Skip to content

Commit 227aa60

Browse files
authored
Merge pull request #198 from kube-logging/renovate/all
chore(deps): update all dependencies
2 parents 92a3d5f + f1f77cc commit 227aa60

29 files changed

Lines changed: 657 additions & 488 deletions

.claude/hooks/security-bash.sh

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
#!/usr/bin/env bash
2+
# security-bash.sh - PreToolUse security hook for Bash tool
3+
set -euo pipefail
4+
5+
INPUT=$(cat)
6+
COMMAND=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // ""')
7+
8+
if [ -z "$COMMAND" ]; then exit 0; fi
9+
10+
deny() {
11+
printf '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"%s"}}' "$1"
12+
exit 0
13+
}
14+
15+
# git reset --hard - irreversible local state destruction
16+
if printf '%s' "$COMMAND" | grep -qE '(^|[|;&[:space:]])git\s+reset\s+--hard'; then
17+
deny "Blocked: git reset --hard discards changes irreversibly. Use git stash or checkout specific files instead."
18+
fi
19+
20+
# git checkout -- (overwrites working tree files)
21+
if printf '%s' "$COMMAND" | grep -qE '(^|[|;&[:space:]])git\s+checkout\s+--\s'; then
22+
deny "Blocked: git checkout -- overwrites working tree files irreversibly. Stage or stash changes first."
23+
fi
24+
25+
# git clean -f (deletes untracked files)
26+
if printf '%s' "$COMMAND" | grep -qE '(^|[|;&[:space:]])git\s+clean\s+(-[a-zA-Z]*f|.*-f)'; then
27+
deny "Blocked: git clean -f deletes untracked files permanently. Review with git status first."
28+
fi
29+
30+
# Piping network content to a shell interpreter
31+
if printf '%s' "$COMMAND" | grep -qE '(curl|wget).*(bash|sh|zsh|fish)\b|\|\s*(bash|sh|zsh|fish)\b'; then
32+
deny "Blocked: Piping network content directly to a shell interpreter is a supply chain attack vector."
33+
fi
34+
35+
# Shell -c with embedded rm -rf (obfuscation bypass)
36+
if printf '%s' "$COMMAND" | grep -qE '(bash|sh|zsh)\s+-c\s+.*rm\s+-[rRfF]'; then
37+
deny "Blocked: Shell -c invocation with embedded rm -rf detected."
38+
fi
39+
40+
# Redirect write to .env or secrets/
41+
if printf '%s' "$COMMAND" | grep -qE '>\s*(\.env|\.env\.[a-zA-Z0-9_-]+|secrets/)'; then
42+
deny "Blocked: Redirect write to .env or secrets/ directory is prohibited."
43+
fi
44+
45+
# Redirect write to credential/key files
46+
if printf '%s' "$COMMAND" | grep -qE '>\s*[^[:space:]]*(\.pem|\.key|\.pfx|\.p12|credentials|id_rsa|id_ed25519)'; then
47+
deny "Blocked: Redirect write to credential/key file detected."
48+
fi
49+
50+
exit 0

.claude/hooks/security-file.sh

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
#!/usr/bin/env bash
2+
# security-file.sh - PreToolUse security hook for Write and Edit tools
3+
set -euo pipefail
4+
5+
INPUT=$(cat)
6+
FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // ""')
7+
8+
if [ -z "$FILE_PATH" ]; then exit 0; fi
9+
10+
deny() {
11+
printf '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"%s"}}' "$1"
12+
exit 0
13+
}
14+
15+
# .env files
16+
if printf '%s' "$FILE_PATH" | grep -qE '(^|/)\.env(\.[a-zA-Z0-9_-]+)?$'; then
17+
deny "Blocked: Writing to .env file is prohibited. Manage secrets outside the codebase."
18+
fi
19+
20+
# secrets/ directories
21+
if printf '%s' "$FILE_PATH" | grep -qE '(^|/)secrets/'; then
22+
deny "Blocked: Writing to secrets/ directory is prohibited."
23+
fi
24+
25+
# Cryptographic key/certificate extensions
26+
if printf '%s' "$FILE_PATH" | grep -qE '\.(pem|key|pfx|p12|jks|keystore)$'; then
27+
deny "Blocked: Writing to cryptographic key/certificate file is prohibited."
28+
fi
29+
30+
# Credential file name patterns
31+
if printf '%s' "$FILE_PATH" | grep -qE '(^|/)(credentials|id_rsa|id_ed25519|id_ecdsa|\.htpasswd)(\..*)?$'; then
32+
deny "Blocked: Writing to credential file is prohibited."
33+
fi
34+
35+
# Files with 'secret' or 'token' in name
36+
if printf '%s' "$FILE_PATH" | grep -qE '(^|/)[^/]*(secret|token)[^/]*$'; then
37+
deny "Blocked: Writing to file with '"'"'secret'"'"' or '"'"'token'"'"' in name is prohibited."
38+
fi
39+
40+
# .npmrc (may contain auth tokens)
41+
if printf '%s' "$FILE_PATH" | grep -qE '(^|/)\.npmrc$'; then
42+
deny "Blocked: Writing to .npmrc is prohibited (may contain registry auth tokens)."
43+
fi
44+
45+
# .git internals
46+
if printf '%s' "$FILE_PATH" | grep -qE '(^|/)\.git/(config|credentials|objects|FETCH_HEAD|packed-refs)'; then
47+
deny "Blocked: Direct writes to .git internals are prohibited. Use git commands instead."
48+
fi
49+
50+
# SQLite databases
51+
if printf '%s' "$FILE_PATH" | grep -qE '\.sqlite(3)?$'; then
52+
deny "Blocked: Direct writes to SQLite database files are prohibited."
53+
fi
54+
55+
exit 0

.claude/hooks/session-end.sh

Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
#!/usr/bin/env bash
2+
# session-end.sh - Stop hook for session-end verification
3+
set -euo pipefail
4+
5+
REPO_ROOT=$(git -C "$(dirname "$0")" rev-parse --show-toplevel 2>/dev/null) || exit 0
6+
7+
# Files modified vs HEAD (unstaged + staged, deduplicated)
8+
MODIFIED=$(git -C "$REPO_ROOT" diff --name-only HEAD 2>/dev/null || true)
9+
STAGED=$(git -C "$REPO_ROOT" diff --name-only --cached 2>/dev/null || true)
10+
ALL_CHANGED=$(printf '%s\n%s\n' "$MODIFIED" "$STAGED" | sort -u | grep -v '^$' || true)
11+
12+
[ -z "$ALL_CHANGED" ] && exit 0
13+
14+
ISSUES=""
15+
16+
block() {
17+
printf '{"decision":"block","reason":"%s"}' "$1"
18+
exit 0
19+
}
20+
21+
# Check for merge conflict markers
22+
while IFS= read -r f; do
23+
FULL="$REPO_ROOT/$f"
24+
[ -f "$FULL" ] || continue
25+
if grep -qE '^(<{7}|>{7}|={7}) ' "$FULL" 2>/dev/null; then
26+
ISSUES="${ISSUES}\\n- Unresolved merge conflict in: $f"
27+
fi
28+
done <<< "$ALL_CHANGED"
29+
30+
# Check for hardcoded secret patterns in modified non-test Go files
31+
GO_FILES=$(printf '%s\n' "$ALL_CHANGED" | grep '\.go$' | grep -v '_test\.go$' || true)
32+
SECRET_RE='(password|passwd|api_key|apikey|secret_key|auth_token|access_key)\s*[:=]\s*"[^"]+'
33+
while IFS= read -r f; do
34+
[ -z "$f" ] && continue
35+
FULL="$REPO_ROOT/$f"
36+
[ -f "$FULL" ] || continue
37+
if grep -iqE "$SECRET_RE" "$FULL" 2>/dev/null; then
38+
ISSUES="${ISSUES}\\n- Possible hardcoded secret in: $f"
39+
fi
40+
done <<< "$GO_FILES"
41+
42+
# Check for stray debug prints in non-test Go files
43+
while IFS= read -r f; do
44+
[ -z "$f" ] && continue
45+
FULL="$REPO_ROOT/$f"
46+
[ -f "$FULL" ] || continue
47+
if grep -qE 'fmt\.(Print|Println|Printf)\(' "$FULL" 2>/dev/null; then
48+
ISSUES="${ISSUES}\\n- Stray fmt.Print* in: $f (use tracing.Log instead)"
49+
fi
50+
done <<< "$GO_FILES"
51+
52+
[ -z "$ISSUES" ] && exit 0
53+
54+
block "Session-end verification found issues:${ISSUES}\\n\\nPlease review and resolve before finishing."

.claude/settings.json

Lines changed: 44 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,6 @@
44
"Welcome to the Telemetry-controller project!\nIf you have any questions or need assistance, feel free to reach out to the maintainers or the community.\nWe are excited to have you on board and look forward to your contributions."
55
],
66
"model": "sonnet",
7-
"availableModels": ["haiku", "sonnet", "opus"],
87
"cleanupPeriodDays": 14,
98
"env": {
109
"DISABLE_TELEMETRY": "1",
@@ -13,6 +12,47 @@
1312
"DISABLE_NON_ESSENTIAL_MODEL_CALLS": "1"
1413
},
1514
"includeCoAuthoredBy": false,
15+
"hooks": {
16+
"PreToolUse": [
17+
{
18+
"matcher": "Bash",
19+
"hooks": [
20+
{
21+
"type": "command",
22+
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/security-bash.sh"
23+
}
24+
]
25+
},
26+
{
27+
"matcher": "Write",
28+
"hooks": [
29+
{
30+
"type": "command",
31+
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/security-file.sh"
32+
}
33+
]
34+
},
35+
{
36+
"matcher": "Edit",
37+
"hooks": [
38+
{
39+
"type": "command",
40+
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/security-file.sh"
41+
}
42+
]
43+
}
44+
],
45+
"Stop": [
46+
{
47+
"hooks": [
48+
{
49+
"type": "command",
50+
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/session-end.sh"
51+
}
52+
]
53+
}
54+
]
55+
},
1656
"permissions": {
1757
"deny": [
1858
"Read(./.env)",
@@ -35,6 +75,7 @@
3575
"Read(./**/id_ed25519*)",
3676
"Read(./**/.htpasswd)",
3777
"Read(./**/*.sqlite)",
78+
"Read(./**/tmp/**)",
3879
"Bash(rm -rf *)",
3980
"Bash(rm -fr *)",
4081
"Bash(git push *)",
@@ -47,19 +88,11 @@
4788
"Bash(* >> /dev/*)"
4889
],
4990
"ask": [
50-
"Bash",
5191
"WebFetch"
5292
],
53-
"defaultMode": "plan",
54-
"disableBypassPermissionsMode": "disable"
55-
},
56-
"sandbox": {
57-
"enabled": true,
58-
"autoAllowBashIfSandboxed": false,
59-
"excludedCommands": [],
60-
"allowUnsandboxedCommands": false
93+
"defaultMode": "plan"
6194
},
62-
"enableAllProjectMcpServers": false,
95+
"enableAllProjectMcpServers": true,
6396
"enabledPlugins": {
6497
"context7@claude-plugins-official": true,
6598
"feature-dev@claude-plugins-official": true,

.github/workflows/artifacts.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -150,7 +150,7 @@ jobs:
150150
tar -xf image.tar -C image
151151
152152
- name: Run Trivy vulnerability scanner
153-
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
153+
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
154154
env:
155155
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
156156
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
@@ -269,7 +269,7 @@ jobs:
269269
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
270270
271271
- name: Run Trivy vulnerability scanner
272-
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
272+
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
273273
env:
274274
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
275275
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1

.go-version

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
1.25.3
1+
1.26.0

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
FROM --platform=$BUILDPLATFORM golang:1.26.2-alpine3.22@sha256:c259ff7ffa06f1fd161a6abfa026573cf00f64cfd959c6d2a9d43e3ff63e8729 AS builder
1+
FROM --platform=$BUILDPLATFORM golang:1.26.3-alpine3.22@sha256:be93003ee861b3b91b6ebcb22678524947e0cd786c2df3f32af520006b1e54f5 AS builder
22

33
RUN apk add --update --no-cache ca-certificates make git curl
44

0 commit comments

Comments
 (0)