# ๐Ÿ”ง Black Trigram (ํ‘๊ด˜) CI/CD Workflows This document details the continuous integration and deployment workflows used in the Black Trigram project. The workflows automate testing, security scanning, and release procedures to ensure code quality and security compliance aligned with Hack23 AB's [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) and [Change Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Change_Management.md) standards. **Current TypeScript version: 6.0.3** **Current Product Version: 0.7.33** **Last Updated: 2026-04-28** ## ๐Ÿ” ISMS Policy Alignment Black Trigram's CI/CD workflows implement security controls mandated by Hack23 AB's ISMS framework: | **ISMS Policy** | **Workflow Implementation** | | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | | [๐Ÿ› ๏ธ Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) | SAST (CodeQL), SCA (Dependency Review), DAST (ZAP), performance testing | | [๐Ÿ“ Change Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Change_Management.md) | Automated testing gates, security scanning, PR review requirements | | [๐Ÿ” Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) | Dependabot, CodeQL, OSSF Scorecard, security advisories | | [๐Ÿ”“ Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) | SLSA attestations, SBOM generation, license compliance (FOSSA) | | [๐Ÿ” Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) | Security-hardened runners, SHA-pinned actions, least privilege permissions | ## ๐Ÿ“š Related Architecture Documentation
| Document | Focus | Description | | ------------------------------------------------- | ---------------- | --------------------------------------------------------------------------------- | | **[System Architecture](ARCHITECTURE.md)** | ๐Ÿ›๏ธ Architecture | C4 model showing frontend-only Three.js (@react-three/fiber) + React architecture | | **[Combat Architecture](COMBAT_ARCHITECTURE.md)** | โš”๏ธ Game Design | Detailed combat system implementation with Korean martial arts integration | | **[Game Design](game-design.md)** | ๐ŸŽฎ Game Design | Korean martial arts combat mechanics and player archetypes | | **[Audio Assets](AUDIO_ASSETS.md)** | ๐ŸŽต Assets | Korean traditional instrument integration and combat audio | | **[Art Assets](ART_ASSETS.md)** | ๐ŸŽจ Assets | Korean cyberpunk visual design and UI iconography | | **[Future Architecture](FUTURE_ARCHITECTURE.md)** | ๐Ÿ”ฎ Future Vision | Planned features and scalability considerations | | **[Development Guide](development.md)** | ๐Ÿ”ง Development | Security features, testing strategy, and development environment |
## ๐Ÿ”„ Workflow Overview The Black Trigram project uses GitHub Actions for automation with the following security-hardened workflows: 1. **๐Ÿงช Test and Report** - Comprehensive testing with unit tests and E2E tests 2. **๐Ÿš€ Build, Attest and Release** - Secure releases with SLSA attestations 3. **โ˜๏ธ AWS S3 Deployment** - Automated deployment to CloudFront + S3 multi-region 4. **๐Ÿ” CodeQL Analysis** - Security scanning for JavaScript/TypeScript vulnerabilities 5. **๐Ÿ“ฆ Dependency Review** - Vulnerability scanning for dependencies 6. **โญ Scorecard Analysis** - OSSF security scorecard for supply chain security 7. **๐Ÿท๏ธ PR Labeler** - Automated labeling for pull requests 8. **๐Ÿ”’ Setup Labels** - Repository label management 9. **๐Ÿ”† Lighthouse Performance** - Performance auditing using budget.json 10. **๐Ÿ•ท๏ธ ZAP Security Scan** - Dynamic security testing of deployed application 11. **๐Ÿค– Copilot Setup Steps** - GitHub Copilot environment preparation with MCP servers 12. **โ™ฟ Accessibility Test** - WCAG 2.1 Level AA compliance validation 13. **๐Ÿ“ฆ Audit Assets** - Asset reference validation and integrity checking 14. **๐Ÿ“ธ Screenshot Analysis** - Automated UI/UX screenshot capture and analysis 15. **๐Ÿงน Knip - Unused Code Detection** - Static detection of unused files, exports, types, and dependencies on every PR ## ๐Ÿ” Security Hardening Practices Black Trigram implements industry best practices for securing CI/CD pipelines, with StepSecurity hardening for all workflows: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart LR subgraph "๐Ÿ›ก๏ธ Pipeline Security Hardening" PH[Permissions Hardening] --> LAP[Least Access Principle] PS[Pin SHA Versions] --> IDT[Immutable Dependencies] AV[Action Verification] --> TS[Trusted Sources] RH[Runner Hardening] --> AL[Audit Logging] OT[OIDC Tokens] --> EF[Ephemeral Credentials] end subgraph "๐Ÿ”’ Security Measures" AS[Asset Security] --> AC[Asset Verification] DS[Dependency Security] --> PD[Dependency Pinning] BS[Build Security] --> BA[Build Attestations] RS[Release Security] --> SBOM[SBOM Generation] end PH --> AS PS --> DS AV --> BS RH --> RS classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white classDef measures fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white class PH,PS,AV,RH,OT security class AS,DS,BS,RS measures ``` ### Specific Hardening Measures Every workflow in the Black Trigram project implements: 1. **๐Ÿ”’ Permissions Restriction**: Explicit least-privilege permissions 2. **๐Ÿ“Œ SHA Pinning**: All actions pinned to specific SHA hashes 3. **๐Ÿ›ก๏ธ Runner Hardening**: StepSecurity harden-runner for audit logging 4. **๐Ÿ“„ SBOM Generation**: Software Bill of Materials for transparency 5. **๐Ÿ” Build Attestations**: Cryptographic proof of build integrity 6. **โฑ๏ธ Timeout Limits**: Resource exhaustion prevention 7. **๐Ÿ”‘ OIDC Tokens**: Secure authentication without long-lived secrets ## ๐Ÿ—ƒ๏ธ Cache Strategy All workflows use a consistent, non-redundant caching strategy to maximize build speed while minimizing cache storage consumption. ### Cache Action Version All explicit caches use a single pinned version: ```yaml uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 ``` ### npm / Node Modules `actions/setup-node` is configured with `cache: "npm"` in every job that installs Node dependencies. This uses GitHub's built-in npm cache keyed on `package-lock.json` and is the **only** npm cache mechanism used โ€” no additional `actions/cache` step for `~/.npm` is added, which would create a redundant second cache entry for the same data. ### Special Tool Caches Explicit `actions/cache` steps are used **only** for build artifacts that `setup-node` does not cover: | Cache | Path | Key pattern | Used in | |---|---|---|---| | Vite build cache | `node_modules/.vite` | `v2-{OS}-vite-{lockfile-hash}` | build-validation, release build | | Cypress binary | `~/.cache/Cypress` | `v2-cypress-{OS}-{lockfile-hash}` | e2e-tests, release prepare | | Playwright browsers | `~/.cache/ms-playwright` | `v2-playwright-{OS}-{lockfile-hash}` | screenshot-analysis | | APT packages (Chrome) | `/var/cache/apt/archives` | `v2-{OS}-apt-chrome-{workflow-hash}` | e2e-tests, release prepare | | APT packages (Playwright) | `/var/cache/apt/archives` | `v2-{OS}-apt-playwright-{workflow-hash}` | screenshot-analysis | | APT packages (graphviz) | `/var/cache/apt/archives` | `v2-{OS}-apt-graphviz-{workflow-hash}` | report | > **Important โ€” Vite cache ordering**: The Vite build cache step is placed **after** `npm ci`. `npm ci` deletes and recreates `node_modules`, so any cache restored before it would be immediately discarded. By restoring after `npm ci`, the cached `.vite` directory is placed into the freshly-created `node_modules/` and is available for the subsequent build step. ### Cache Key Versioning All cache keys are prefixed with `v2-`. Incrementing this prefix (e.g. to `v3-`) immediately expires every existing cache entry on the next run, without needing to manually delete caches via the GitHub UI. The old `v1`/unversioned entries expire naturally after 7 days of no access. ## ๐Ÿ›ก๏ธ Resilience Against External Registry Failures Browser and system-package installations can hang or fail when third-party registries are slow or unavailable. The following measures are applied across all affected workflows: ### apt-get Resilience - `DEBIAN_FRONTEND=noninteractive` is set to prevent interactive prompts that cause indefinite hangs. - `-qq` flag is used with `apt-get update` to suppress unnecessary output. - `--no-install-recommends` limits the install surface and reduces download size. - All `apt-get` install steps are wrapped in a `timeout-minutes:` step-level limit. ### Chrome Installation Resilience The deprecated `apt-key add` method (which reads from stdin and can block) is replaced with the modern signed-keyring approach: ```bash # Modern method โ€” non-blocking, uses gpg directly curl -fsSL --retry 3 --retry-delay 5 --connect-timeout 30 \ https://dl.google.com/linux/linux_signing_key.pub \ | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] \ https://dl.google.com/linux/chrome/deb/ stable main" \ | sudo tee /etc/apt/sources.list.d/google-chrome.list > /dev/null ``` `curl` is invoked with `--retry 3 --retry-delay 5 --connect-timeout 30` so transient network failures are retried automatically. ### Playwright Installation Resilience `npx playwright install chromium --with-deps` is given a `timeout-minutes: 20` step-level timeout so a slow CDN or broken download does not cause the entire job to hang indefinitely. The timeout is set to 20 minutes (not 10) because on a cache miss, Playwright must download Chromium (~200 MB) plus install OS-level dependencies via apt, which can exceed 10 minutes on slow CDN or congested GitHub Actions runners. The Playwright browser cache (`~/.cache/ms-playwright`) is restored before this step so a successful cache hit skips the download entirely. ## ๐Ÿงช Test and Report Workflow The Test and Report workflow ensures comprehensive quality validation: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Start[๐Ÿš€ Code Push/PR] --> Prepare[๐Ÿ”ง Prepare Environment] Prepare --> BuildVal[๐Ÿ—๏ธ Build Validation] Prepare --> UnitTests[๐Ÿงช Unit Tests] Prepare --> E2ETests[๐ŸŒ E2E Tests] BuildVal --> BuildPass{โœ… Build Success?} UnitTests --> Coverage[๐Ÿ“Š Coverage Report] E2ETests --> CypressArtifacts[๐ŸŽฌ Videos & Screenshots] BuildPass -->|Yes| TestResults[๐Ÿ“‹ Test Results] BuildPass -->|No| FailBuild[โŒ Fail Build] Coverage --> TestResults CypressArtifacts --> TestResults TestResults --> Report[๐Ÿ“ค Upload Reports] classDef startEnd fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef test fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white class Start,Report startEnd class Prepare,BuildVal,TestResults process class UnitTests,E2ETests,Coverage,CypressArtifacts test class BuildPass decision class FailBuild fail ``` ### Testing Components The comprehensive testing approach covers: - **๐Ÿ—๏ธ Build Validation**: Ensures application builds successfully - **๐Ÿงช Unit Testing**: Vitest with coverage reporting - **๐ŸŒ E2E Testing**: Cypress with video recording and screenshots - **๐Ÿ“Š Test Reporting**: JUnit XML and coverage reports - **๐ŸŽฌ Artifact Collection**: Test videos, screenshots, and reports ## ๐Ÿš€ Build, Attest and Release Workflow The secure release workflow handles version management, build attestations, and deployment with SLSA compliance: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿท๏ธ Release Trigger] --> Prepare[๐Ÿ”ง Prepare Release] Prepare --> Build[๐Ÿ—๏ธ Build Package] Build --> Security[๐Ÿ”’ Security Validation] Security --> SBOM[๐Ÿ“„ Generate SBOM] SBOM --> Attestations[๐Ÿ” Create Attestations] Attestations --> Release[๐Ÿ“ฆ Create Release] Release --> Deploy[๐ŸŒ Deploy to Pages] Deploy --> Complete[โœ… Release Complete] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef security fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white classDef deploy fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white class Trigger,Complete trigger class Prepare,Build,Release process class Security,SBOM,Attestations security class Deploy deploy ``` ### Release Management Features - **๐Ÿท๏ธ Tag-based Releases**: Automatic releases on tag push - **๐Ÿ“‹ Manual Releases**: Workflow dispatch with version input - **๐Ÿ”’ Security Attestations**: SLSA Level 3 build provenance - **๐Ÿ“„ SBOM Generation**: Software Bill of Materials in SPDX format - **๐Ÿ“ฆ Artifact Management**: Built application with security attestations - **๐ŸŒ GitHub Pages**: Automated deployment to GitHub Pages (DR) ## โ˜๏ธ AWS S3 Deployment Workflow The AWS deployment workflow handles automatic deployment to CloudFront + S3 multi-region infrastructure with disaster recovery failover to GitHub Pages. ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿ“ Push to Main] --> Prepare[๐Ÿ”ง Environment Setup] Prepare --> S3Deploy[๐Ÿ’พ Sync docs/ to S3 us-east-1] S3Deploy --> CacheHeaders[โšก Set Cache Headers] CacheHeaders --> CFInvalidate[๐Ÿ”„ Invalidate CloudFront] CFInvalidate --> Complete[โœ… Deployment Complete] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef process fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef aws fill:#FF9900,stroke:#232F3E,stroke-width:1.5px,color:white classDef complete fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white class Trigger trigger class Prepare process class S3Deploy,CacheHeaders,CFInvalidate aws class Complete complete ``` **Note**: GitHub Pages disaster recovery is deployed separately via `release.yml` on tagged releases, not as part of the main AWS deployment workflow. ### AWS Deployment Features - **โ˜๏ธ CloudFront CDN**: Global content delivery with edge caching - **๐Ÿ’พ S3 Storage**: Primary deployment to us-east-1 with S3 replication (if configured at infrastructure level) - **โšก Cache Optimization**: Aggressive caching for static assets (1 year) - CSS/JS: `max-age=31536000, immutable` - Images: `max-age=31536000, immutable` - HTML: `max-age=3600, must-revalidate` - Fonts: `max-age=31536000, immutable` - **๐Ÿ”„ CloudFront Invalidation**: Automatic cache invalidation on deployment - **๐Ÿ“ก Route53 Integration**: DNS management with health checks - **๐Ÿ” AWS IAM**: OIDC authentication with role-based access - **๐Ÿ“„ GitHub Pages DR**: Deployed separately on tagged releases (via `release.yml`) for disaster recovery - **๐Ÿ›ก๏ธ Security**: StepSecurity harden-runner with egress policy ### Deployment Architecture The workflow deploys to a multi-tier infrastructure: 1. **Primary**: CloudFront โ†’ S3 (us-east-1) 2. **Disaster Recovery**: GitHub Pages (release-based), activated via Route53 failover ### AWS Credentials The workflow uses AWS OIDC (OpenID Connect) for secure authentication: - **Role**: `GithubWorkFlowRole` in AWS IAM - **Region**: `us-east-1` (primary) - **S3 Bucket**: `blacktrigram-frontend-us-east-1-172017021075` - **CloudFormation Stack**: `blacktrigram-frontend` ## ๐Ÿ” Security Analysis Workflows Multiple security scanning workflows protect the application: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart LR subgraph "๐Ÿ”’ Static Security Analysis" CodeQL[๐Ÿ” CodeQL Analysis] Deps[๐Ÿ“ฆ Dependency Review] Score[โญ Scorecard Analysis] end subgraph "๐Ÿ•ท๏ธ Dynamic Security Testing" ZAP[๐Ÿ•ท๏ธ ZAP DAST Scan] Light[๐Ÿ”† Lighthouse Audit] end subgraph "๐Ÿ“Š Security Reporting" SecTab[๐Ÿ›ก๏ธ GitHub Security Tab] Artifacts[๐Ÿ“„ Security Artifacts] Badge[๐Ÿ† Security Badge] end CodeQL --> SecTab Deps --> SecTab Score --> Badge ZAP --> Artifacts Light --> Artifacts classDef static fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef dynamic fill:#e67e22,stroke:#d35400,stroke-width:1.5px,color:white classDef report fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white class CodeQL,Deps,Score static class ZAP,Light dynamic class SecTab,Artifacts,Badge report ``` ### ๐Ÿ” CodeQL Analysis Comprehensive static analysis for JavaScript/TypeScript vulnerabilities: - **๐Ÿšจ Vulnerability Detection**: Identifies security issues in code - **๐Ÿ“Š Weekly Scanning**: Scheduled analysis for continuous monitoring - **๐Ÿ”’ SARIF Reports**: Results uploaded to GitHub Security tab ### ๐Ÿ“ฆ Dependency Review Automated scanning for dependency vulnerabilities: - **โš ๏ธ CVE Detection**: Identifies known vulnerabilities in dependencies - **๐Ÿ“‹ PR Comments**: Automatic comments on pull requests with findings - **๐Ÿšซ Blocking**: Can block merges with vulnerable dependencies ### โญ OSSF Scorecard Supply chain security assessment: - **๐Ÿ† Security Score**: Public transparency with security badge - **๐Ÿ“ฆ Dependency Management**: Checks for pinned versions and updates - **๐Ÿ” Code Signing**: Validates commit signing and release integrity - **๐Ÿ›ก๏ธ Branch Protection**: Verifies branch protection settings ## ๐Ÿท๏ธ Automated Labeling System Intelligent pull request labeling for development workflows: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD PR[๐Ÿ“ Pull Request] --> Analysis[๐Ÿ” File Analysis] Analysis --> Labels{๐Ÿท๏ธ Label Categories} Labels --> Feature[๐Ÿš€ Features & Enhancements] Labels --> Bug[๐Ÿ› Bug Fixes] Labels --> Docs[๐Ÿ“ Documentation] Labels --> Security[๐Ÿ”’ Security] Labels --> Testing[๐Ÿงช Testing] Labels --> Deps[๐Ÿ“ฆ Dependencies] Feature --> Apply[๐Ÿท๏ธ Apply Labels] Bug --> Apply Docs --> Apply Security --> Apply Testing --> Apply Deps --> Apply classDef pr fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef analysis fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black classDef labels fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef apply fill:#e67e22,stroke:#d35400,stroke-width:2px,color:white class PR pr class Analysis analysis class Labels decision class Feature,Bug,Docs,Security,Testing,Deps labels class Apply apply ``` ### Label Categories The labeler automatically applies labels based on file changes: - **๐Ÿš€ feature** - New features and enhancements - **๐Ÿ› bug** - Bug fixes and patches - **๐Ÿ“ documentation** - Documentation updates - **๐Ÿ”’ security** - Security improvements and fixes - **๐Ÿงช testing** - Test improvements and coverage - **๐Ÿ“ฆ dependencies** - Dependency updates - **๐ŸŽจ ui** - User interface changes - **๐Ÿ—๏ธ infrastructure** - Build and CI/CD changes ## ๐Ÿ”† Performance Monitoring Lighthouse performance auditing using the budget.json configuration: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Deploy[๐ŸŒ Deployment] --> Lighthouse[๐Ÿ”† Lighthouse Audit] Lighthouse --> Performance[โšก Performance Metrics] Lighthouse --> Budget[๐Ÿ“Š Budget Validation] Performance --> Metrics[๐Ÿ“ˆ Core Web Vitals] Budget --> Limits[โš ๏ธ Budget Limits] Metrics --> Report[๐Ÿ“‹ Performance Report] Limits --> Report classDef deploy fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white classDef audit fill:#f39c12,stroke:#e67e22,stroke-width:1.5px,color:black classDef metrics fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef report fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white class Deploy deploy class Lighthouse audit class Performance,Budget,Metrics,Limits metrics class Report report ``` ### Performance Budget (budget.json) The Lighthouse workflow tests against specific performance budgets: - **โšก Interactive**: 6000ms budget - **๐ŸŽจ First Contentful Paint**: 3500ms budget - **๐Ÿ“ Largest Contentful Paint**: 4000ms budget - **โฑ๏ธ Total Blocking Time**: 1600ms budget - **๐Ÿ“ Cumulative Layout Shift**: 0.1 budget - **๐Ÿš€ Speed Index**: 5000ms budget ### Resource Budgets - **๐Ÿ“œ Scripts**: 180KB budget - **๐Ÿ–ผ๏ธ Images**: 200KB budget - **๐ŸŽจ Stylesheets**: 50KB budget - **๐Ÿ“„ Document**: 20KB budget - **๐Ÿ”ค Fonts**: 50KB budget - **๐Ÿ“ฆ Total**: 500KB budget ## ๐Ÿ•ท๏ธ Dynamic Security Testing ZAP security scanning of the deployed application: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Deployed[๐ŸŒ Deployed Application] --> ZAP[๐Ÿ•ท๏ธ ZAP Security Scan] ZAP --> WebVulns[๐Ÿ” Web Vulnerabilities] ZAP --> OWASP[๐Ÿ›ก๏ธ OWASP Top 10] WebVulns --> SecurityReport[๐Ÿ“‹ Security Report] OWASP --> SecurityReport classDef deployed fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:white classDef scan fill:#e74c3c,stroke:#c0392b,stroke-width:1.5px,color:white classDef vuln fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef report fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white class Deployed deployed class ZAP scan class WebVulns,OWASP vuln class SecurityReport report ``` ### Security Testing Focus - **๐Ÿ” Vulnerability Scanning**: OWASP ZAP full scan of deployed application - **๐Ÿ›ก๏ธ OWASP Top 10**: Testing against common web vulnerabilities - **๐ŸŒ Dynamic Testing**: Live application security assessment - **๐Ÿ“‹ Issue Creation**: Optional GitHub issue creation for vulnerabilities ## ๐Ÿค– Copilot Setup Steps Workflow GitHub Copilot environment preparation with Model Context Protocol (MCP) servers: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿš€ Workflow Trigger] --> Setup[๐Ÿ”ง Environment Setup] Setup --> Chrome[๐ŸŒ Chrome Installation] Setup --> Node[๐Ÿ“ฆ Node.js 26] Setup --> ThreeJS[๐ŸŽฎ Three.js Test Environment] Chrome --> WebGL[๐ŸŽจ WebGL Support] Node --> Dependencies[๐Ÿ“ฆ npm ci] ThreeJS --> Xvfb[๐Ÿ–ฅ๏ธ Xvfb Display Server] WebGL --> Cypress[๐Ÿงช Cypress Verification] Dependencies --> Cypress Xvfb --> Cypress Cypress --> Ready[โœ… Copilot Ready] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef setup fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef install fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef ready fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black class Trigger trigger class Setup,Node,Chrome,ThreeJS setup class WebGL,Dependencies,Xvfb,Cypress install class Ready ready ``` ### Copilot Environment Features - **๐ŸŒ Complete Three.js Test Environment**: Chrome with WebGL, Xvfb for headless rendering - **๐Ÿ“ฆ Node.js 26**: Active CI baseline with npm caching for faster builds - **๐ŸŽฎ Gaming Test Infrastructure**: Fonts, graphics libraries, Korean language support - **๐Ÿ”ง MCP Server Integration**: GitHub, filesystem, git, memory, sequential-thinking, playwright servers - **๐Ÿ”’ Security Hardening**: StepSecurity harden-runner with egress policy auditing - **๐Ÿ“Š Environment Validation**: Comprehensive display of setup status and version info - **โšก Performance Optimized**: APT package caching, dependency caching, build artifact caching ### MCP Servers Available The workflow sets up the following MCP servers for enhanced Copilot capabilities: - **github**: Repository data, issues, PRs, workflows (with PAT for cross-repo access) - **filesystem**: Secure filesystem access for reading/editing project files - **git**: Git operations and repository history context - **memory**: Conversation history and context between agent sessions - **sequential-thinking**: Step-by-step problem-solving capabilities - **playwright**: Browser automation for testing and debugging (enabled) - **brave-search**: Documentation search (disabled by default) - **aws**: AWS infrastructure operations (disabled by default) ## โ™ฟ Accessibility Testing Workflow WCAG 2.1 Level AA compliance validation for Korean-English bilingual UI: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿ”„ PR/Push Trigger] --> AxeTests[โ™ฟ axe-core Tests] Trigger --> ColorTests[๐ŸŽจ Color Contrast Tests] AxeTests --> ARIAValidation[๐Ÿท๏ธ ARIA Labels] AxeTests --> KeyboardNav[โŒจ๏ธ Keyboard Navigation] AxeTests --> FocusIndicators[๐Ÿ” Focus Indicators] ColorTests --> TextContrast[๐Ÿ“ Text Contrast 4.5:1] ColorTests --> UIContrast[๐ŸŽจ UI Contrast 3:1] ARIAValidation --> Report[๐Ÿ“‹ Accessibility Report] KeyboardNav --> Report FocusIndicators --> Report TextContrast --> Report UIContrast --> Report Report --> PRComment[๐Ÿ’ฌ PR Comment] Report --> Artifacts[๐Ÿ“ฆ Upload Artifacts] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef test fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef validation fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef report fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black class Trigger trigger class AxeTests,ColorTests test class ARIAValidation,KeyboardNav,FocusIndicators,TextContrast,UIContrast validation class Report,PRComment,Artifacts report ``` ### Accessibility Standards Black Trigram implements comprehensive accessibility testing for inclusive gaming: - **โ™ฟ WCAG 2.1 Level AA Compliance**: Full conformance with international accessibility standards - **๐ŸŽจ Color Contrast**: 4.5:1 for text, 3:1 for UI components on Korean cyberpunk theme - **โŒจ๏ธ Keyboard Navigation**: Full game control without mouse (WASD, 1-8 stances, Space, B, V) - **๐Ÿท๏ธ Bilingual ARIA**: Korean-English labels for all interactive elements - **๐Ÿ” Focus Management**: Visible focus indicators meeting 3:1 contrast - **๐ŸŽฎ Gaming-Specific**: Dialog semantics, progress bars, timers with proper ARIA roles ### Components Tested - **VirtualDPad**: Mobile touch controls with button groups - **StanceWheel**: Eight trigram stance selector with radiogroup semantics - **PauseMenu**: Dialog with escape key and modal behavior - **HealthBar/StaminaBar**: Progress bars with live regions - **CombatTimer**: Timer with countdown announcements - **BilingualText**: Korean-English dual labels with proper language tagging ## ๐Ÿ“ฆ Asset Audit Workflow Automated validation of asset references and integrity: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿ”„ Code/Asset Changes] --> Audit[๐Ÿ” Asset Audit Script] Audit --> Images[๐Ÿ–ผ๏ธ Image References] Audit --> Audio[๐ŸŽต Audio Files] Audit --> Fonts[๐Ÿ”ค Font Files] Images --> Validate[โœ… Validate Existence] Audio --> Validate Fonts --> Validate Validate --> Pass{All Valid?} Pass -->|Yes| Success[โœ… Audit Passed] Pass -->|No| PRComment[โŒ PR Comment with Missing Assets] Success --> Complete[๐ŸŽ‰ Complete] PRComment --> Fail[โŒ Workflow Failed] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef audit fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef check fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef decision fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black classDef fail fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:white class Trigger trigger class Audit,Images,Audio,Fonts audit class Validate,Success,Complete check class Pass decision class PRComment,Fail fail ``` ### Asset Validation Features - **๐Ÿ–ผ๏ธ Image References**: Validates all image imports and public asset references - **๐ŸŽต Audio Files**: Checks audio file existence for Howler.js integration - **๐Ÿ”ค Font Files**: Validates Korean and English font availability - **๐Ÿ“ฆ Dependency Tracking**: Ensures assets match code references - **๐Ÿ” Automated Detection**: Runs on code and asset changes - **๐Ÿ’ฌ PR Feedback**: Automatic comments on pull requests for missing assets ## ๐Ÿ“ธ Screenshot Analysis Workflow Automated UI/UX screenshot capture for visual regression and documentation: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿ”„ PR Trigger] --> SetupEnv[๐Ÿ”ง Playwright Setup] SetupEnv --> BuildApp[๐Ÿ—๏ธ Build Application] BuildApp --> Xvfb[๐Ÿ–ฅ๏ธ Start Xvfb Display] Xvfb --> CaptureIntro[๐Ÿ“ธ Capture IntroScreen] CaptureIntro --> CaptureCombat[๐Ÿ“ธ Capture CombatScreen] CaptureCombat --> CaptureSettings[๐Ÿ“ธ Capture SettingsScreen] CaptureSettings --> Upload[๐Ÿ“ฆ Upload Artifacts] Upload --> PostPR[๐Ÿ’ฌ Post to PR] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef setup fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef capture fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef output fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black class Trigger trigger class SetupEnv,BuildApp,Xvfb setup class CaptureIntro,CaptureCombat,CaptureSettings capture class Upload,PostPR output ``` ### Screenshot Capabilities - **๐Ÿ“ธ Automated Capture**: Playwright-based screenshot generation for all game screens - **๐ŸŽฎ Three.js Rendering**: WebGL rendering with SwiftShader in headless environment - **๐Ÿ–ฅ๏ธ Multiple Resolutions**: Desktop (1280x1024) and mobile (375x667) screenshots - **๐ŸŽจ Visual Documentation**: Automatic UI/UX documentation for PRs - **๐Ÿ“Š Retention**: 30-day artifact retention for comparison - **๐Ÿ‡ฐ๐Ÿ‡ท Korean UI**: Captures bilingual Korean-English interface elements - **๐Ÿ” PR Integration**: Posts screenshots directly to pull request for review ## ๐Ÿงน Knip - Unused Code Detection Automated detection of unused files, exports, types, and dependencies on every pull request: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TD Trigger[๐Ÿ”„ PR Trigger] --> Setup[๐Ÿ”ง Node.js Setup] Setup --> Install[๐Ÿ“ฆ npm ci] Install --> KnipText[๐Ÿงน Run Knip - text report] Install --> KnipJson[๐Ÿ“Š Run Knip - JSON report] KnipText --> Summary[๐Ÿ“ Job Summary Table] KnipJson --> Summary Summary --> Artifact[๐Ÿ“ฆ Upload knip-report artifact] Artifact --> Status[โœ…/โš ๏ธ Notice or Warning] classDef trigger fill:#3498db,stroke:#2980b9,stroke-width:2px,color:white classDef step fill:#9b59b6,stroke:#8e44ad,stroke-width:1.5px,color:white classDef report fill:#27ae60,stroke:#1e8449,stroke-width:1.5px,color:white classDef output fill:#f39c12,stroke:#e67e22,stroke-width:2px,color:black class Trigger trigger class Setup,Install step class KnipText,KnipJson,Summary report class Artifact,Status output ``` ### Knip Capabilities - **๐Ÿ—„๏ธ Unused Files**: Source files not reachable from any entry point - **๐Ÿ“ค Unused Exports**: Exported symbols never imported elsewhere - **๐Ÿ”ค Unused Types & Enum Members**: Type aliases, interfaces, and enum members with no consumers - **โ™ป๏ธ Duplicate Exports**: Symbols exported multiple times (e.g. named + default) - **๐Ÿ“ฆ Unused Dependencies**: `dependencies` / `devDependencies` declared in `package.json` but never imported - **๐Ÿ” Unlisted Dependencies**: Imports not declared in `package.json` - **๐Ÿ“Š Job Summary**: Markdown table summarising counts per category, posted to the GitHub Actions run summary - **๐Ÿ“ Artifact Retention**: 14-day retention of `knip-report.txt` and `knip-report.json` for review - **โš ๏ธ Advisory Mode**: Surfaces findings as warnings without blocking PRs while the codebase is being cleaned up; promote to a hard gate once findings are at zero ### Knip Configuration (`knip.json`) The project uses a comprehensive `knip.json` that covers: - **Application entry points**: `src/main.tsx`, `src/index.ts`, all public library subpath entries (`src/audio/index.ts`, `src/systems/*/index.ts`, `src/components/**/index.ts`, etc.) - **Build & tool configs**: `vite.config.ts`, `vite.lib.config.ts`, `vitest.config.ts`, `cypress.config.ts`, `eslint.config.js`, `vite-plugins/**/*.ts`, `generate-sitemaps.js` - **Automation scripts**: `scripts/**/*.{ts,js,cjs,mjs}` (audits, asset generation, screenshot capture, validation โ€” invoked from `package.json` scripts and CI workflows) - **Cypress entries**: `cypress.config.ts`, `cypress/e2e/**/*.{spec,cy}.{ts,tsx}`, `cypress/support/**/*.ts`, `cypress/plugins/**/*.{ts,js}` - **Test files**: `src/**/*.{test,spec}.{ts,tsx}`, `src/**/__tests__/**/*.{ts,tsx}`, `src/test/setup.ts` - **Plugin integration**: TypeScript (`tsconfig*.json`), Vite, Vitest, Cypress, ESLint plugin configs are wired up so knip understands their conventions - **Ignored dependencies**: Reporters and peer-dep adapters that aren't imported directly (`mochawesome*`, `cypress-junit-reporter`, `vite-bundle-analyzer`, `typedoc-plugin-*`, `postprocessing` peer) ### Local Usage Developers can run knip locally before pushing: ```bash npm run knip # full report npm run find:unused # alias for npm run knip npm run knip -- --reporter json > knip-report.json ``` ## Workflow Integration & Dependencies The complete CI/CD pipeline shows how all workflows interact: ```mermaid %%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#2979FF','primaryTextColor':'#fff','primaryBorderColor':'#0D47A1','lineColor':'#00C853','secondaryColor':'#FFD600','tertiaryColor':'#FF3D00'}}}%% flowchart TB subgraph "๐Ÿ”„ Continuous Integration" PR[๐Ÿ“ Pull Request] --> TestReport[๐Ÿงช Test & Report] PR --> DepReview[๐Ÿ“ฆ Dependency Review] PR --> Labeler[๐Ÿท๏ธ PR Labeler] PR --> A11yTest[โ™ฟ Accessibility Test] PR --> AssetAudit[๐Ÿ“ฆ Asset Audit] PR --> Screenshots[๐Ÿ“ธ Screenshot Analysis] PR --> Knip[๐Ÿงน Knip Unused Code] TestReport --> CodeQL[๐Ÿ” CodeQL Analysis] end subgraph "๐Ÿš€ Continuous Deployment" Release[๐Ÿท๏ธ Release Trigger] --> Build[๐Ÿ—๏ธ Build & Attest] Build --> ReleaseDeploy[๐Ÿ“ฆ Release Artifacts] Build --> GHPagesDeploy[๐Ÿ“„ Deploy to GitHub Pages DR] Main[๐ŸŒŸ Main Branch] --> AWSDeployTrigger[โ˜๏ธ AWS Deploy Trigger] AWSDeployTrigger --> S3Deploy[๐Ÿ’พ Deploy to S3 + CloudFront] S3Deploy --> Lighthouse[๐Ÿ”† Lighthouse Audit] S3Deploy --> ZAPScan[๐Ÿ•ท๏ธ ZAP Security Scan] end subgraph "๐Ÿ“Š Continuous Monitoring" Schedule[โฐ Scheduled] --> Scorecard[โญ Scorecard Analysis] Schedule --> CodeQLScheduled[๐Ÿ” CodeQL Weekly] end subgraph "๐Ÿค– Developer Experience" CopilotTrigger[๐Ÿ”ง Copilot Setup] --> CopilotEnv[๐Ÿค– MCP Servers & Environment] CopilotEnv --> AgentReady[โœ… Agent Ready] end subgraph "๐Ÿ› ๏ธ Repository Management" LabelSetup[๐Ÿ”’ Setup Labels] --> LabelsReady[โœ… Labels Created] LabelsReady -.->|enables| Labeler end PR -.->|"approved & merged"| Main Main --> CodeQL Main -.->|"tag created"| Release classDef integration fill:#a0c8e0,stroke:#2980b9,stroke-width:1.5px,color:black classDef deployment fill:#86b5d9,stroke:#27ae60,stroke-width:1.5px,color:black classDef aws fill:#FF9900,stroke:#232F3E,stroke-width:1.5px,color:white classDef monitoring fill:#d1c4e9,stroke:#8e44ad,stroke-width:1.5px,color:black classDef trigger fill:#bbdefb,stroke:#e67e22,stroke-width:1.5px,color:black classDef devex fill:#ffccbc,stroke:#ff5722,stroke-width:1.5px,color:black classDef repo fill:#c5e1a5,stroke:#689f38,stroke-width:1.5px,color:black class PR,TestReport,DepReview,Labeler,CodeQL,A11yTest,AssetAudit,Screenshots,Knip integration class Release,Build,ReleaseDeploy,Lighthouse,ZAPScan deployment class AWSDeployTrigger,AWSBuild,S3Deploy,GHPagesDeploy aws class Schedule,Scorecard,CodeQLScheduled monitoring class Main trigger class CopilotTrigger,CopilotEnv,AgentReady devex class LabelSetup,LabelsReady repo ``` ## ๐Ÿ” Security Compliance ### OSSF Scorecard Integration - **Automated scoring** of supply chain security practices - **Public transparency** with security badge - **Continuous monitoring** of security posture ### Supply Chain Protection - **Pinned dependencies** - All GitHub Actions pinned to SHA hashes - **Dependency scanning** - Automated vulnerability detection - **SLSA compliance** - Build integrity and provenance - **Signed artifacts** - Cryptographic verification of releases ### Build Attestations Every release includes: - **๐Ÿ“„ SBOM**: Software Bill of Materials in SPDX format - **๐Ÿ” Build Provenance**: SLSA-compliant attestations - **๐Ÿ” Artifact Signing**: Cryptographic signatures - **โœ… Verification**: GitHub CLI verification commands --- **ํ‘๊ด˜์˜ ๊ธธ์„ ๊ฑธ์–ด๋ผ** - _Walk the Path of the Black Trigram_ The CI/CD workflows ensure that every aspect of the application meets the highest standards of quality, security, and reliability through automated testing, security scanning, and secure release management. --- ## ๐Ÿ“š Related Documents ### ๐Ÿ” ISMS Policies - [๐Ÿ› ๏ธ Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC standards - [๐Ÿ“ Change Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Change_Management.md) - Risk-controlled change processes - [๐Ÿ” Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) - Security testing procedures - [๐Ÿ”“ Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source governance and licensing - [๐Ÿ” Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) - Overall security governance ### ๐Ÿ›ก๏ธ Black Trigram Security Documentation - [๐Ÿ›ก๏ธ Security Architecture](./SECURITY_ARCHITECTURE.md) - Current security implementation - [๐ŸŽฏ Threat Model](./THREAT_MODEL.md) - STRIDE analysis and attack trees - [๐Ÿ”’ Security Policy](./SECURITY.md) - Vulnerability reporting - [๐Ÿ—บ๏ธ ISMS Reference Mapping](./ISMS_REFERENCE_MAPPING.md) - Complete ISMS policy mapping ### ๐Ÿ”ง Development Documentation - [๐Ÿ”ง Development Guide](./development.md) - Security features and testing strategy - [๐Ÿ“ Architecture](./ARCHITECTURE.md) - Overall system design - [โš”๏ธ Combat Architecture](./COMBAT_ARCHITECTURE.md) - Combat system implementation - [๐Ÿงช Unit Test Plan](./UnitTestPlan.md) - Unit testing strategy - [๐ŸŽฏ E2E Test Plan](./E2ETestPlan.md) - End-to-end testing documentation --- **๐Ÿ“‹ Document Control:** **โœ… Approved by:** James Pether Sรถrling, CEO **๐Ÿ“ค Distribution:** Public **๐Ÿท๏ธ Classification:** [![Confidentiality: Public](https://img.shields.io/badge/C-Public-lightgrey?style=flat-square&logo=shield&logoColor=black)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md#confidentiality-levels) [![Integrity: Moderate](https://img.shields.io/badge/I-Moderate-yellow?style=flat-square&logo=check-circle&logoColor=black)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md#integrity-levels) [![Availability: Standard](https://img.shields.io/badge/A-Standard-lightgreen?style=flat-square&logo=server&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md#availability-levels) **๐Ÿ“… Effective Date:** 2026-04-28 **โฐ Next Review:** 2026-10-28 **๐ŸŽฏ Framework Compliance:** [![ISO 27001](https://img.shields.io/badge/ISO_27001-2022_Aligned-blue?style=flat-square&logo=iso&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) [![NIST CSF 2.0](https://img.shields.io/badge/NIST_CSF-2.0_Aligned-green?style=flat-square&logo=nist&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) [![CIS Controls](https://img.shields.io/badge/CIS_Controls-v8.1_Aligned-orange?style=flat-square&logo=cisecurity&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md)