04 GitHub Handbook / Repository Security Baseline
04 GitHub Handbook

Repository Security Baseline

The minimum security settings for new Cloudberrie private repositories.

Document: INF-112Type: StandardStatus: ApprovedOwner: Cloudberrie StudioVersion: 4.2.0Updated: 2026-07-17

Current Repository Baseline

GitHub code security and analysis settings
The actual cb-website private repository security options on GitHub Free.
FeatureCloudberrie standardReason
Dependency GraphEnabledIdentifies dependencies and supports vulnerability alerts.
Automatic Dependency SubmissionDisabled initiallyLock files are sufficient for the current project; revisit with advanced build workflows.
Dependabot AlertsEnableNotifies Cloudberrie about known vulnerable dependencies.
Dependabot Security UpdatesEnableCreates security-fix pull requests when patches are available.
Grouped Security UpdatesDisabled initiallyKeep early security changes small and easier to review.
Dependabot Version UpdatesDisabled initiallyGeneral upgrades are reviewed intentionally to reduce breaking changes.
Secret scanning / Code scanningReview when availableVisibility depends on repository type, GitHub plan, and enabled products.

Repository Hardening Checklist

Ruleset Timing

Cloudberrie intentionally defers a strict main ruleset until the first GitHub-to-Cloudflare deployment flow has been validated. After validation, introduce branch protection, pull requests, force-push blocking, and deletion protection.