Proof, Not Promises: Secure-by-Default Starter v1.0.0
Introduction
Nice words don’t catch leaks.
At 2 a.m., when you’re duct-taping a pipeline and praying tomorrow’s demo doesn’t implode, no compliance framework is there to save you. Startups don’t run on words — they run on commits. And commits need proof.
That’s why we built Secure-by-Default Starter v1.0.0, an open-source GitHub template that makes security show up in your repo, not in a PowerPoint.
This isn’t just a starter repo. It’s the first brick in our Mergeable Trust framework — proof that security belongs in the first commit, not the last audit.
Secure-by-default isn’t a feature — it’s a culture shift. This repo is the first artifact in that shift.
What’s Inside v1.0.0
- 🔒 Pre-commit checks: secrets, hygiene, linting.
- 🛡️ CI/CD scans: Trivy vulnerability & IaC misconfig detection.
- 📦 SBOM generation: every build, automatically.
- ✅ Compliance breadcrumbs: SOC2 / ISO 27001 mapped from Day 1.
- 📚 Secure vs insecure examples: learn by contrast, not by guesswork.
Every control leaves a receipt in Git — proof you can show to investors, customers, or yourself at 2 a.m.
Why It Matters
- For solo founders: answer the investor’s “how are you handling security?” without burning a week on vaporware decks.
- For vCISOs: a drop-in baseline you can roll out across multiple clients without reinventing the wheel.
And for the people writing the checks:
Investors and customers don’t want security theater. They want proof you’re building responsibly. This starter repo lets you show them — without slowing down.
What Proof Looks Like
- Pre-commit fail (Gitleaks):

✖ Gitleaks detected a secret in example/bad_secret.txt
Commit blocked. Fix required before push.

❯ pre-commit run gitleaks
gitleaks (staged diff)...................................................Failed
- hook id: gitleaks
- exit code: 1

Finding:  REDACTED
Secret:   REDACTED
RuleID:   slack-bot-token
Entropy:  5.076725
File:     examples/bad_secret.txt
Line:     3
Proof beats promises. Show it right there in GitHub.
How to Use It
- Fork it or use it as a template.
- Enable CI/CD checks.
- Run a “red PR” drill: drop in a vuln and watch the system catch it.
- Ship with receipts instead of promises.
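As an added example (not the starter's own workflow file), here is a GitHub Actions job that wires up the CI/CD controls from the "What's Inside" list and that step 2 above turns on: Trivy vulnerability and IaC misconfiguration scans that fail the PR on HIGH/CRITICAL findings, plus a CycloneDX SBOM kept as a build artifact on every run. The action version pins, job and step names, and the SBOM file name are assumptions.

```yaml
name: secure-by-default-ci
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  scan-and-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Vulnerability scan of the checked-out tree (lockfiles, vendored deps).
      # exit-code 1 turns HIGH/CRITICAL findings into a failed PR check.
      - name: Trivy vulnerability scan
        uses: aquasecurity/trivy-action@0.28.0   # version pin is an assumption
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      # IaC misconfig scan: Terraform, Kubernetes manifests, Dockerfiles.
      - name: Trivy IaC misconfiguration scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          severity: HIGH,CRITICAL
          exit-code: '1'

      # SBOM on every build: CycloneDX JSON, stored as a build artifact
      # so each run leaves a receipt next to the commit it scanned.
      - name: Generate SBOM
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: cyclonedx
          output: sbom.cdx.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
```

Running the "red PR" drill from step 3 against this workflow is the quickest way to confirm both scans actually go red before you rely on them.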
Fork it. Break it. Tell us what you hate. This only works if it works for you.
Where We’re Headed
This is v1.0. Here’s where we’re headed next:
- Supply chain attestation with Sigstore.
- AI-native scanning for prompt/secret leaks.
- Compliance alignment with NIST SSDF + OSPS Baseline.
If you believe secure-by-default should be the norm, not the exception, help us prove it. Add your voice, your commits, your scars.
Final Word
Nice words don’t catch leaks. Commits with proof do.
This is v1.0. Not perfect. But it’s proof. And proof is where trust begins.
👉 Secure by Default Starter
Tell us what to add. We’re building this with the community, in the open.
If this resonated, explore our Security Philosophy and see the first artifact of Mergeable Trust in action: our Secure‑by‑Default Starter.