From 4dc9dcb17b386d31f0e6df92ce7bd13d4b386cf9 Mon Sep 17 00:00:00 2001
From: Dennis Konkol
Date: Fri, 5 Sep 2025 23:31:53 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Enhanced=20Security=20without=20?=
 =?UTF-8?q?Code=20Scanning?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

✅ Dependabot Configuration:
- Automated dependency updates (weekly)
- Security vulnerability alerts
- GitHub Actions updates
- Automatic PR creation for updates

✅ Enhanced Trivy Scanning:
- Added secret scanning (credentials detection)
- Added configuration scanning (misconfigurations)
- Comprehensive security coverage

✅ Updated Security Policy:
- Added Dependabot to security features
- Added secret and configuration scanning
- Professional security documentation

�� Alternative to Code Scanning:
- Dependabot for dependency security
- Trivy for comprehensive scanning
- No GitHub Advanced Security needed
---
 .github/dependabot.yml | 39 +++++++++++++++++++++++++++++++++++++
 .github/workflows/ci-cd.yml | 1 +
 SECURITY.md | 3 +++
 3 files changed, 43 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b073e95
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,39 @@
+version: 2
+updates:
+ # Enable version updates for npm
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "09:00"
+ open-pull-requests-limit: 10
+ reviewers:
+ - "denshooter"
+ assignees:
+ - "denshooter"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "security"
+
+ # Enable version updates for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "09:00"
+ open-pull-requests-limit: 5
+ reviewers:
+ - "denshooter"
+ assignees:
+ - "denshooter"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ labels:
+ - "github-actions"
+ - "security"
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index ae1618a..b4b61bf 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -69,6 +69,7 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 skip-version-check: true
+ scanners: 'vuln,secret,config'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
diff --git a/SECURITY.md b/SECURITY.md
index 0b3bf57..a841aa6 100644
--- a/SECURITY.md
+++ b/SECURITY.md
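Review bot: Both `labels` lists in this new file attach `security` to every routine version-update PR, which dilutes that label once a genuinely advisory-driven update arrives; this file only schedules version updates, and the Dependabot alerts the commit message promises are a repository security setting rather than anything configured here. Consider dropping `- "security"` from both entries and, to keep `open-pull-requests-limit: 10` from becoming weekly noise, batching minor and patch bumps with a `groups` block. `time: "09:00"` is read in UTC unless a `timezone` is set beside it in `schedule`.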
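Review bot: With `secret` added to `scanners`, any matched credential now flows into the same SARIF file uploaded to the GitHub Security tab as the vulnerability findings; Trivy masks the matched value in its output, but verify the SARIF message text once in the Security tab before relying on that, and treat any hit as a rotate-the-credential event rather than a delete-the-file one. The `with:` block this line belongs to starts outside the hunk, so its `scan-type`, `severity` and `exit-code` settings (if present) cannot be checked here; confirm that the new config and secret findings fall under the same severity filter and that a secret hit fails the job instead of only being reported. A filesystem scan inspects the checked-out tree only, so a credential committed earlier and later removed would not be surfaced by this step.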
@@ -14,11 +14,14 @@ This portfolio project follows semantic versioning and maintains security update
 This portfolio includes the following security measures:
 - **Dependency Scanning**: Automated vulnerability scanning with Trivy
+- **Dependabot**: Automated dependency updates and security alerts
 - **Code Quality**: ESLint and TypeScript for secure code practices
 - **Authentication**: Basic Auth protection for admin routes
 - **Environment Security**: Sensitive data stored in environment variables
 - **HTTPS Only**: All production traffic encrypted
 - **Input Validation**: All user inputs are validated and sanitized
+- **Secret Scanning**: Trivy scans for exposed secrets and credentials
+- **Configuration Scanning**: Security misconfigurations detection
 ## Reporting a Vulnerability