Add security CI scanners and trust-loader fuzz evals #22
Merged
Add a security workflow (race-gated test, CodeQL security-extended, gosec SARIF, govulncheck, gitleaks, PR dependency-review) alongside the existing dependabot gomod/actions config. Add adversarial fuzz coverage for the trust decision loader: FuzzLoad asserts Load never panics on malformed/oversized/duplicate input and stays fail-closed, FuzzDecodePin pins the pin-decoder contract, plus deterministic oversized-doc and duplicate-with-pins guards. Drop t.Parallel from TestLoadDuplicateNodeID: it mutates and asserts on shared global state, so concurrent global-mutating tests could race its post-Load assertion.
Codecov Report: All modified and coverable lines are covered by tests.
Drop t.Parallel from the SetForTest-based tests in zz_test.go: each swaps the single global allowlist, so running them concurrently let their post-swap assertions observe another test's state. The original suite failed under -parallel 8 -count=20; it now passes 30x at -race. Run gitleaks as a binary instead of gitleaks-action@v2, which requires a paid license for organization repos. Same git-history scan, no license needed.
Summary

Hardens CI security and adds adversarial/fuzz EVAL coverage to the trust-decision logic. Also fixes a genuine pre-existing test-suite data race uncovered during validation. No production code behavior changes.

New CI gating checks (`.github/workflows/security.yml`)

- `go test -race`: `GOWORK=off go test -race -parallel 4 ./...` as a standalone hard gate
- `govulncheck`
- `gosec`
- `gitleaks`
- `codeql` (`security-extended` query suite)
- `dependency-review` (`fail-on-severity: moderate`)

All actions pinned to official major-version tags. Workflow-level `permissions: contents: read`; only CodeQL/gosec widen to `security-events: write`. `actionlint` clean. All six jobs pass green on this PR. `.github/dependabot.yml` (gomod + github-actions, weekly) already exists on `main`.

Scanner findings + resolutions

- `#nosec`.
- `gitleaks-action@v2` now requires a paid `GITLEAKS_LICENSE` for org repos, so the job runs the gitleaks binary directly — identical scan, no license.
- `GO-2026-5039` (`net/textproto`), `GO-2026-5037` (`crypto/x509`), both fixed in go1.25.11. Resolved by pinning CI to `go-version: '1.25'` (latest patched 1.25.x on runners). No code change, no exclusions.

Adversarial / fuzz evals (`zz_fuzz_test.go`)

Extends the deterministic pin matrix in `zz_pubkey_pin_test.go` (PR #21) without duplicating it:

- `FuzzLoad` — arbitrary bytes into `Load`: never panics; on success the index is fail-closed (no zero/empty entries, no oversized pins) and a pinned node never trusts a random key. Seeds cover valid / malformed / oversized / duplicate / pinned / bad-base64 / short-key / deeply-nested.
- `FuzzDecodePin` — arbitrary strings into the pin decoder: never panics; returns an error or a key of exactly `ed25519.PublicKeySize`; empty → `(nil, nil)`.
- `TestLoad_OversizedDocDoesNotPanic` — 50k-entry doc loads without wedging.
- `TestLoad_DuplicateWithPinsRejected` — duplicate node_id with conflicting pins is rejected; neither pin becomes trusted.

Existing matrix already confirms: pinned+correct ⇒ trusted, pinned+wrong ⇒ not, pinned+empty/short ⇒ not, unpinned ⇒ node_id trust (backward compat), unknown ⇒ not, constant-time compare (`crypto/subtle`).

Pre-existing test-race fix (`zz_test.go`)

The four `SetForTest`-based tests in `zz_test.go` were marked `t.Parallel()` while each swaps the single global allowlist, so concurrent runs observed one another's state. The original suite failed under `-parallel 8 -count=20` (`TestAllReturnsCopy`, `TestZeroNodeIDIgnored`). Dropped `t.Parallel()` from those four to match the (correctly non-parallel) `SetForTest` tests in `zz_pubkey_pin_test.go` / `zz_service_test.go`. Suite now green across 30 consecutive `-race` runs at parallelism 8 and 4.

Validation (`GOWORK=off`)

- `go build ./...` / `go vet ./...` — OK
- `gofmt -l .` — clean
- `go test -race -parallel 8 -count=30` and `-parallel 4 -count=30` — OK
- `FuzzLoad` / `FuzzDecodePin` — ~62k / ~34k execs, no crashers
- `gosec` / `gitleaks` — 0 findings
- `actionlint` — clean
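The `FuzzDecodePin` contract described in the summary (never panic; return an error or a key of exactly `ed25519.PublicKeySize`; an empty pin yields `(nil, nil)`), as an added example that is not code from this PR or its repository. `decodePin` is a hypothetical stand-in for the project's decoder and assumes pins are standard padded base64 of a raw ed25519 public key; `checkPinContract` is the single oracle the fuzz target asserts, so a seed corpus and a fuzz run share one definition of "correct".

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"testing"
)

// decodePin: hypothetical stand-in for the project's pin decoder (std base64 of a raw ed25519 key).
func decodePin(s string) (ed25519.PublicKey, error) {
	if s == "" {
		return nil, nil
	}
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("pin: bad base64: %w", err)
	}
	if len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("pin: want %d bytes, got %d", ed25519.PublicKeySize, len(raw))
	}
	return ed25519.PublicKey(raw), nil
}

// checkPinContract is the shared oracle: "" -> (nil, nil); otherwise an error or exactly PublicKeySize bytes.
func checkPinContract(s string) error {
	key, err := decodePin(s)
	switch {
	case s == "" && (key != nil || err != nil):
		return fmt.Errorf("empty pin must yield (nil, nil)")
	case err != nil && key != nil:
		return fmt.Errorf("error returned together with a key")
	case s != "" && err == nil && len(key) != ed25519.PublicKeySize:
		return fmt.Errorf("accepted a %d-byte key", len(key))
	}
	return nil
}

// FuzzDecodePin seeds the PR's edge classes (empty, bad base64, short, valid) and asserts the oracle over arbitrary input.
func FuzzDecodePin(f *testing.F) {
	zeroKey := base64.StdEncoding.EncodeToString(make([]byte, ed25519.PublicKeySize)) // constructed 32-byte key
	for _, seed := range []string{"", "not base64!", "AAAA", zeroKey} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, s string) {
		if err := checkPinContract(s); err != nil {
			t.Fatalf("%q: %v", s, err) // a panic inside decodePin is also reported as a crasher
		}
	})
}
```

Run `go test -fuzz=FuzzDecodePin -fuzztime=30s` to mutate beyond the seeds; any contract violation or panic is saved to `testdata/fuzz/` as a regression case.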