Add supply-chain CI gates and adversarial fuzz evals #311
Merged
Fill the security-CI gaps that CodeQL (default query suite) and the gitleaks pre-commit hook don't cover, and add adversarial/fuzz EVAL coverage for the security-critical trust boundaries.

CI:
- security.yml: govulncheck (gating), gitleaks (gating, push+PR), and gosec SARIF upload (non-gating, GitHub Security tab) — the pre-commit hook can't protect direct pushes or unhooked clones.
- dependency-review.yml: flags vulnerable/disallowed-license deps on PRs.
- architecture.yml: add a broad -race -short job over pkg/cmd/internal (-parallel 4) so any library data race fails CI, not just the daemon lock graph; pin setup-go to go.mod.
- Bump go.mod to go 1.25.11 to clear GO-2026-5037 / GO-2026-5039 stdlib vulns that govulncheck flags as called from telemetry/appstore.
- .gitleaks.toml: documented allowlist for 11 history false positives (placeholder bearer tokens in .astro docs, an X25519 field comparison in a tunnel test).

Tests:
- keyexchange frame fuzzers (PILA/PILK): no panic, fail-closed (a random auth frame must never be accepted).
- badge/recovery IPC payload fuzzers + badgeverify parser fuzzer: no panic, fail-closed with no registry connection.
- pilotctl adversarial test: a badge bound to a different NodeID is rejected by VerifyForNode, and a forged-signature badge for its own node still fails closed.
Summary
Hardens CI security and adds adversarial/fuzz EVAL coverage for the trust-boundary code paths (keyexchange wire parsing, badge/recovery IPC, badge node binding). Fills the gaps left by the existing CodeQL ("Analyze Go", default query suite) and the gitleaks/detect-private-key pre-commit hook — neither of which protects direct pushes or unhooked clones.
CI: present vs added
Already present (unchanged): CodeQL "Analyze Go" (default suite + one query-filter exclude — NOT security-extended), Architecture gates (lock-graph -race ./pkg/daemon/... + stress harness), CI Go (mac+ubuntu, go vet/build/-short), nightly integration + 7 fuzz suites, cli-reference-check, dependabot (gomod/npm/actions, weekly), pre-commit gitleaks v8.21.2 + detect-private-key/detect-aws/large-files. (No Snyk workflow exists in this repo.)

Added:
- govulncheck
- gitleaks
- Dependency review
- Race detector — all library packages (-short): -race over pkg/cmd/internal
- gosec (SARIF, non-gating)

Also: architecture.yml setup-go pinned to go.mod; go.mod bumped to go 1.25.11.

Scanner findings + resolutions
- GO-2026-5037 (crypto/x509) and GO-2026-5039 (net/textproto) — both stdlib, called from telemetry/appstore, fixed in go1.25.11. Resolved by bumping go.mod to go 1.25.11 (genuine fix, not an exclusion). Now clean.
- continue-on-error off once triaged.
- Bearer <token> / "token":"<...>" in web/src/pages/*.astro docs, and a pc2.PeerX25519Key == pc1.PeerX25519Key field comparison in a tunnel test. Resolved with a tight, documented .gitleaks.toml allowlist (extends default ruleset). Full history + working tree now clean.

Adversarial / fuzz EVALs
- pkg/daemon/keyexchange/zz_fuzz_frame_test.go — FuzzHandleAuthFrame / FuzzHandleUnauthFrame: fuzz the PILA/PILK wire parsers. Assert no panic and fail-closed (a random/forged auth frame must never be accepted). ~40–70k execs/s, clean.
- pkg/daemon/zz_fuzz_badge_ipc_test.go — FuzzHandleSubmitBadgePayload, FuzzHandleEnrollRecoveryPayload (drive the real IPC handlers; fail-closed with nil registry conn), FuzzParseBadgeCredentials (badgeverify Parse/ParseEnrollment/ParseRecovery). No panic.
- cmd/pilotctl/zz_verify_node_binding_test.go — adversarial: a badge bound to NodeID A presented for NodeID B is rejected by VerifyForNode (cross-node replay), and a forged-signature badge for its own node still fails closed (proving binding + crypto are independent gates).
- TestConcurrentRotateKeyAndSign (pkg/daemon, from Fix data race between key rotation and registry signer #308) is covered by both the existing un-short ./pkg/daemon/... race step and the new broad -race -short step.

Validation (GOWORK=off, go1.25.11)
- go build ./cmd/daemon ./cmd/pilotctl ✓ · go vet ./... ✓ · gofmt clean ✓
- go test -race -short -parallel 4 ./pkg/daemon ./pkg/daemon/keyexchange ./cmd/pilotctl ✓
- -no-fail) TempDir: permission denied (and the known TestWriteLoopExitsOnWriteDeadline sun_path failure) are environment artifacts, not regressions — Linux CI is the gate.

Do not merge — for review.
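
The "binding + crypto are independent gates" property from the pilotctl adversarial test, as an added Go example that is not the project's code. `Badge`, `verifyForNode`, the `badge-v1:` signing prefix and the fixed key seeds are hypothetical stand-ins, since the real `VerifyForNode` signature is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Badge is a hypothetical credential: an issuer signature over the NodeID it is bound to.
type Badge struct {
	NodeID uint32
	Sig    []byte
}

var ErrWrongNode, ErrBadSig = errors.New("badge bound to a different node"), errors.New("bad signature")

// signedBytes is the message the issuer signs; the NodeID is inside the signed data.
func signedBytes(nodeID uint32) []byte {
	return binary.BigEndian.AppendUint32([]byte("badge-v1:"), nodeID)
}

// verifyForNode (hypothetical stand-in) applies two independent gates and
// fails closed: nil is returned only when both the binding and the signature hold.
func verifyForNode(pub ed25519.PublicKey, b Badge, presentedFor uint32) error {
	if b.NodeID != presentedFor { // gate 1: node binding
		return ErrWrongNode
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedBytes(b.NodeID), b.Sig) {
		return ErrBadSig // gate 2: issuer signature
	}
	return nil
}

// runCases returns results for: valid, cross-node replay, relabeled NodeID, forged signature.
func runCases() [4]error {
	issuer := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	other := ed25519.NewKeyFromSeed(append(make([]byte, 31), 1))     // constructed non-issuer key
	pub := issuer.Public().(ed25519.PublicKey)
	a := Badge{NodeID: 0xA, Sig: ed25519.Sign(issuer, signedBytes(0xA))}
	relabeled := Badge{NodeID: 0xB, Sig: a.Sig} // NodeID field edited, A's signature reused
	forged := Badge{NodeID: 0xA, Sig: ed25519.Sign(other, signedBytes(0xA))}
	return [4]error{
		verifyForNode(pub, a, 0xA), verifyForNode(pub, a, 0xB),
		verifyForNode(pub, relabeled, 0xB), verifyForNode(pub, forged, 0xA),
	}
}

func main() { fmt.Println(runCases()) }
```

The relabeled case passes the binding gate and is stopped only by the signature gate, which is why the NodeID has to be part of the signed bytes.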