Threat Model
Scope
This threat model covers the engineering-journal-kb repository, its CI/CD pipelines, the deployed site at chrisnewcomb.name, and the Cloudflare infrastructure in front of it.
Attack Surfaces
1. GitHub Repository
Components at risk: source code, workflows, secrets, branch protection, CODEOWNERS.
Threats: unauthorized push, workflow injection, secret exfiltration, branch protection bypass.
Mitigations: branch protection rules, signed commits policy, SHA-pinned actions, workflow injection hardening, CODEOWNERS integrity check, audit log monitoring.
2. CI/CD Pipelines
Components at risk: GitHub Actions workflows, npm/Python dependencies, build artifacts.
Threats: supply chain attack via a compromised action or dependency, secret leakage in CI output, runner resource exhaustion ("fork bomb") via unlimited concurrent runs.
Mitigations: SHA-pinned actions, dependency audit workflow, npm lockfile integrity check, CI output sanitization (MegaLinter report-only mode), concurrency limits on all workflows, malware pattern scanner on PR diffs.
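One way to check two of the mitigations above (SHA-pinned actions and concurrency limits on all workflows) is a small text scan over the workflow files. This is an added example, not code from the repository; the function names, the example-org/example-action reference and its SHA are constructed placeholders, and it assumes "concurrency limit" means a top-level concurrency key.

```python
import re

# Matches "uses: owner/repo@ref" in a step (or a reusable-workflow call in a job).
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(workflow_text):
    """Return 'uses:' references not pinned to a full 40-hex commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not checked here
        version = ref.partition("@")[2]
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(ref)
    return findings

def audit(workflows):
    """Map workflow name -> findings. Only a top-level concurrency key counts."""
    report = {}
    for name, text in workflows.items():
        issues = ["unpinned action: " + ref for ref in unpinned_actions(text)]
        if not re.search(r"^concurrency:", text, re.MULTILINE):
            issues.append("no top-level concurrency limit")
        report[name] = issues
    return report

# Constructed sample workflows (illustrative, not from the repository).
SAMPLE = {
    "pinned.yml": """\
on: [push]
concurrency:
  group: build-${{ github.ref }}
jobs:
  build:
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1
""",
    "loose.yml": """\
on: [pull_request]
jobs:
  lint:
    steps:
      - uses: example-org/example-action@v1
      - uses: ./.github/actions/local
""",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A tag such as @v1 can be moved to a different commit by whoever controls the action's repository, which is why only a full commit SHA passes the check.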
3. Dependencies (npm and Python)
Components at risk: 1400+ npm packages, 4 Python packages.
Threats: malicious package update, compromised maintainer account, typosquatting.
Mitigations: dependency audit workflow (weekly), npm audit signatures, pip-audit, SBOM generation on release, pinned versions in package.json, lockfile integrity check.
4. Deployed Site (chrisnewcomb.name)
Components at risk: static HTML/CSS/JS served via Cloudflare Pages.
Threats: XSS (mitigated by CSP), clickjacking (mitigated by X-Frame-Options), content injection, DNS hijacking.
Mitigations: Cloudflare WAF managed ruleset, CSP headers, security headers, DNSSEC, CAA records, TLS 1.2 minimum, Full Strict SSL mode.
5. Cloudflare Account
Components at risk: DNS records, WAF rules, Pages deployments, API tokens.
Threats: account compromise, DNS record modification, WAF rule tampering.
Mitigations: Cloudflare account security (2FA), API token rotation (90-day policy), Zero Trust ready for future admin endpoints, audit of Cloudflare configuration documented in governance.
6. Content
Components at risk: markdown files, frontmatter metadata, canary tokens.
Threats: accidental PII disclosure, secret leakage in content, content tampering.
Mitigations: content security scanner (PII/secrets), Gitleaks, commit message secret scanning, canary tokens for intrusion detection, pre-commit validation pipeline.
Threat Actors
| Actor | Motivation | Capability | Likelihood |
|---|---|---|---|
| Automated bot | Credential harvesting | Low (scanning public repos) | High |
| Opportunistic attacker | Supply chain exploitation | Medium | Medium |
| Targeted attacker | Credential theft, reputation damage | High | Low |
Blast Radius Analysis
| Scenario | Impact | Recovery Time |
|---|---|---|
| GitHub token leaked | Repo write access until rotated | Minutes (revoke + rotate) |
| npm dependency backdoored | Malicious code in deployed site | Hours (identify + pin clean version) |
| Cloudflare account compromised | DNS hijack, content modification | Hours (Cloudflare support + DNS propagation) |
| Repository deleted | Full loss if no backup | Hours (restore from local clone) |
| Canary token triggered | Alert only, no damage | N/A (informational) |
Gaps and Future Work
- Automated backup/export of site content (Phase 9, #373)
- OIDC for deployments to eliminate long-lived tokens (deferred)
- Sigstore attestation for build artifacts (deferred)
- Content integrity checksums between build and deploy (deferred)
Review Schedule
This threat model should be reviewed quarterly and whenever the architecture changes significantly (new deployment targets, new CI tools, new authentication mechanisms).