Security Automation (Frontend Standard)
This document defines the baseline security automation we expect for frontends.
Status: recommended until consistently wired across projects; promote to required once stable.
Tool baseline (recommended)
- Dependabot: dependency update PRs
- npm audit (or equivalent vulnerability scanning) in CI
- gitleaks: secrets scanning in CI
Policy (non-negotiable)
- Do not disable security checks “to make CI green”.
- If suppressions/exclusions are needed, they must be documented in the project repo with a rationale, the specific finding (advisory, rule or file) being suppressed, an owner, and a timebox: an expiry date after which the suppression stops applying and the check fails again unless renewed.
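The following is an added example, not code from this standard, of how the "npm audit in CI" item above and the suppression policy fit together: a small gate that consumes `npm audit --json` output, fails on high/critical findings, and honours a suppression only when it is documented with a rationale, an owner and an unexpired timebox. It assumes the npm audit report format v2 (npm 7 and later); the exceptions-file shape, package names, titles and advisory URLs in the samples are constructed placeholders, not real advisories.

```javascript
// Added example (not part of this standard): a CI gate over `npm audit --json`
// output that fails on high/critical findings unless a documented, time-boxed
// exception covers them. Assumptions (mine, not the standard's): npm audit
// report format v2 (npm 7+), and an exceptions file shaped like SAMPLE_EXCEPTIONS.
const FAIL_ON = new Set(["high", "critical"]);

// Flatten the v2 report into one finding per (package, advisory). A `via`
// entry is either an advisory object or a string naming another vulnerable
// dependency; only the objects carry an advisory URL we can suppress by.
function collectFindings(report) {
  const findings = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      if (typeof via !== "object" || !via.url) continue;
      findings.push({ pkg, severity: via.severity, advisory: via.url,
                      title: via.title, direct: Boolean(vuln.isDirect) });
    }
  }
  return findings;
}

// Policy check: a suppression counts only if it names the advisory, gives a
// rationale and an owner, and has an expiry date that has not passed yet.
function activeExceptions(exceptions, now) {
  const active = new Map();
  const malformed = [];
  const expired = [];
  for (const e of exceptions) {
    const expires = Date.parse(e.expires);
    if (!e.advisory || !e.reason || !e.owner || Number.isNaN(expires)) {
      malformed.push(e.advisory || "(no advisory)");
    } else if (expires <= now.getTime()) {
      expired.push(e.advisory); // lapsed: the finding blocks again until renewed
    } else {
      active.set(e.advisory, e);
    }
  }
  return { active, malformed, expired };
}

// Verdict for the CI job. Malformed exceptions fail the build too: an
// undocumented suppression is exactly what the policy forbids.
function evaluate(report, exceptions, now = new Date()) {
  const { active, malformed, expired } = activeExceptions(exceptions, now);
  const blocking = [];
  const suppressed = [];
  for (const f of collectFindings(report)) {
    if (!FAIL_ON.has(f.severity)) continue;
    (active.has(f.advisory) ? suppressed : blocking).push(f);
  }
  return { ok: blocking.length === 0 && malformed.length === 0,
           blocking, suppressed, malformed, expired };
}

// Constructed sample report in the npm audit v2 shape; package names, titles
// and advisory URLs are placeholders, not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "sample-markdown-lib": { name: "sample-markdown-lib", severity: "high", isDirect: true,
      via: [{ source: 1, name: "sample-markdown-lib", severity: "high",
              title: "XSS in link rendering (constructed)",
              url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx1" }] },
    "sample-http-lib": { name: "sample-http-lib", severity: "critical", isDirect: false,
      via: [{ source: 2, name: "sample-http-lib", severity: "critical",
              title: "SSRF via redirect handling (constructed)",
              url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx2" }] },
    "sample-app-shell": { name: "sample-app-shell", severity: "critical", isDirect: true,
      via: ["sample-http-lib"] },
    "sample-logger": { name: "sample-logger", severity: "moderate", isDirect: true,
      via: [{ source: 3, name: "sample-logger", severity: "moderate",
              title: "ReDoS in format string (constructed)",
              url: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx3" }] },
  },
};

// Constructed exceptions file: one live suppression and one that has lapsed.
const SAMPLE_EXCEPTIONS = [
  { advisory: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx1", owner: "frontend-team",
    reason: "Markdown is only rendered from trusted CMS content; upgrade tracked in the Dependabot PR",
    expires: "2025-06-30" },
  { advisory: "https://github.com/advisories/GHSA-xxxx-xxxx-xxx2", owner: "frontend-team",
    reason: "We never follow redirects with this client", expires: "2024-12-31" },
];

// CLI: `node audit-gate.js audit.json exceptions.json`; with no arguments it
// runs against the constructed samples above.
function main(argv) {
  const load = (p, fallback) => (p ? JSON.parse(require("node:fs").readFileSync(p, "utf8")) : fallback);
  const verdict = evaluate(load(argv[2], SAMPLE_REPORT), load(argv[3], SAMPLE_EXCEPTIONS));
  for (const f of verdict.blocking) console.log(`BLOCK ${f.severity} ${f.pkg}: ${f.title} ${f.advisory}`);
  for (const f of verdict.suppressed) console.log(`SUPPRESSED ${f.pkg} (documented exception)`);
  for (const a of verdict.expired) console.log(`WARN expired exception for ${a}`);
  for (const a of verdict.malformed) console.log(`ERROR malformed exception for ${a}`);
  return verdict.ok ? 0 : 1;
}
if (typeof require !== "undefined" && require.main === module) process.exitCode = main(process.argv);
```

In a pipeline, capture the report with `npm audit --json > audit.json || true` (npm itself exits non-zero whenever it finds anything, so the gate, not npm, should decide) and then run `node audit-gate.js audit.json .audit-exceptions.json`. Keying suppressions on the advisory URL rather than the package name keeps them narrow: a second advisory against the same package is not silently covered by an old exception.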
Lint rules (recommended)
Projects should enable ESLint rules that reduce common security footguns, including:
- preventing unsafe `dangerouslySetInnerHTML` usage (via custom lint rules or code review gates)
- discouraging reads of `process.env` in client code beyond `NEXT_PUBLIC_*` (Next.js only inlines `NEXT_PUBLIC_*` variables into the browser bundle; any other value belongs server-side only)
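As an added example (not the standard's own code, nor an existing plugin), here are the two lint rules above written in ESLint's standard rule shape (`meta` plus `create(context)`), so they can ship in a local plugin. The rule names, the `allowedSanitizers` option, and the small hand-built-AST harness at the bottom (used so the rules can be exercised without running ESLint) are assumptions of this example.

```javascript
// Added example (not the standard's own code): two custom ESLint rules for the
// footguns listed above, written in ESLint's standard rule shape (meta + create)
// so they can ship in a local plugin. The rule names, the `allowedSanitizers`
// option and the hand-built-AST harness at the bottom are my assumptions.

// Render an `a.b.c` callee/object AST as a dotted name; "" if it is not a plain path.
function dottedName(node) {
  if (node.type === "Identifier") return node.name;
  if (node.type === "MemberExpression" && !node.computed && node.property.type === "Identifier") {
    const base = dottedName(node.object);
    return base ? `${base}.${node.property.name}` : "";
  }
  return "";
}

// Rule 1: dangerouslySetInnerHTML is only allowed as {__html: <allow-listed sanitizer>(...)}.
const noDangerousInnerHtml = {
  meta: {
    type: "problem",
    schema: [{ type: "object", properties: { allowedSanitizers: { type: "array", items: { type: "string" } } } }],
    messages: { unsanitized: "dangerouslySetInnerHTML must wrap a call to an allow-listed sanitizer ({{allowed}})" },
  },
  create(context) {
    const allowed = new Set((context.options[0] || {}).allowedSanitizers || []);
    return {
      JSXAttribute(node) {
        if (node.name.type !== "JSXIdentifier" || node.name.name !== "dangerouslySetInnerHTML") return;
        const expr = node.value && node.value.type === "JSXExpressionContainer" ? node.value.expression : null;
        const htmlProp = expr && expr.type === "ObjectExpression"
          ? expr.properties.find((p) => p.type === "Property" && !p.computed && (p.key.name || p.key.value) === "__html")
          : null; // anything but an inline object literal (a spread, a variable) cannot be checked here
        const call = htmlProp && htmlProp.value.type === "CallExpression" ? htmlProp.value : null;
        if (call && allowed.has(dottedName(call.callee))) return;
        context.report({ node, messageId: "unsanitized", data: { allowed: [...allowed].join(", ") || "none configured" } });
      },
    };
  },
};

// Rule 2: in client code, process.env may only be read with a literal NEXT_PUBLIC_* name.
// Next.js inlines exactly those at build time; anything else is undefined in the
// browser at best, or a leaked server secret if some other bundling step exposes it.
const noServerEnvInClient = {
  meta: {
    type: "problem",
    schema: [],
    messages: {
      secret: "process.env.{{name}} is not NEXT_PUBLIC_* and must not be read in client code",
      dynamic: "dynamic process.env[...] access cannot be checked (and is not inlined); use a literal NEXT_PUBLIC_* name",
    },
  },
  create(context) {
    return {
      MemberExpression(node) {
        if (dottedName(node.object) !== "process.env") return;
        let name = null;
        if (!node.computed && node.property.type === "Identifier") name = node.property.name;
        else if (node.computed && node.property.type === "Literal" && typeof node.property.value === "string") name = node.property.value;
        if (name === null) context.report({ node, messageId: "dynamic" });
        else if (!name.startsWith("NEXT_PUBLIC_")) context.report({ node, messageId: "secret", data: { name } });
      },
    };
  },
};

const rules = { "no-dangerous-inner-html": noDangerousInnerHtml, "no-server-env-in-client": noServerEnvInClient };
if (typeof module !== "undefined") module.exports = { rules }; // plugin entry point for eslint.config.js

// Harness (constructed): run one rule's visitors over hand-built ESTree/JSX nodes
// with a fake context, so the rules can be exercised without a full ESLint run.
function runRule(rule, nodes, options = []) {
  const reported = [];
  const visitors = rule.create({ options, report: (r) => reported.push(r.messageId) });
  for (const n of nodes) if (visitors[n.type]) visitors[n.type](n);
  return reported;
}
// Tiny node builders for the harness.
const id = (name) => ({ type: "Identifier", name });
const member = (object, property, computed = false) => ({ type: "MemberExpression", object, property, computed });
const envRead = (name, computed = false) =>
  member(member(id("process"), id("env")), computed ? { type: "Literal", value: name } : id(name), computed);
const call = (callee) => ({ type: "CallExpression", callee, arguments: [] });
const innerHtmlAttr = (value) => ({
  type: "JSXAttribute",
  name: { type: "JSXIdentifier", name: "dangerouslySetInnerHTML" },
  value: { type: "JSXExpressionContainer", expression: { type: "ObjectExpression",
    properties: [{ type: "Property", computed: false, key: id("__html"), value }] } },
});
```

Register the file as a plugin in `eslint.config.js` (flat config), e.g. `plugins: { local: require("./eslint-local-rules") }` with `"local/no-dangerous-inner-html": ["error", { allowedSanitizers: ["DOMPurify.sanitize"] }]` and `"local/no-server-env-in-client": "error"`, and scope the second rule with a `files` pattern to client code, relaxing it for server-only paths such as route handlers. If a custom plugin is too much, the built-in `no-restricted-syntax` rule with the selector `JSXAttribute[name.name="dangerouslySetInnerHTML"]` gives a blunt but zero-code version of rule 1; there is no equivalent built-in for rule 2, because `no-restricted-properties` cannot distinguish `NEXT_PUBLIC_*` from other `process.env` reads.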