README.md

July 3, 2026 · View on GitHub

Overview

This directory contains security documentation for HVE Core, demonstrating defense-in-depth security practices.

Documents

DocumentDescription
Security ModelComprehensive security model and security assurance case
Branch ProtectionMain branch protection requirements and repository controls
Dependency PinningPinning strategies and CI enforcement for all dependency types
SBOM VerificationSBOM attestation verification and consumption guide
VEX VerificationDownload, verify, and interpret the published OpenVEX document
FuzzingOSSF Scorecard fuzz harness convention and compliance
Dangerous Workflow DetectionHybrid CI control: a homegrown template-injection gate plus the Poutine supply-chain scanner for GitHub Actions workflows
SECURITY.mdVulnerability disclosure and reporting process

Skill Security Models

Skills that ship executable runtimes (network egress, credential handling, subprocess execution, or untrusted document/content parsing) carry a per-skill STRIDE threat model in a SECURITY.md alongside their SKILL.md. Skills that are pure markdown knowledge packs, or whose scripts only perform local validation with no external surface, do not require one.

SkillRuntime surfaceSecurity model
jiraREST CLI; environment credentialsSECURITY.md
gitlabREST CLI; environment credentials; git-remote subprocessSECURITY.md
mural (experimental)REST CLI; embedded MCP server; OAuth token storeSECURITY.md
tts-voiceover (experimental)Azure Speech egress; key/Entra credentials; SSML + PPTX parsingSECURITY.md
accessibilityArbitrary-URL scan egress; npx @axe-core/cli subprocessSECURITY.md
powerpoint (experimental)Sandboxed content-extra.py execution; LibreOffice/MuPDF parsingSECURITY.md
video-to-gif (experimental)Local CLI (bash + PowerShell); FFmpeg/ffprobe subprocessSECURITY.md
gh-code-scanningGitHub code-scanning read via gh CLI subprocessSECURITY.md
customer-card-render (experimental)Local Python CLI; DT markdown to content.yaml emissionSECURITY.md
vexLocal Python gate; untrusted issue-body + OpenVEX doc parsingSECURITY.md

Security Posture

HVE Core is an enterprise prompt engineering framework that:

  • Contains no runtime services or user data storage
  • Operates as development-time tooling consumed by GitHub Copilot
  • Relies on defense-in-depth with 20+ automated security controls

The security model documents:

  • 36 threats across STRIDE, AI-specific, and Responsible AI categories
  • Security controls mapped to each threat
  • MCP server trust analysis
  • Quantitative security metrics
  • GSN-style assurance argument

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.