gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6ae481190e26f4332b02f482de7f7ad428368459
certctl/.github
T
History
Shankar 6ae481190e Bundle F: Compliance tail + CI gate hardening — 2 findings closed; audit closure complete 
Closes M-023 + M-024 from comprehensive-audit-2026-04-25. Final
audit-bundle commit. Score 51/55 closed (93%); High 9/9 (100%);
Medium 26/27 (96%); Low 19/19 (100%); Deferred 4/7.

M-023 (PCI-DSS Req 4 §2.2.5) — Legacy EST/SCEP reverse-proxy runbook
  docs/legacy-est-scep.md (NEW): operator runbook for embedded
  EST/SCEP clients that only speak TLS 1.2 against a TLS-1.3-pinned
  certctl listener. Sections:
    - 3-condition gate for when this runbook applies
    - Architecture diagram (legacy client -> proxy TLS 1.2 -> certctl TLS 1.3)
    - Full nginx config with ssl_protocols TLSv1.2 TLSv1.3 + ECDHE
      AEAD-only ciphers + mTLS optional verification + proxy_ssl_protocols
      TLSv1.3 on the backend hop
    - HAProxy alternative config with ssl-min-ver TLSv1.2 frontend +
      ssl-min-ver TLSv1.3 backend
    - certctl-side env vars: CERTCTL_EST_PROXY_TRUSTED_SOURCES (CIDR
      allowlist of trusted proxies) + CERTCTL_EST_TRUST_PROXY_CLIENT_CERT_HEADER
      (toggle header-as-identity). Dual-knob design forces operators
      to think about header spoofing.
    - PCI-DSS Req 4 v4.0 §2.2.5 attestation language
    - Forward-look on TLS 1.2 deprecation watch
  certctl listener stays pinned at TLS 1.3 minimum (cmd/server/tls.go:131);
  the proxy-to-certctl hop is also TLS 1.3.

M-024 (NIST SSDF PW.7.2) — govulncheck hard gate
  .github/workflows/ci.yml: 'Run govulncheck' step renamed to
  'Run govulncheck (M-024 hard gate)' with updated comment block
  documenting why no carve-out is needed.
  Bundle E's transitive bumps (x/net 0.42->0.47, x/crypto 0.41->0.45)
  cleared the 5 L-021 deferred-call advisories that the original
  Bundle F prompt designed an exception list for. Plain
  'govulncheck ./...' is now the right gate; default exit-code
  semantics fail on any future called-vuln advisory. Deferred-call
  advisories that legitimately can't be remediated should land in
  a NIST SSDF deviation log in docs/security.md, not be silenced.

Audit endgame:
  51/55 closed (93%). Remaining open items don't require further
  bundle work:
    - M-029 frontend per-page migration backlog — closes per-PR
    - L-004 rotation infra — explicit scope-pivot defer
    - D-003 mutation testing — sandbox-blocked
    - D-004 DAST suite — wired CI-only via security-deep-scan.yml
    - D-005 testssl.sh — wired CI-only
    - D-007 frontend semgrep — wired CI-only

Audit deliverables:
  audit-report.md: score 49/55 -> 51/55 closed; M-023 + M-024
    boxes flipped [x] with closure notes.
  findings.yaml: 2 status flips
  CHANGELOG.md: Bundle F section + 'Audit endgame' summary
2026-04-27 01:43:56 +00:00
..
workflows
Bundle F: Compliance tail + CI gate hardening — 2 findings closed; audit closure complete
2026-04-27 01:43:56 +00:00