From bd515ce3e2711206e56646f06ff38d18e168b278 Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Sun, 8 Jun 2025 00:48:19 -0400 Subject: [PATCH 1/3] feat: Add supply chain security improvements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Pin all GitHub Actions to specific commit SHAs for immutability - Add cargo-audit job to CI pipeline for vulnerability scanning - Create SECURITY.md with vulnerability reporting guidelines - Add Dependabot configuration for automated dependency updates - Weekly updates for both Cargo and GitHub Actions - Grouped patch and minor updates for Cargo dependencies - Update job dependencies to run security checks before integration tests This improves the project's security posture by: 1. Preventing action hijacking through SHA pinning 2. Catching known vulnerabilities early with cargo-audit 3. Providing clear security reporting channels 4. Automating dependency updates to reduce security debt 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .github/dependabot.yml | 46 +++++++++++++++++++++ .github/workflows/ci.yml | 46 ++++++++++++++------- SECURITY.md | 86 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 164 insertions(+), 14 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 SECURITY.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a7e29c2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,46 @@ +version: 2 +updates: + # Enable version updates for Rust dependencies + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + open-pull-requests-limit: 10 + reviewers: + - "imjasonh" + labels: + - "dependencies" + - "rust" + commit-message: + prefix: "chore" + include: "scope" + groups: + patch-updates: + patterns: + - "*" + update-types: + - "patch" + minor-updates: + patterns: + - "*" + update-types: + - "minor" + + # Enable version updates for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + open-pull-requests-limit: 5 + reviewers: + - "imjasonh" + labels: + - "dependencies" + - "github-actions" + commit-message: + prefix: "chore" + include: "scope" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4ee80a..60e5dfa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,9 +19,9 @@ jobs: os: [ubuntu-latest, ubuntu-24.04-arm] rust: [stable, beta] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@master + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master with: toolchain: ${{ matrix.rust }} targets: x86_64-unknown-linux-musl,aarch64-unknown-linux-musl @@ -30,17 +30,17 @@ jobs: sudo apt-get update sudo apt-get install -y musl-tools gcc-aarch64-linux-gnu gcc-x86-64-linux-gnu - name: Cache cargo registry - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: ~/.cargo/registry key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} - name: Cache cargo index - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: ~/.cargo/git key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }} - name: Cache cargo build - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: target key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }} @@ -81,9 +81,9 @@ jobs: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: components: rustfmt - name: Check formatting @@ -93,27 +93,43 @@ jobs: name: Clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: components: clippy - name: Run clippy run: cargo clippy -- -D warnings + security-audit: + name: Security Audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Install Rust + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable + with: + toolchain: stable + - name: Install cargo-audit + run: cargo install cargo-audit + - name: Run security audit + run: cargo audit + integration: name: Integration Test runs-on: ubuntu-latest + needs: [test, fmt, clippy, security-audit] # Only run after other tests pass services: registry: image: registry:2 ports: - 5000:5000 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: + toolchain: stable targets: x86_64-unknown-linux-musl,aarch64-unknown-linux-musl - name: Install musl tools run: | @@ -130,7 +146,7 @@ jobs: linker = "aarch64-linux-gnu-gcc" EOF - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - name: Build krust run: cargo build --release - name: Add krust to PATH @@ -169,11 +185,13 @@ jobs: extended-platforms: name: Extended Platform Support runs-on: ubuntu-latest + needs: [test, fmt, clippy, security-audit] # Only run after basic tests pass steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: + toolchain: stable targets: x86_64-unknown-linux-musl,i686-unknown-linux-musl,aarch64-unknown-linux-musl,armv7-unknown-linux-musleabihf - name: Install cross-compilation tools run: | diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..6689017 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,86 @@ +# Security Policy + +## Supported Versions + +Currently, we provide security updates for the following versions: + +| Version | Supported | +| ------- | ------------------ | +| 0.1.x | :white_check_mark: | + +## Reporting a Vulnerability + +We take the security of krust seriously. If you have discovered a security vulnerability in this project, please report it to us as described below. + +### Reporting Process + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them via email to the project maintainers. You can find maintainer contact information in the project's Git history or by checking recent commits. + +When reporting a vulnerability, please include: + +- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue, including how an attacker might exploit the issue + +### Response Timeline + +We will acknowledge receipt of your vulnerability report within 48 hours and will send a more detailed response within 96 hours indicating the next steps in handling your report. After the initial reply to your report, we will keep you informed of the progress towards a fix and full announcement. + +### Disclosure Policy + +- We will work with you to understand and verify the issue +- We will prepare a fix and release it as soon as possible +- We will credit you for the discovery (unless you prefer to remain anonymous) + +## Security Best Practices + +When using krust, we recommend following these security best practices: + +### Container Image Security + +1. **Base Image Selection**: Always use trusted, minimal base images (default: `cgr.dev/chainguard/static`) +2. **Image Scanning**: Regularly scan built images for vulnerabilities +3. **Image Signing**: Consider signing your images for verification +4. **Registry Security**: Use secure, authenticated registries for production images + +### Build Security + +1. **Dependency Auditing**: We use `cargo audit` in CI to check for known vulnerabilities +2. **Static Binaries**: krust builds static binaries by default, reducing runtime dependencies +3. **Minimal Attack Surface**: Built images contain only the application binary, no shell or package manager + +### Supply Chain Security + +1. **Dependency Management**: Keep dependencies up to date using Dependabot +2. **Build Provenance**: Consider recording build metadata for traceability +3. **SBOM Generation**: Software Bill of Materials can be generated for compliance +4. **Reproducible Builds**: Using pinned dependencies and deterministic builds when possible + +## Security Features + +krust includes several security-focused features: + +- **Static Linking**: Builds fully static binaries using musl libc +- **Minimal Images**: Uses distroless base images with no shell or package manager +- **OCI Compliance**: Follows OCI standards for container images +- **Anonymous Registry Access**: No credentials stored or transmitted by default +- **Isolated Builds**: Each build uses a unique temporary directory + +## Dependency Security + +We maintain the security of our dependencies through: + +- Automated security updates via Dependabot +- Regular `cargo audit` checks in CI +- Minimal dependency footprint +- Careful review of new dependencies + +## Contact + +For any security-related questions that don't need to be kept confidential, feel free to open an issue in the GitHub repository. From 577c4152fefd8b3472148711ad7e20b55401597c Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Sun, 8 Jun 2025 00:53:34 -0400 Subject: [PATCH 2/3] fix: Add missing toolchain parameter to fmt and clippy jobs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dtolnay/rust-toolchain action requires an explicit toolchain parameter when pinned to a specific SHA. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60e5dfa..2a5e4a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -85,6 +85,7 @@ jobs: - name: Install Rust uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: + toolchain: stable components: rustfmt - name: Check formatting run: cargo fmt -- --check @@ -97,6 +98,7 @@ jobs: - name: Install Rust uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with: + toolchain: stable components: clippy - name: Run clippy run: cargo clippy -- -D warnings From da019379304728c0c147623436560f0aaf1c8d82 Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Sun, 8 Jun 2025 00:55:52 -0400 Subject: [PATCH 3/3] drop security.md Signed-off-by: Jason Hall --- SECURITY.md | 86 ----------------------------------------------------- 1 file changed, 86 deletions(-) delete mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 6689017..0000000 --- a/SECURITY.md +++ /dev/null @@ -1,86 +0,0 @@ -# Security Policy - -## Supported Versions - -Currently, we provide security updates for the following versions: - -| Version | Supported | -| ------- | ------------------ | -| 0.1.x | :white_check_mark: | - -## Reporting a Vulnerability - -We take the security of krust seriously. If you have discovered a security vulnerability in this project, please report it to us as described below. - -### Reporting Process - -**Please do not report security vulnerabilities through public GitHub issues.** - -Instead, please report them via email to the project maintainers. You can find maintainer contact information in the project's Git history or by checking recent commits. - -When reporting a vulnerability, please include: - -- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) -- Full paths of source file(s) related to the manifestation of the issue -- The location of the affected source code (tag/branch/commit or direct URL) -- Any special configuration required to reproduce the issue -- Step-by-step instructions to reproduce the issue -- Proof-of-concept or exploit code (if possible) -- Impact of the issue, including how an attacker might exploit the issue - -### Response Timeline - -We will acknowledge receipt of your vulnerability report within 48 hours and will send a more detailed response within 96 hours indicating the next steps in handling your report. After the initial reply to your report, we will keep you informed of the progress towards a fix and full announcement. - -### Disclosure Policy - -- We will work with you to understand and verify the issue -- We will prepare a fix and release it as soon as possible -- We will credit you for the discovery (unless you prefer to remain anonymous) - -## Security Best Practices - -When using krust, we recommend following these security best practices: - -### Container Image Security - -1. **Base Image Selection**: Always use trusted, minimal base images (default: `cgr.dev/chainguard/static`) -2. **Image Scanning**: Regularly scan built images for vulnerabilities -3. **Image Signing**: Consider signing your images for verification -4. **Registry Security**: Use secure, authenticated registries for production images - -### Build Security - -1. **Dependency Auditing**: We use `cargo audit` in CI to check for known vulnerabilities -2. **Static Binaries**: krust builds static binaries by default, reducing runtime dependencies -3. **Minimal Attack Surface**: Built images contain only the application binary, no shell or package manager - -### Supply Chain Security - -1. **Dependency Management**: Keep dependencies up to date using Dependabot -2. **Build Provenance**: Consider recording build metadata for traceability -3. **SBOM Generation**: Software Bill of Materials can be generated for compliance -4. **Reproducible Builds**: Using pinned dependencies and deterministic builds when possible - -## Security Features - -krust includes several security-focused features: - -- **Static Linking**: Builds fully static binaries using musl libc -- **Minimal Images**: Uses distroless base images with no shell or package manager -- **OCI Compliance**: Follows OCI standards for container images -- **Anonymous Registry Access**: No credentials stored or transmitted by default -- **Isolated Builds**: Each build uses a unique temporary directory - -## Dependency Security - -We maintain the security of our dependencies through: - -- Automated security updates via Dependabot -- Regular `cargo audit` checks in CI -- Minimal dependency footprint -- Careful review of new dependencies - -## Contact - -For any security-related questions that don't need to be kept confidential, feel free to open an issue in the GitHub repository.