `make` commands
├── Dockerfile                # Default nonroot dev/CI container image
├── docs/                     # Project documentation
├── src/                      # Project source code (built into a container)
├── scripts/                  # Scripts used by the Makefile
├── config/
│   ├── project.cfg           # Project configuration
│   ├── lockfile.cfg          # Pinned SHA checksums for project tooling
│   ├── k8s/                  # Optional Kubernetes Helm scaffold
│   └── infra/                # Terraform example for GitHub repo hardening
├── .github/
│   └── workflows/            # GitHub Actions workflows
└── .agents/
    ├── code_review.md        # Repo-specific AI agent `/review` checklist
    └── skills/               # Repo-specific AI agent skills templates
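
How a pinned-checksum lockfile is typically enforced, as an added example (not code from this repository): a fail-closed check of files against SHA-256 pins. The `name=sha256:<hex>` line format and the function names `sha256_of` and `verify_pins` are assumptions for illustration; the actual format of `config/lockfile.cfg` is not shown on this page.

```shell
#!/bin/sh
# Added example: fail-closed verification of files against pinned SHA-256 digests.
# The "name=sha256:<hex>" lockfile format is assumed for illustration; it is not
# the format of this template's config/lockfile.cfg.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pins LOCKFILE DIR
# Returns 0 only if every entry in LOCKFILE matches a file in DIR.
verify_pins() {
  lockfile=$1 dir=$2 failed=0 checked=0
  while IFS='=' read -r name pin || [ -n "$name" ]; do
    case $name in ''|'#'*) continue ;; esac        # skip blanks and comments
    checked=$((checked + 1))
    case $name in */*)                             # no paths outside DIR
      echo "MALFORMED $name" >&2; failed=1; continue ;;
    esac
    want=${pin#sha256:}
    # A pin must be "sha256:" followed by exactly 64 lowercase hex characters.
    if [ "$want" = "$pin" ] || [ ${#want} -ne 64 ] ||
       [ -n "$(printf '%s' "$want" | tr -d '0-9a-f')" ]; then
      echo "MALFORMED $name" >&2; failed=1; continue
    fi
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING   $name" >&2; failed=1; continue
    fi
    got=$(sha256_of "$dir/$name")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH  $name" >&2; failed=1
    fi
  done < "$lockfile"
  # An empty lockfile verifies nothing, so it counts as a failure as well.
  [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}
```

A tag such as `latest` in place of a digest is rejected as malformed rather than skipped, so an unpinned entry cannot pass silently.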

Documentation


Repo Options

Kubernetes (k8s) Support

Usage:

make k8s    # lint/render/package Helm chart in `./config/k8s/chart`

  • Keep Kubernetes-owned static assets in config/k8s/

AI Agents Commands

This project includes agentic commands and skills that can be used by AI CLI tools such as Codex CLI, Claude Code, etc.

Example commands:

# Perform a code review, based on the checklist in `.agents/code_review.md`:
/review

# Perform a security audit of the repo, using `.agents/skills/security-review`:
$security-review

Dependency Updates

This template also uses third-party tools to automate the upgrade of project images/tools/dependencies via Pull Requests:

  • dependabot:

    • .github/dependabot.yml
  • renovate: will update any tools listed in config/project.cfg

    • .github/renovate.json
    • .github/workflows/renovate.yml

    Note: Renovate requires a GitHub App to be installed in order to operate. To create one, run:

    .github/renovate/setup-github-app.sh

    • If you do not wish to use Renovate in your repo, set DEV_SCAN_ENABLE_RENOVATE=false in config/project.cfg.

Security Scanners

This project uses the following open-source tools as part of its security scanning workflows:

  • actionlint: lints GitHub Actions workflow files.
  • gitleaks: scans the repository, including Git history when available, for leaked secrets.
  • grype: scans the generated SBOM for known vulnerabilities during release builds.
  • syft: generates SBOM output for release artifacts.
  • trivy: scans for Dockerfile misconfigurations in the repository.
  • zizmor: scans GitHub Actions workflows for security footguns.