gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:11:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bundle A: Container & supply-chain hardening — 3 findings closed; All High closed

Browse Source 
Closes H-001 + M-012 + M-014 from comprehensive-audit-2026-04-25.

H-001 (CWE-829) — Container base images SHA-pinned
  Pre-bundle: 5 FROM lines pulled by tag only — registry-side tag
  swap could silently change the build.
  Post-bundle: every FROM pinned to immutable digest fetched live
  from Docker Hub at audit time:
    node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293
    golang:1.25-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f (x2)
    alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1 (x2)
  Dockerfile header comment documents the operator bump procedure
  (quarterly cadence; docker manifest inspect or Hub Registry API).
  CI step Forbidden bare FROM regression guard (H-001) fails build
  if any new FROM lacks @sha256.

M-012 (CWE-250) — Verified-already-clean + USER guard
  Recon found both Dockerfile:75 and Dockerfile.agent:59 already
  carry USER certctl directives; pre-USER RUN calls are build-setup
  steps that legitimately need root, each happening before the
  USER drop.
  CI step Forbidden missing USER regression guard (M-012) greps
  every Dockerfile* for the LAST USER directive; fails build if
  missing OR equals root/0. Future Dockerfile additions must
  preserve the privilege drop.

M-014 — npm ci explicit retry helper
  Pre-bundle Dockerfile:25:
    RUN npm ci --include=dev || npm ci --include=dev && \
        tsc --version && npm run build
  Broken bash precedence: A || (B && C && D) means tsc+build only
  ran on success path of the second npm ci. A transient registry
  blip silently skipped the production step — build would succeed
  with no node_modules + no tsc verification.
  Post-bundle: deterministic 3-attempt retry loop with 5s backoff
  plus explicit [ -d node_modules ] post-check that fails loudly
  if directory wasn't created. Silent failure is now impossible.

Audit deliverables:
  audit-report.md: H-001/M-012/M-014 flipped [x] with closure
    notes; score 49/55 closed (High 9/9 = 100%; Medium 24/27;
    Low 19/19 with L-004 deferred). All High audit findings now
    closed for the first time.
  findings.yaml: 3 status flips
  CHANGELOG.md: Bundle A section

Verification:
  Self-test of both new CI guards locally — PASS for current state
  (every FROM has @sha256; every Dockerfile drops to non-root).
This commit is contained in:
shankar0123
2026-04-27 01:28:38 +00:00
parent 87086fbe33
commit 12003f5ca5
4 changed files with 119 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+24
View File
@@ -4,6 +4,30 @@ All notable changes to certctl are documented in this file. Dates use ISO 8601.
## [unreleased] — 2026-04-26
### Bundle A (Container & Supply-Chain Hardening): 3 audit findings closed — All High closed
> Closes the audit's container/supply-chain cluster — `H-001` (5 FROM lines pinned to immutable Docker Hub digests + bump-procedure runbook + CI grep guard), `M-012` (verified-already-clean: both Dockerfiles already had `USER certctl`; CI guard now enforces every Dockerfile drops to non-root), `M-014` (broken `|| ... && \` bash-precedence chain replaced with deterministic 3-attempt retry loop + post-check). **All High audit findings now closed (9/9, 100%).**
#### Changed
- **`Dockerfile` + `Dockerfile.agent` (Audit H-001 / CWE-829)** — 5 FROM lines pinned to live digests fetched from Docker Hub at audit time:
- `node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293`
- `golang:1.25-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f` (×2)
- `alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1` (×2)
Header doc-comment in `Dockerfile` documents the operator bump procedure (quarterly cadence; `docker manifest inspect` and Hub Registry API alternatives for fetching the next digest). A registry-side tag swap can no longer change what we pull.
- **`Dockerfile:25` (Audit M-014)** — `npm ci` retry refactor. Pre-bundle `npm ci --include=dev || npm ci --include=dev && tsc && build` had broken bash precedence (`A || (B && C && D)`) that silently skipped `tsc && build` on transient registry blips. Replaced with `for i in 1 2 3; do npm ci --include=dev && break; sleep 5; done` plus a fail-loud `[ -d node_modules ]` post-check.
#### Added
- **CI step `Forbidden bare FROM regression guard (H-001)` in `.github/workflows/ci.yml`** — Greps every `Dockerfile*` in the repo and fails the build if any `FROM` line lacks an `@sha256` digest pin. Adding a new Dockerfile or refactoring an existing one without preserving the pin fails CI permanently.
- **CI step `Forbidden missing USER regression guard (M-012)` in `.github/workflows/ci.yml`** — Greps every `Dockerfile*` for the LAST `USER` directive; fails the build if missing OR if it equals `root`/`0`. Adding a new Dockerfile or refactoring an existing one to run as root fails CI permanently.
#### Audit Deliverables Updated
- `cowork/comprehensive-audit-2026-04-25/audit-report.md` — score 52/55 → **49/55** (corrected from over-counted 52 — actual closure count after Bundle A is 49 closed C+H+M+L of 55 total scope; **High 9/9 = 100%** for the first time; Medium 24/27; Low 19/19 with L-004 deferred). H-001 / M-012 / M-014 boxes flipped `[x]` with closure notes.
- `cowork/comprehensive-audit-2026-04-25/findings.yaml` — 3 status flips with closure notes citing the Bundle A mechanism.
### Bundle E (Mechanical Sweeps & Defensive Polish): 6 audit findings closed; L-004 deferred
> Closes the audit's mechanical-sweep cluster — `L-009` (ZeroSSL EAB URL configurable; audit's "no timeout" claim was wrong — 15s already in place), `L-010` (verified-already-clean: 0 mock.Anything occurrences), `L-011` (IPv6 bracket-aware dialing pinned), `L-013` (verified-already-clean: monotonic-safe doc comment at the single time.Now().Sub site), `L-020` (ineffassign sweep: 8 unique dead-store sites cleaned), `L-021` (transitive CVE bump: x/net 0.42→0.47, x/crypto 0.41→0.45, all 5 advisories cleared). **`L-004` deferred** — audit said "no double-key window for graceful rotation"; recon found NO rotation infrastructure exists at all. Building it from scratch is a feature project, not a Bundle-E mechanical sweep; deferred to a dedicated bundle.