gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: supply-chain hardening (Phase 1 closure — RED-1, RED-2, TEST-L2)

Browse Source 
Three findings from the certctl architecture diligence audit's Phase 1
bundle (Supply-Chain Hardening) closed together in one PR since they all
touch .github/workflows/ + repo root.

RED-1 — delete tracked precompiled binary
  - deploy/test/f5-mock-icontrol/f5-mock-icontrol (8.6 MB ARM64 ELF) was
    tracked alongside the Go source that builds it. The fixture's
    Dockerfile already uses a multi-stage build that re-runs
    'go build' inside the container (line 13), so the tracked binary
    was vestigial — never actually consumed by the test wiring.
  - git rm'd. Path added to .gitignore so it doesn't re-land.
  - No Makefile target needed; the Dockerfile is the rebuild path.

RED-2 — SHA-pin every GitHub Action
  - Pre: 37 of 41 'uses:' lines were tag-pinned (@v4 etc); only
    4 were SHA-pinned (sigstore/cosign-installer + anchore/sbom-action).
  - Post: 0 / 41. Every 'uses:' line is now '@<40-char-sha>  # vN'
    (the trailing comment preserves the human-readable version for
    operator audit). SHA-pinning closes the standard supply-chain
    attack vector against GitHub Actions consumers.
  - SHAs resolved live via the GitHub API; spot-checked one.

TEST-L2 — npm audit hard gate
  - Added 'npm audit --omit=dev --audit-level=high' step to the
    Frontend Build job in ci.yml. --omit=dev excludes vitest/vite/
    eslint/etc which don't ship to operators.
  - Local run today: 0 vulnerabilities; gate enters with no triage
    backlog. Catches future regressions.

New CI guards (regression-prevention):
  - scripts/ci-guards/no-tag-pinned-actions.sh — fails the build if
    a future PR adds 'uses: foo/bar@v2' instead of SHA-pinning.
  - scripts/ci-guards/no-precompiled-binary.sh — runs file(1) over
    git ls-files output; fails on any tracked ELF/Mach-O/PE.
  - Both pass locally. CI's existing loop over scripts/ci-guards/*.sh
    picks them up automatically.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-1,
        cowork/certctl-architecture-diligence-audit.html#fix-RED-2,
        cowork/certctl-architecture-diligence-audit.html#fix-TEST-L2
This commit is contained in:
shankar0123
2026-05-13 19:30:53 +00:00
parent de8fac24a3
commit 95cb002905
9 changed files with 160 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
+23 -12
View File
@@ -14,10 +14,10 @@ jobs:
name: Go Build & Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.25.10'
@@ -120,7 +120,7 @@ jobs:
run: bash scripts/check-coverage-thresholds.sh
- name: Upload Coverage Report
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: go-coverage
path: coverage.out
@@ -188,7 +188,7 @@ jobs:
runs-on: ubuntu-latest
needs: go-build-and-test
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Show Docker versions
run: |
@@ -328,10 +328,10 @@ jobs:
name: Frontend Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
@@ -339,6 +339,17 @@ jobs:
working-directory: web
run: npm ci
- name: npm audit (production deps, high+critical)
# Phase 1 TEST-L2 closure (2026-05-13):
# Production frontend dependencies must not carry high or
# critical CVEs. Dev-only deps (vitest, vite, eslint, etc.)
# are excluded via --omit=dev since they never ship to
# operators. If this gate fires, triage each finding via npm
# overrides, dep upgrade, or a tracked --ignore with an issue
# link. Do not mass-silence findings.
working-directory: web
run: npm audit --omit=dev --audit-level=high
- name: TypeScript Check
working-directory: web
run: npx tsc --noEmit
@@ -374,10 +385,10 @@ jobs:
name: Helm Chart Validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Install Helm
uses: azure/setup-helm@v4
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
with:
version: '3.13.0'
@@ -527,10 +538,10 @@ jobs:
needs: [go-build-and-test]
timeout-minutes: 30
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.25.10'
cache: true
@@ -624,10 +635,10 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.25.10'
cache: true
.github/workflows/codeql.yml
+5 -5
View File
@@ -53,17 +53,17 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Go
if: matrix.language == 'go'
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
# Match ci.yml + release.yml + security-deep-scan.yml.
go-version: '1.25.10'
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
with:
languages: ${{ matrix.language }}
# Use the security-and-quality query suite — security finds plus
@@ -72,10 +72,10 @@ jobs:
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
with:
category: "/language:${{ matrix.language }}"
# SARIF upload is implicit (and is what populates the Security tab).
.github/workflows/loadtest.yml
+3 -3
View File
@@ -49,13 +49,13 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Docker Buildx
# The compose stack builds the certctl image from the repo
# root Dockerfile. Buildx gives the build a usable cache and
# works with newer compose versions.
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Run loadtest
run: make loadtest
@@ -70,7 +70,7 @@ jobs:
# authoritative machine-readable form; summary.txt is the
# human-readable text the README baseline tracks.
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: k6-summary-${{ github.run_id }}
path: deploy/test/loadtest/results/
.github/workflows/release.yml
+13 -13
View File
@@ -39,10 +39,10 @@ jobs:
os: [linux, darwin]
arch: [amd64, arm64]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: ${{ env.GO_VERSION }}
@@ -123,7 +123,7 @@ jobs:
cat "${OUTPUT_NAME}.sha256"
- name: Upload build artefacts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: binary-${{ steps.build.outputs.output_name }}
path: |
@@ -151,7 +151,7 @@ jobs:
hashes: ${{ steps.hashes.outputs.hashes }}
steps:
- name: Download binary artefacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
pattern: binary-*
path: artifacts
@@ -191,7 +191,7 @@ jobs:
checksums.txt
- name: Upload artefacts to GitHub Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
@@ -212,7 +212,7 @@ jobs:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
with:
base64-subjects: "${{ needs.aggregate-checksums.outputs.hashes }}"
upload-assets: true
@@ -235,10 +235,10 @@ jobs:
id-token: write # Cosign keyless OIDC identity token
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -249,14 +249,14 @@ jobs:
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Install Cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Build and push server image
id: server-push
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
file: ./Dockerfile
@@ -291,7 +291,7 @@ jobs:
- name: Build and push agent image
id: agent-push
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
file: ./Dockerfile.agent
@@ -334,7 +334,7 @@ jobs:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Extract version from tag
id: version
@@ -351,7 +351,7 @@ jobs:
# README is the source of truth for those, and inlining them in every
# release page produces the kind of "every release looks identical"
# noise that gives operators no signal about what actually changed.
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
# Pin the release title to the tag name. softprops/action-gh-release@v2
# falls back to the most recent commit subject when `name:` is omitted,
.github/workflows/security-deep-scan.yml
+4 -4
View File
@@ -36,9 +36,9 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-go@v5
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.25'
@@ -126,7 +126,7 @@ jobs:
continue-on-error: true
- name: ZAP baseline
uses: zaproxy/action-baseline@v0.10.0
uses: zaproxy/action-baseline@1e1871e84428617b969d4a1f981a8255630d54b0 # v0.10.0
with:
target: 'https://localhost:8443'
continue-on-error: true
@@ -175,7 +175,7 @@ jobs:
# --- Upload everything as artefacts ---
- name: Upload deep-scan receipts
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: always()
with:
name: security-deep-scan-${{ github.run_id }}