mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 21:21:40 +00:00
Shankar
b566355d6f
Closes Audit-2026-04-25 D-001..D-002 + D-006 (partial) + H-005 (partial). Opens new tracker IDs H-010, M-028, L-020, L-021 (see closure document in cowork/comprehensive-audit-2026-04-25/tool-output/_BUNDLE-7-CLOSURE.md). What changed - scripts/install-security-tools.sh (NEW) — idempotent installer for the Go-based subset (govulncheck, staticcheck, errcheck, ineffassign, gosec, osv-scanner). Used locally + by both CI workflows. - .github/workflows/security-deep-scan.yml (NEW) — daily + workflow_dispatch scans for tools that need docker/network: trivy image, syft SBOM, ZAP baseline, schemathesis, nuclei, testssl.sh, gosec, osv-scanner, full-suite race detector at -count=10. Every step continue-on-error; artefacts uploaded for triage. - .github/workflows/ci.yml — staticcheck added as a soft (continue-on-error) gate alongside the existing govulncheck hard gate. Soft until M-028 closes the 6 remaining SA1019 deprecated-API sites; flip to fail-on- non-zero then. Per-package coverage gates extended: pkcs7 hard ≥85% (currently 100%), local-issuer soft ≥65% transitional floor (H-010 raises to 85%). - staticcheck.conf (NEW) — suppresses 4 style-only rules (ST1005, ST1000, ST1003, S1009, S1011, SA9003) with documented justifications. Real defects (SA1019) NOT suppressed. - .govulnignore (NEW) — empty placeholder with the suppression contract (one OSV ID + justification + review-by date per line). Bundle-7's 5 deferred-call advisories don't need entries because govulncheck's default exit code already passes. Local tool-run evidence (cowork/comprehensive-audit-2026-04-25/tool-output/2026-04-26/): - govulncheck.txt + govulncheck-verbose.txt — clean (0 affected; 5 deferred-call) - staticcheck.txt + staticcheck-after-suppressions.txt — 6 SA1019 → M-028 - errcheck.txt — 1294 sites, all defer-Close / response-write convention → triaged - ineffassign.txt — 15 unique sites → L-020 - helm-lint.txt — clean (1 INFO-level icon recommendation) - go-test-race.txt — clean across scheduler/middleware/mcp at -count=3 (CI runs -count=10 against the full suite) - go-test-cover.txt — crypto 86.7% ✓, pkcs7 100% ✓, local-issuer 68.3% ✗ → H-010 Closures in this bundle - D-001 partial — 4 of 6 Go-based tools ran locally; remainder wired in CI - D-002 closed — race detector clean - D-006 partial — helm lint passes; kube-score / kubesec deferred to CI - D-007 deferred — semgrep p/react-security wired in CI (needs docker) - D-003 / D-004 / D-005 deferred — wired in security-deep-scan.yml - H-005 partial — crypto + pkcs7 meet 85%; local-issuer at 68.3% → H-010 New tracker IDs opened (next-bundle scope) - H-010 — local-issuer coverage gap (68.3% vs 85% target). 2-3 days. - M-028 — 6 deprecated-API sites (SA1019). Migration coordinated. - L-020 — ineffassign cleanup sweep, 15 mechanical sites. - L-021 — 5 transitive Go-module CVEs (deferred-call). Monitor + bump. NOT addressed in this bundle (deferred to a future Bundle 7-bis) - M-007 bulk-operation partial-failure tests - M-008 admin-gated role-gate tests - L-010 mock.Anything overuse audit - L-018 defect age analysis on remaining High findings Verification - go vet ./... → clean - go build ./... → clean - go test -short -count=1 ./... → all packages pass - go test -race -count=3 ./scheduler/middleware/mcp → clean - go test -cover ./crypto/pkcs7/local-issuer → see go-test-cover.txt - govulncheck ./... → clean - staticcheck ./... → 6 SA1019 (tracked as M-028) - helm lint → clean - yaml lint .github/workflows/*.yml → clean - python3 yaml.safe_load(api/openapi.yaml) → 89 paths Bundle 7 of the 2026-04-25 comprehensive audit. Tool-output evidence preserved at cowork/comprehensive-audit-2026-04-25/tool-output/2026-04-26/.
150 lines
4.7 KiB
YAML
150 lines
4.7 KiB
YAML
name: security-deep-scan
|
|
|
|
# Bundle-7 / Audit D-001..D-007:
|
|
# Slow / containerized scans on a daily schedule + manual dispatch.
|
|
# Per-PR fast gates live in ci.yml; this workflow runs the heavyweight
|
|
# tools that need docker, network egress to scanner registries, or
|
|
# longer wall-clock budgets than a per-PR check tolerates.
|
|
#
|
|
# Scope:
|
|
# trivy image container CVE + secret scan
|
|
# syft SBOM CycloneDX SBOM artefact upload
|
|
# ZAP baseline DAST baseline against a live deploy_test stack
|
|
# nuclei template-based vuln scan against the same stack
|
|
# schemathesis OpenAPI fuzz against the running server
|
|
# testssl.sh TLS configuration audit
|
|
# race detector x10 full -count=10 race run on the entire test suite
|
|
# gosec Go security static analysis (slow first run)
|
|
#
|
|
# Each step is best-effort — failures are uploaded as artefacts but do
|
|
# NOT block the workflow. Triage happens via the Bundle-7 receipt
|
|
# directory under cowork/comprehensive-audit-2026-04-25/tool-output/.
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 6 * * *' # daily 06:00 UTC
|
|
workflow_dispatch: {}
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write # SARIF upload to GitHub code scanning
|
|
|
|
jobs:
|
|
deep-scan:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-go@v5
|
|
with:
|
|
go-version: '1.25'
|
|
|
|
- name: Install Go-based tools
|
|
run: bash scripts/install-security-tools.sh
|
|
continue-on-error: true
|
|
|
|
# --- Static analysis (slow paths) ---
|
|
|
|
- name: gosec
|
|
run: |
|
|
$(go env GOPATH)/bin/gosec -fmt sarif -out gosec.sarif ./... || true
|
|
continue-on-error: true
|
|
|
|
- name: osv-scanner (multi-ecosystem CVE)
|
|
run: |
|
|
$(go env GOPATH)/bin/osv-scanner -r --format json --output osv-scanner.json . || true
|
|
continue-on-error: true
|
|
|
|
# --- Race detector at -count=10 (D-002) ---
|
|
|
|
- name: go test -race -count=10 (full suite)
|
|
run: |
|
|
go test -race -count=10 -short ./... 2>&1 | tee go-test-race.txt
|
|
continue-on-error: true
|
|
|
|
# --- Coverage receipts for crypto cluster (H-005) ---
|
|
|
|
- name: go test -cover (crypto cluster)
|
|
run: |
|
|
go test -cover -covermode=atomic \
|
|
./internal/crypto/... \
|
|
./internal/pkcs7/... \
|
|
./internal/connector/issuer/local/... \
|
|
2>&1 | tee go-test-cover.txt
|
|
|
|
# --- Container + supply chain (D-001 partial, D-006 partial) ---
|
|
|
|
- name: Build certctl image
|
|
run: docker build -t certctl:deep-scan .
|
|
continue-on-error: true
|
|
|
|
- name: trivy image scan
|
|
run: |
|
|
docker run --rm -v "$PWD":/src aquasec/trivy:latest image \
|
|
--format json --output /src/trivy.json certctl:deep-scan || true
|
|
continue-on-error: true
|
|
|
|
- name: syft SBOM
|
|
run: |
|
|
docker run --rm -v "$PWD":/src anchore/syft:latest dir:/src \
|
|
-o cyclonedx-json > syft.cyclonedx.json || true
|
|
continue-on-error: true
|
|
|
|
# --- DAST against a live stack (D-004) ---
|
|
|
|
- name: docker compose up (test stack)
|
|
run: |
|
|
docker compose -f deploy/docker-compose.yml up -d
|
|
sleep 20
|
|
continue-on-error: true
|
|
|
|
- name: ZAP baseline
|
|
uses: zaproxy/action-baseline@v0.10.0
|
|
with:
|
|
target: 'https://localhost:8443'
|
|
continue-on-error: true
|
|
|
|
- name: schemathesis (OpenAPI fuzz)
|
|
run: |
|
|
pip install schemathesis
|
|
schemathesis run --base-url https://localhost:8443 \
|
|
--hypothesis-max-examples=50 api/openapi.yaml || true
|
|
continue-on-error: true
|
|
|
|
- name: nuclei
|
|
run: |
|
|
docker run --rm --network host projectdiscovery/nuclei:latest \
|
|
-u https://localhost:8443 -j -o nuclei.json || true
|
|
continue-on-error: true
|
|
|
|
# --- TLS audit (D-005) ---
|
|
|
|
- name: testssl.sh
|
|
run: |
|
|
docker run --rm -v "$PWD":/data drwetter/testssl.sh:latest \
|
|
--jsonfile /data/testssl.json https://localhost:8443 || true
|
|
continue-on-error: true
|
|
|
|
- name: docker compose down
|
|
run: docker compose -f deploy/docker-compose.yml down || true
|
|
if: always()
|
|
|
|
# --- Upload everything as artefacts ---
|
|
|
|
- name: Upload deep-scan receipts
|
|
uses: actions/upload-artifact@v4
|
|
if: always()
|
|
with:
|
|
name: security-deep-scan-${{ github.run_id }}
|
|
path: |
|
|
gosec.sarif
|
|
osv-scanner.json
|
|
go-test-race.txt
|
|
go-test-cover.txt
|
|
trivy.json
|
|
syft.cyclonedx.json
|
|
nuclei.json
|
|
testssl.json
|
|
retention-days: 30
|