The LibreHealth EHR Security Assessment Infrastructure project aims to create an automated CVSS scoring system integrated with GitLab CI/CD to continuously evaluate and monitor security vulnerabilities across critical Meaningful Use (MU) certification workflows. This infrastructure will provide systematic security assessment, enabling early detection and mitigation of potential vulnerabilities.
The project focuses on implementing comprehensive integration testing for key clinical workflows while incorporating CVSS scoring to quantify potential security risks. This automated approach will ensure consistent security evaluation with each code change or release, maintaining a robust security posture for the EHR system.
The deliverables of the project are as follows:
Develop automated integration tests covering the specified MU workflows
Create a CVSS scoring framework that evaluates security aspects of each workflow
Implement GitLab CI/CD pipeline integration for automated security assessment
Generate comprehensive security reports with detailed CVSS metrics
Provide documentation for maintaining and extending the security assessment infrastructure
Create remediation guidelines for common vulnerability patterns
CVSS Scoring Implementation:
Implement automated scanning for common vulnerability patterns
Create custom scoring rules for healthcare-specific security concerns
Generate CVSS v3.1 scores for identified vulnerabilities
Track security metrics over time
Provide trend analysis for security posture
CI/CD Integration:
Configure GitLab CI/CD pipelines for automated testing
Implement security gates based on CVSS scores
Create notification systems for security issues
Generate security reports for each build/release
Archive security metrics for trend analysis
Preliminary tasks:
Map all target workflows and their components
Create initial integration test framework
Implement basic CVSS scoring for a sample workflow
Set up GitLab CI/CD pipeline structure
A developer working on this project needs to have skills in:
PHP and JavaScript testing frameworks
Security testing and vulnerability assessment
CVSS scoring methodology and implementation
GitLab CI/CD configuration and pipeline development
Are there existing integration tests or security scanners already in use within LibreHealth EHR that this project will extend?
Which MU workflows should be prioritized first (e.g., patient registration, prescription management, lab results, billing)?
Is there a preferred vulnerability scanning tool (e.g., OWASP ZAP, PHPStan security rules, custom static analysis, etc.), or is tool selection part of the project scope?
Would the CVSS scoring engine be fully custom-built, or should it integrate with existing vulnerability databases (like NVD feeds)?
Hi @kishansinghifs1 please review the code here - LibreHealth / LibreHealth EHR / LibreHealth EHR Laravel · GitLab, and we want you to answer some of your questions in the proposal. There aren’t any security tests or integration tests in there at the moment. You should propose the main MU workflows that are present in the Laravel port. Please propose which vulnerability scanning tool you think is appropriate. Similarly, propose some CVSS scoring libraries (if external) or, if you want to build a custom one, justify why any of the existing ones aren’t good enough.
I’ve explored the LibreHealth EHR Laravel codebase and here are my initial observations:
The test suite currently has only the default scaffolding (ExampleTest.php in both Feature/ and Unit/), so there’s a clean slate for building the security test infrastructure.
The CI pipeline (run-tests.yml in GitHub Actions) runs basic tests — I can extend this to add security scanning stages.
I’ve identified the key models that map to MU workflows — Patients/, Encounter, Prescription, Immunization, Insurance/, Forms/, AuditMaster/AuditDetail — which gives me a clear starting point for mapping workflows to test coverage.
My preliminary approach would be:
Map MU workflows to controllers/models, starting with Patient Registration and Encounter management. Write integration tests covering authentication, authorization, input validation, and PHI data handling for these flows.
Integrate static analysis (PHPStan with security rules + composer audit) and dynamic scanning (OWASP ZAP against test endpoints) into the CI pipeline.
Build the CVSS v3.1 scoring engine that maps scan findings + test results to CVSS vectors, with custom rules for healthcare-specific concerns (e.g., PHI exposure, missing audit trails, broken access controls).
Dashboard/reporting with trend analysis, security gates, and remediation guidelines.
For the preliminary tasks, I’d like to start contributing right away. Could you point me to:
Any specific branch I should work off of?
Guidelines for submitting PRs (I see the CONTRIBUTING.md but want to confirm the workflow)?
Happy to get to know more from you; that would be really helpful to me!
I’m Anushka Dudhe, a first-year B.Tech CSE (AI/ML) student, and I’m excited to start contributing to LibreHealth EHR. I’m particularly interested in understanding how large-scale healthcare systems are built and maintained through open-source collaboration.
I’m exploring LibreHealth EHR as an open-source contributor and as a prospective participant in Google Summer of Code 2026, and I wanted to get involved early by contributing meaningfully and learning the project’s architecture, workflows, and development practices. Over the past few days, I’ve been setting up the project locally and reviewing the repository, documentation, and open issues to build context around the codebase.
My current focus is on starting with well-scoped contributions - such as setup improvements, documentation, issue investigation, or initial test coverage - so I can align with existing patterns and gradually take on more complex tasks as I gain deeper understanding. I value clear communication, code quality, and constructive feedback, and I’m looking forward to collaborating with the community and learning from experienced contributors.
Thanks for maintaining such an impactful project and for supporting new contributors. I’m excited to contribute and grow with the LH-EHR community.
Hi! @sunbiz @muarachmann I’ve prepared a proposal after going through the codebase. I’d love to share it and discuss a few sections. Should I post it here, or would it be better to send it via email?
Also, regarding the preliminary tasks @sunbiz @muarachmann, could you please guide me on the best way to demonstrate my implementation? Should I open a PR/merge request, or is there another preferred way to share the work?
Hi @muarachmann @sunbiz and @r0bby — I’ve been working through the architecture for the project and wanted to share my thinking visually before finalizing the proposal.
The attached diagram maps out my planned four-layer pipeline: static analysis (PHPStan L5+L8 + Enlightn + composer audit) → dynamic scanning (OWASP ZAP in three phases: seeded auth session → spider all pages → active scan) → CVSS v3.1 scoring engine (findings → vector → PHI-tier multiplier → base score) → security gate (pass = merge allowed, fail = merge blocked) → report generated.
A few design decisions I’d love your feedback on:
PHPStan dual-level (L5 + L8) — L5 as a baseline across all controllers/models, L8 only on PHI-handling controllers to avoid false positive overload. Does this feel right, or would you prefer a single level?
PHI-tier multipliers — I’m classifying models into PHI_CRITICAL / PHI_MODERATE / NON_PHI and adjusting CVSS Confidentiality Impact accordingly, since not all data carries equal risk (e.g., insurance policy numbers vs. category labels). Open to feedback on the tier boundaries.
ZAP phase structure — planning seeded-auth session first so ZAP scans authenticated endpoints. Any specific MU workflow endpoints you want prioritized in the active scan policy?
Happy to walk through any part of this in more detail!
My current structure (Overview, Architecture, Deliverables, Tech Stack, Timeline) covers the core requirements. Also, can I submit this proposal on the GSoC website?
@r0bby I had one doubt too: everyone is adding an "about me" or introduction section to their proposals. Is it actually necessary? Does it really help mentors understand the applicant better, and should I add it too?