mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 22:21:30 +00:00
shankar0123
e11cdda135
Closes Audit-2026-04-25 D-001..D-002 + D-006 (partial) + H-005 (partial). Opens new tracker IDs H-010, M-028, L-020, L-021 (see closure document in cowork/comprehensive-audit-2026-04-25/tool-output/_BUNDLE-7-CLOSURE.md). What changed - scripts/install-security-tools.sh (NEW) — idempotent installer for the Go-based subset (govulncheck, staticcheck, errcheck, ineffassign, gosec, osv-scanner). Used locally + by both CI workflows. - .github/workflows/security-deep-scan.yml (NEW) — daily + workflow_dispatch scans for tools that need docker/network: trivy image, syft SBOM, ZAP baseline, schemathesis, nuclei, testssl.sh, gosec, osv-scanner, full-suite race detector at -count=10. Every step continue-on-error; artefacts uploaded for triage. - .github/workflows/ci.yml — staticcheck added as a soft (continue-on-error) gate alongside the existing govulncheck hard gate. Soft until M-028 closes the 6 remaining SA1019 deprecated-API sites; flip to fail-on- non-zero then. Per-package coverage gates extended: pkcs7 hard ≥85% (currently 100%), local-issuer soft ≥65% transitional floor (H-010 raises to 85%). - staticcheck.conf (NEW) — suppresses 4 style-only rules (ST1005, ST1000, ST1003, S1009, S1011, SA9003) with documented justifications. Real defects (SA1019) NOT suppressed. - .govulnignore (NEW) — empty placeholder with the suppression contract (one OSV ID + justification + review-by date per line). Bundle-7's 5 deferred-call advisories don't need entries because govulncheck's default exit code already passes. Local tool-run evidence (cowork/comprehensive-audit-2026-04-25/tool-output/2026-04-26/): - govulncheck.txt + govulncheck-verbose.txt — clean (0 affected; 5 deferred-call) - staticcheck.txt + staticcheck-after-suppressions.txt — 6 SA1019 → M-028 - errcheck.txt — 1294 sites, all defer-Close / response-write convention → triaged - ineffassign.txt — 15 unique sites → L-020 - helm-lint.txt — clean (1 INFO-level icon recommendation) - go-test-race.txt — clean across scheduler/middleware/mcp at -count=3 (CI runs -count=10 against the full suite) - go-test-cover.txt — crypto 86.7% ✓, pkcs7 100% ✓, local-issuer 68.3% ✗ → H-010 Closures in this bundle - D-001 partial — 4 of 6 Go-based tools ran locally; remainder wired in CI - D-002 closed — race detector clean - D-006 partial — helm lint passes; kube-score / kubesec deferred to CI - D-007 deferred — semgrep p/react-security wired in CI (needs docker) - D-003 / D-004 / D-005 deferred — wired in security-deep-scan.yml - H-005 partial — crypto + pkcs7 meet 85%; local-issuer at 68.3% → H-010 New tracker IDs opened (next-bundle scope) - H-010 — local-issuer coverage gap (68.3% vs 85% target). 2-3 days. - M-028 — 6 deprecated-API sites (SA1019). Migration coordinated. - L-020 — ineffassign cleanup sweep, 15 mechanical sites. - L-021 — 5 transitive Go-module CVEs (deferred-call). Monitor + bump. NOT addressed in this bundle (deferred to a future Bundle 7-bis) - M-007 bulk-operation partial-failure tests - M-008 admin-gated role-gate tests - L-010 mock.Anything overuse audit - L-018 defect age analysis on remaining High findings Verification - go vet ./... → clean - go build ./... → clean - go test -short -count=1 ./... → all packages pass - go test -race -count=3 ./scheduler/middleware/mcp → clean - go test -cover ./crypto/pkcs7/local-issuer → see go-test-cover.txt - govulncheck ./... → clean - staticcheck ./... → 6 SA1019 (tracked as M-028) - helm lint → clean - yaml lint .github/workflows/*.yml → clean - python3 yaml.safe_load(api/openapi.yaml) → 89 paths Bundle 7 of the 2026-04-25 comprehensive audit. Tool-output evidence preserved at cowork/comprehensive-audit-2026-04-25/tool-output/2026-04-26/.
58 lines
1.9 KiB
Bash
Executable File
58 lines
1.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Bundle-7 / Audit D-001:
|
|
# Idempotent installer for the §12 mandatory tool suite. Used locally
|
|
# during a Bundle-7-style run and by the CI workflows
|
|
# (.github/workflows/ci.yml + .github/workflows/security-deep-scan.yml).
|
|
#
|
|
# Tools installed via go install (host-Go, no docker required):
|
|
# govulncheck Go module CVE scan
|
|
# staticcheck Go static-analysis (additive to vet)
|
|
# errcheck unchecked-error finder
|
|
# ineffassign dead-assignment finder
|
|
# gosec Go security static-analysis (best-effort; large download)
|
|
# osv-scanner multi-ecosystem CVE scan
|
|
#
|
|
# Tools NOT installed by this script (containerized in CI workflows):
|
|
# semgrep, hadolint, trivy, syft, checkov, kube-score,
|
|
# schemathesis, OWASP ZAP, nuclei, testssl.sh
|
|
#
|
|
# Usage:
|
|
# bash scripts/install-security-tools.sh # default GOBIN
|
|
# GOBIN=/tmp/gobin bash scripts/install-security-tools.sh
|
|
#
|
|
# Exit codes:
|
|
# 0 every tool installed
|
|
# 1 one or more installs failed (script continues but reports at end)
|
|
|
|
set -uo pipefail
|
|
|
|
if ! command -v go >/dev/null 2>&1; then
|
|
echo "ERROR: go toolchain not on PATH" >&2
|
|
exit 1
|
|
fi
|
|
|
|
FAIL=0
|
|
install_tool() {
|
|
local pkg="$1"
|
|
local name
|
|
name="$(basename "${pkg%@*}")"
|
|
echo "=> install $name ($pkg)"
|
|
if ! go install "$pkg" 2>&1; then
|
|
echo "WARN: failed to install $name" >&2
|
|
FAIL=$((FAIL + 1))
|
|
fi
|
|
}
|
|
|
|
install_tool golang.org/x/vuln/cmd/govulncheck@latest
|
|
install_tool honnef.co/go/tools/cmd/staticcheck@latest
|
|
install_tool github.com/kisielk/errcheck@latest
|
|
install_tool github.com/gordonklaus/ineffassign@latest
|
|
install_tool github.com/securego/gosec/v2/cmd/gosec@latest
|
|
install_tool github.com/google/osv-scanner/cmd/osv-scanner@latest
|
|
|
|
if [ "$FAIL" -ne 0 ]; then
|
|
echo "WARNING: $FAIL tool(s) failed to install — partial coverage only" >&2
|
|
exit 1
|
|
fi
|
|
echo "OK: all 6 tools installed"
|