diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a7e29c2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,46 @@ +version: 2 +updates: + # Enable version updates for Rust dependencies + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + open-pull-requests-limit: 10 + reviewers: + - "imjasonh" + labels: + - "dependencies" + - "rust" + commit-message: + prefix: "chore" + include: "scope" + groups: + patch-updates: + patterns: + - "*" + update-types: + - "patch" + minor-updates: + patterns: + - "*" + update-types: + - "minor" + + # Enable version updates for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + open-pull-requests-limit: 5 + reviewers: + - "imjasonh" + labels: + - "dependencies" + - "github-actions" + commit-message: + prefix: "chore" + include: "scope" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4ee80a..60e5dfa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,9 +19,9 @@ jobs: os: [ubuntu-latest, ubuntu-24.04-arm] rust: [stable, beta] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@master + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master with: toolchain: ${{ matrix.rust }} targets: x86_64-unknown-linux-musl,aarch64-unknown-linux-musl @@ -30,17 +30,17 @@ jobs: sudo apt-get update sudo apt-get install -y musl-tools gcc-aarch64-linux-gnu gcc-x86-64-linux-gnu - name: Cache cargo registry - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: ~/.cargo/registry key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} - name: Cache cargo index - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: ~/.cargo/git key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }} - name: Cache cargo build - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: target key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }} @@ -81,9 +81,9 @@ jobs: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: components: rustfmt - name: Check formatting @@ -93,27 +93,43 @@ jobs: name: Clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: components: clippy - name: Run clippy run: cargo clippy -- -D warnings + security-audit: + name: Security Audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Install Rust + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable + with: + toolchain: stable + - name: Install cargo-audit + run: cargo install cargo-audit + - name: Run security audit + run: cargo audit + integration: name: Integration Test runs-on: ubuntu-latest + needs: [test, fmt, clippy, security-audit] # Only run after other tests pass services: registry: image: registry:2 ports: - 5000:5000 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: + toolchain: stable targets: x86_64-unknown-linux-musl,aarch64-unknown-linux-musl - name: Install musl tools run: | @@ -130,7 +146,7 @@ jobs: linker = "aarch64-linux-gnu-gcc" EOF - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - name: Build krust run: cargo build --release - name: Add krust to PATH @@ -169,11 +185,13 @@ jobs: extended-platforms: name: Extended Platform Support runs-on: ubuntu-latest + needs: [test, fmt, clippy, security-audit] # Only run after basic tests pass steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: + toolchain: stable targets: x86_64-unknown-linux-musl,i686-unknown-linux-musl,aarch64-unknown-linux-musl,armv7-unknown-linux-musleabihf - name: Install cross-compilation tools run: | diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..6689017 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,86 @@ +# Security Policy + +## Supported Versions + +Currently, we provide security updates for the following versions: + +| Version | Supported | +| ------- | ------------------ | +| 0.1.x | :white_check_mark: | + +## Reporting a Vulnerability + +We take the security of krust seriously. If you have discovered a security vulnerability in this project, please report it to us as described below. + +### Reporting Process + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them via email to the project maintainers. You can find maintainer contact information in the project's Git history or by checking recent commits. + +When reporting a vulnerability, please include: + +- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue, including how an attacker might exploit the issue + +### Response Timeline + +We will acknowledge receipt of your vulnerability report within 48 hours and will send a more detailed response within 96 hours indicating the next steps in handling your report. After the initial reply to your report, we will keep you informed of the progress towards a fix and full announcement. + +### Disclosure Policy + +- We will work with you to understand and verify the issue +- We will prepare a fix and release it as soon as possible +- We will credit you for the discovery (unless you prefer to remain anonymous) + +## Security Best Practices + +When using krust, we recommend following these security best practices: + +### Container Image Security + +1. **Base Image Selection**: Always use trusted, minimal base images (default: `cgr.dev/chainguard/static`) +2. **Image Scanning**: Regularly scan built images for vulnerabilities +3. **Image Signing**: Consider signing your images for verification +4. **Registry Security**: Use secure, authenticated registries for production images + +### Build Security + +1. **Dependency Auditing**: We use `cargo audit` in CI to check for known vulnerabilities +2. **Static Binaries**: krust builds static binaries by default, reducing runtime dependencies +3. **Minimal Attack Surface**: Built images contain only the application binary, no shell or package manager + +### Supply Chain Security + +1. **Dependency Management**: Keep dependencies up to date using Dependabot +2. **Build Provenance**: Consider recording build metadata for traceability +3. **SBOM Generation**: Software Bill of Materials can be generated for compliance +4. **Reproducible Builds**: Using pinned dependencies and deterministic builds when possible + +## Security Features + +krust includes several security-focused features: + +- **Static Linking**: Builds fully static binaries using musl libc +- **Minimal Images**: Uses distroless base images with no shell or package manager +- **OCI Compliance**: Follows OCI standards for container images +- **Anonymous Registry Access**: No credentials stored or transmitted by default +- **Isolated Builds**: Each build uses a unique temporary directory + +## Dependency Security + +We maintain the security of our dependencies through: + +- Automated security updates via Dependabot +- Regular `cargo audit` checks in CI +- Minimal dependency footprint +- Careful review of new dependencies + +## Contact + +For any security-related questions that don't need to be kept confidential, feel free to open an issue in the GitHub repository.