Compliance

CI Security Policy

Source file: CI_SECURITY_POLICY.md

This policy defines mandatory shift-left security gates for pull requests and merges to main.

Required GitHub Check Runs

  1. lint
  2. typecheck
  3. test:ci
  4. security-policy

Gate Intent

  1. lint: baseline static analysis and style consistency.
  2. typecheck: prevent unsafe API/runtime regressions at compile time.
  3. test:ci: preserve functional and regression coverage.
  4. security-policy: enforce security-specific controls:
    • Clean database migration smoke test (prisma migrate deploy against an empty DB)
    • Migration deployment against the test DB
    • API SAST gate (@taxpoynt/api lint + typecheck)
    • Production dependency audit (pnpm audit --prod)
    • HTTP DAST SQLi probes (test/health.e2e-spec.ts, test/security-dast.e2e-spec.ts)
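The following GitHub Actions workflow is an added illustration of how the security-policy check run above can be wired up; it is not the project's own workflow. It assumes a pnpm workspace, a PostgreSQL database behind Prisma (provided here as a service container), package scripts named lint, typecheck and test:e2e in @taxpoynt/api, and that the two e2e spec files boot the HTTP server in-process. The job name must equal the required check name, otherwise branch protection never sees it.

```yaml
# Added example, not the project's workflow. Assumed: pnpm workspace, Postgres
# behind Prisma, scripts lint/typecheck/test:e2e in @taxpoynt/api, psql on runner.
name: security-policy

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  security-policy:
    name: security-policy            # must match the required check run name exactly
    runs-on: ubuntu-latest
    services:
      postgres:                      # assumed database engine for the Prisma schema
        image: postgres:16
        env:
          POSTGRES_USER: ci
          POSTGRES_PASSWORD: ci      # throwaway credentials for an ephemeral CI container
          POSTGRES_DB: ci_empty
        ports: ["5432:5432"]
        options: >-
          --health-cmd "pg_isready -U ci"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 10
    env:
      PGPASSWORD: ci
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm
      - run: pnpm install --frozen-lockfile

      # Control 1: every migration must apply cleanly to a database with no history.
      - name: Clean migration smoke test (empty DB)
        env:
          DATABASE_URL: postgresql://ci:ci@localhost:5432/ci_empty
        run: pnpm --filter @taxpoynt/api exec prisma migrate deploy

      # Control 2: deploy the same migrations against a separate test database
      # (assumed name ci_test) that the DAST probes will also use.
      - name: Migration deployment (test DB)
        env:
          DATABASE_URL: postgresql://ci:ci@localhost:5432/ci_test
        run: |
          psql -h localhost -U ci -d postgres -c 'CREATE DATABASE ci_test'
          pnpm --filter @taxpoynt/api exec prisma migrate deploy

      # Control 3: SAST gate scoped to the API package (lint + typecheck).
      - name: API SAST gate
        run: |
          pnpm --filter @taxpoynt/api lint
          pnpm --filter @taxpoynt/api typecheck

      # Control 4: audit only production dependencies; a non-zero exit blocks the merge.
      - name: Production dependency audit
        run: pnpm audit --prod

      # Control 5: HTTP DAST probes (SQLi) run against the migrated test database.
      # Assumed: the test:e2e script accepts spec paths and boots the API in-process.
      - name: HTTP DAST SQLi probes
        env:
          DATABASE_URL: postgresql://ci:ci@localhost:5432/ci_test
        run: >-
          pnpm --filter @taxpoynt/api test:e2e --
          test/health.e2e-spec.ts
          test/security-dast.e2e-spec.ts
```

Each control is a separate step so a failure is attributable to one gate in the check run log, and the job declares read-only token permissions because none of the gates needs to write to the repository. If the project publishes `pnpm audit` findings with a severity threshold, add `--audit-level` to that step; the policy as written gates on any reported vulnerability.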

Branch Protection Recommendation

For branch main, enable:

  1. Require status checks to pass before merging.
  2. Require branches to be up to date before merging.
  3. Add the required checks listed above as required status checks.
  4. Do not allow bypass except for designated administrators.

Operating Model

  1. Shift-left in CI: block vulnerable code/dependencies before merge.
  2. Shift-right in operations: continue runtime/nightly validation (synthetics, readiness checks, staged security probing).