
ci: add dedicated ModSecurity v3 warn-only hardening build job#110

Merged
Easton97-Jens merged 1 commit into v3/master-workflows from codex/add-separate-ci-build-for-modsecurity-v3 on May 15, 2026
Conversation

@Easton97-Jens
Owner

Motivation

  • Add a separate CI job that builds ModSecurity v3 alongside existing nginx/OpenResty builds so the library can be validated independently.
  • Ensure the same hardening/optimization logic is used as for existing builds while making all compiler warnings visible for ModSecurity.
  • Provide an opt-out/override for any global -Werror/-Werror=format-security so warnings are shown without turning failures into noisy cut-offs.

Description

  • Added a new job build-modsecurity-v3 to .github/workflows/ci_new.yml that runs on ubuntu-24.04 and does not replace existing matrix jobs.
  • The job defines and uses the variables COMMON_CC_OPT, COMMON_LD_OPT, PIC_CC_OPT, MODSECURITY_CC_OPT, MODSECURITY_CXX_OPT, and MODSECURITY_LD_OPT and explicitly enables -Wall -Wextra -Wformat -Wformat-security for ModSecurity.
  • The job implements MODSECURITY_WARN_ONLY=1 and strips any -Werror / -Werror=format-security from the ModSecurity warning flags when set so warnings remain visible but real compile/link errors still fail the job.
  • C/C++/preprocessor/linker flags are exported separately as CFLAGS, CXXFLAGS, CPPFLAGS, and LDFLAGS, include -fPIC, and enable linker hardening with -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -Wl,--gc-sections; the job avoids adding LuaJIT rpath or nginx/OpenResty-specific flags.
  • The job prints the compiler version, linker version, CFLAGS, CXXFLAGS, CPPFLAGS, LDFLAGS and configure options to the CI log before running ./configure and builds with verbose output via make -j "$(nproc)" V=1.

Testing

  • Validated the new workflow file parses as YAML using ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci_new.yml")', which completed successfully.
  • The new job was added to .github/workflows/ci_new.yml and the file was checked locally for syntactic correctness (YAML load succeeded).

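The flag composition the description above calls for, as an added shell example that is not the PR's own workflow code. It assumes the variable names listed in the description, a warn-only switch named MODSECURITY_WARN_ONLY, and goes one step further than the text by also appending -Wno-error=format-security in warn-only mode, since Ubuntu's gcc turns that error on by default regardless of what the flag string contains:

```shell
# Constructed example of the warn-only flag handling; values are illustrative.
COMMON_CC_OPT="-O2 -fstack-protector-strong"
COMMON_LD_OPT="-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed -Wl,--gc-sections"
PIC_CC_OPT="-fPIC"
# Warning flags as a global policy might hand them in, -Werror included.
MODSECURITY_WARN_FLAGS="-Wall -Wextra -Wformat -Wformat-security -Werror -Werror=format-security"

# strip_werror "<flags>": drop every -Werror and -Werror=<diag> token so the
# diagnostics stay visible but can no longer fail the build on their own.
strip_werror() {
    out=""
    for tok in $1; do
        case "$tok" in
            -Werror|-Werror=*) ;;                 # dropped
            *) out="${out:+$out }$tok" ;;         # kept, space-joined
        esac
    done
    printf '%s' "$out"
}

# modsec_warn_flags <warn_only 0|1> "<flags>": in warn-only mode strip the
# error promotions and neutralise the toolchain default (assumption: Ubuntu
# gcc enables -Werror=format-security by itself); otherwise pass flags through.
modsec_warn_flags() {
    if [ "$1" = "1" ]; then
        printf '%s -Wno-error=format-security' "$(strip_werror "$2")"
    else
        printf '%s' "$2"
    fi
}

# export_build_env: compose and export the four separate flag sets the job
# feeds to ./configure. Real compile and link errors are unaffected; only the
# warning-to-error promotion is removed.
export_build_env() {
    warn="$(modsec_warn_flags "${MODSECURITY_WARN_ONLY:-0}" "$MODSECURITY_WARN_FLAGS")"
    CFLAGS="$COMMON_CC_OPT $PIC_CC_OPT $warn"
    CXXFLAGS="$CFLAGS"
    CPPFLAGS="-D_FORTIFY_SOURCE=2"
    LDFLAGS="$COMMON_LD_OPT"
    export CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
    printf 'CFLAGS=%s\nCXXFLAGS=%s\nCPPFLAGS=%s\nLDFLAGS=%s\n' \
        "$CFLAGS" "$CXXFLAGS" "$CPPFLAGS" "$LDFLAGS"
}
```

Printing the exported sets before ./configure, as the job does, is what lets a reviewer confirm from the CI log that -Werror really was removed and that -fPIC and the relro/now linker flags survived.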


@Easton97-Jens Easton97-Jens merged commit 2888e4e into v3/master-workflows May 15, 2026
49 of 195 checks passed
@Easton97-Jens Easton97-Jens deleted the codex/add-separate-ci-build-for-modsecurity-v3 branch May 15, 2026 17:44
