akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
1,607 Commits 11 Branches 107 Tags
3b68d5e5f895753544ed356c5b439ba8982a8d20
Commit Graph

385 Commits

Author SHA1 Message Date
GitHub Actions 93ff3cb16a fix: CI/CD workflow improvements 
- Mark current specification as complete and ready for the next task.
- Document completed work on CI/CD workflow fixes, including implementation summary and QA report links.
- Archive previous planning documents related to GitHub security warnings.
- Revise QA report to reflect the successful validation of CI workflow documentation updates, with zero high/critical issues found.
- Add new QA report for Grype SBOM remediation implementation, detailing security scans, validation results, and recommendations.
 2026-01-11 04:00:30 +00:00
GitHub Actions 6c99372c52 fix(ci): add workflow orchestration for supply chain verification 
Resolves issue where supply-chain-verify.yml ran before docker-build.yml
completed, causing verification to skip on PRs because Docker image
didn't exist yet.

**Root Cause:**
Both workflows triggered independently on PR events with no dependency,
running concurrently instead of sequentially.

**Solution:**
Add workflow_run trigger to supply-chain-verify that waits for
docker-build to complete successfully before running.

**Changes:**
- Remove pull_request trigger from supply-chain-verify.yml
- Add workflow_run trigger for "Docker Build, Publish & Test"
- Add job conditional checking workflow_run.conclusion == 'success'
- Update tag determination to handle workflow_run context
- Extract PR number from workflow_run metadata
- Update PR comment logic for workflow_run events
- Add debug logging for workflow_run context
- Document workflow_run depth limitation

**Behavior:**
- PRs: docker-build → supply-chain-verify (sequential)
- Push to main: docker-build → supply-chain-verify (sequential)
- Failed builds: verification skipped (correct behavior)
- Manual triggers: preserved via workflow_dispatch
- Scheduled runs: preserved for weekly scans

**Security:**
- Workflow security validated: LOW risk
- workflow_run runs in default branch context (prevents privilege escalation)
- No secret exposure in logs or comments
- Proper input sanitization for workflow metadata
- YAML validation passed
- Pre-commit hooks passed

**Testing:**
- YAML syntax validated
- All references verified correct
- Regression testing completed (no breaking changes)
- Debug instrumentation added for validation

**Documentation:**
- Implementation summary created
- QA report with security audit
- Plan archived for reference
- Testing guidelines provided

Related: #461 (PR where issue was discovered)
Resolves: Supply chain verification skipping on PRs

Co-authored-by: GitHub Copilot <copilot@github.com>
 2026-01-11 00:59:10 +00:00
GitHub Actions e95590a727 fix: Update security remediation plan and QA report for Grype SBOM implementation 
- Removed outdated security remediation plan for DoD failures, indicating no active specifications.
- Documented recent completion of Grype SBOM remediation, including implementation summary and QA report.
- Updated QA report to reflect successful validation of security scans with zero HIGH/CRITICAL findings.
- Deleted the previous QA report file as its contents are now integrated into the current report.
 2026-01-10 05:40:56 +00:00
GitHub Actions 8bcfe28709 docs: comprehensive supply chain security QA audit report 
Complete security audit covering:
- CodeQL analysis (0 Critical/High issues)
- Trivy vulnerability scanning (clean)
- Shellcheck linting (2 issues fixed)
- Supply chain skill testing
- GitHub Actions workflow validation
- Regression testing

All critical checks PASSED. Ready for deployment.
 2026-01-10 03:33:38 +00:00
renovate[bot] f2828e6b4d chore(deps): update renovatebot/github-action action to v44.2.3 2026-01-07 20:39:45 +00:00
Jeremy 9527333b78 Merge branch 'development' into renovate/actions-attest-sbom-3.x 2026-01-02 22:24:23 -05:00
Jeremy d25712aad1 Merge pull request #464 from Wikid82/renovate/anchore-sbom-action-0.x 
chore(deps): update anchore/sbom-action action to v0.21.0
 2026-01-02 22:23:43 -05:00
Jeremy 16911038dc Merge pull request #463 from Wikid82/renovate/actions-attest-sbom-2.x 
chore(deps): update actions/attest-sbom action to v2.4.0
 2026-01-02 22:23:30 -05:00
renovate[bot] b328c3d3a5 chore(deps): update actions/attest-sbom action to v3 2026-01-03 03:18:50 +00:00
renovate[bot] 871447d7b7 chore(deps): update anchore/sbom-action action to v0.21.0 2026-01-03 03:18:46 +00:00
renovate[bot] b856170f70 chore(deps): update actions/attest-sbom action to v2.4.0 2026-01-03 03:18:41 +00:00
renovate[bot] 02d84ad83c chore(deps): update renovatebot/github-action action to v44.2.2 2026-01-03 03:18:36 +00:00
GitHub Actions a1ff78a92f fix: add CodeQL configuration to exclude documented SSRF false positives and update workflow to use new config 2026-01-01 03:36:06 +00:00
GitHub Actions f46d19b3c0 fix(security): enhance SSRF defense-in-depth with monitoring (CWE-918) 
- Add CodeQL custom model recognizing ValidateExternalURL as sanitizer
- Enhance validation: hostname length (RFC 1035), IPv6-mapped IPv4 blocking
- Integrate Prometheus metrics (charon_ssrf_blocks_total, charon_url_validation_total)
- Add security audit logging with sanitized error messages
- Fix test race conditions with atomic types
- Update SECURITY.md with 5-layer defense documentation

Related to: #450
Coverage: Backend 86.3%, Frontend 87.27%
Security scans: CodeQL, Trivy, govulncheck all clean
 2025-12-31 21:17:08 +00:00
GitHub Actions 0133d64866 chore: add cache-dependency-path for Go setup in CodeQL workflow 2025-12-24 17:41:22 +00:00
GitHub Actions 70bd60dbce chore: Implement CodeQL CI Alignment and Security Scanning 
- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings.
- Created CodeQL security scanning guide in documentation, outlining usage and common issues.
- Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits.
- Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations.
- Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
 2025-12-24 14:35:33 +00:00
Jeremy 08868becca Merge pull request #449 from Wikid82/feature/issue-365-additional-security 
Feature/issue 365 additional security
 2025-12-23 02:03:12 -05:00
Jeremy 606acb1922 Merge branch 'development' into feature/issue-365-additional-security 2025-12-23 01:06:32 -05:00
renovate[bot] c18c85b995 chore(deps): update renovatebot/github-action action to v44.2.1 2025-12-23 05:56:17 +00:00
Jeremy 5cd578bcb9 Merge branch 'development' into feature/issue-365-additional-security 2025-12-21 23:06:36 -05:00
renovate[bot] 8311d68ddd chore(deps): update docker/setup-buildx-action action to v3.12.0 (#443) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-12-22 04:04:01 +00:00
GitHub Actions 9e599ce06f feat: allow workflow to trigger on feature branches 2025-12-21 19:54:59 +00:00
GitHub Actions 2dfe7ee241 feat: add additional security enhancements (Issue #365) 
- Add constant-time token comparison utility (crypto/subtle)
- Add SBOM generation and attestation to CI/CD pipeline
- Document TLS enforcement, DNS security (DoH/DoT), and container hardening
- Create Security Incident Response Plan (SIRP)
- Add security update notification documentation

Security enhancements:
- Mitigates timing attacks on invite token validation
- Provides supply chain transparency with CycloneDX SBOM
- Documents production container hardening (read_only, cap_drop)

Closes #365
 2025-12-21 19:00:29 +00:00
GitHub Actions f640524baa chore: remove docker-publish workflow file 2025-12-21 15:11:25 +00:00
GitHub Actions af8384046c chore: implement instruction compliance remediation 
- Replace Go interface{} with any (Go 1.18+ standard)
- Add database indexes to frequently queried model fields
- Add JSDoc documentation to frontend API client methods
- Remove deprecated docker-compose version keys
- Add concurrency groups to all 25 GitHub Actions workflows
- Add YAML front matter and fix H1→H2 headings in docs

Coverage: Backend 85.5%, Frontend 87.73%
Security: No vulnerabilities detected

Refs: docs/plans/instruction_compliance_spec.md
 2025-12-21 04:08:42 +00:00
GitHub Actions fd9d09b341 fix: add timeouts to Docker container run and CrowdSec hub update for improved reliability 2025-12-19 18:55:48 +00:00
GitHub Actions 193ba124c7 fix: correct extraction of expr-lang version from caddy_deps.txt 2025-12-18 00:17:12 +00:00
GitHub Actions ed7dc3f904 fix: update regex for expr-lang version check to ensure accurate vulnerability assessment 2025-12-18 00:05:31 +00:00
GitHub Actions 761d59c7e9 fix: add timeout to Caddy version verification step to prevent hangs 2025-12-17 23:58:40 +00:00
GitHub Actions bc23eb3800 fix: add timeout to integration tests to prevent CI hangs 
- Add timeout-minutes: 5 to docker-build.yml integration test step
- Add set -o pipefail to integration-test.sh
- Add 4-minute timeout wrapper (INTEGRATION_TEST_TIMEOUT env var)

Resolves hang after Caddy TLS cleanup in GitHub Actions run #20319807650
 2025-12-17 23:41:27 +00:00
GitHub Actions 76895a9674 fix: load Docker image for PR events to resolve CI failure 2025-12-17 22:52:56 +00:00
GitHub Actions 6d18854e92 fix: use PR number instead of ref_name for Docker image tags 
GitHub's github.ref_name returns "421/merge" for PR merge refs,
creating invalid Docker tags like "pr-421/merge". Docker tags
cannot contain forward slashes.

Changed to use github.event.pull_request.number which returns
just the PR number (e.g., "421") for valid tags like "pr-421".

Fixes CI/CD failure in PR #421.
 2025-12-17 20:00:44 +00:00
GitHub Actions 942901fb9a fix: remove Caddy version check that hangs build (CVE-2025-68156) 2025-12-17 18:37:20 +00:00
Jeremy 3a3dccbb5a Merge branch 'development' into renovate/github-codeql-action-4.x 2025-12-17 09:31:09 -05:00
renovate[bot] 793315336a chore(deps): update github/codeql-action action to v4.31.9 2025-12-17 14:25:51 +00:00
renovate[bot] 711ed07df7 chore(deps): update github/codeql-action digest to 5d4e8d1 2025-12-17 14:25:45 +00:00
renovate[bot] 7f3cdb8011 chore(deps): update renovatebot/github-action action to v44.2.0 2025-12-16 15:17:40 +00:00
Jeremy 5376f28a64 Merge branch 'development' into renovate/node-24.x 2025-12-14 02:32:44 -05:00
Jeremy 2b36bd41fb Merge branch 'development' into renovate/node-22.x 2025-12-14 02:32:10 -05:00
Jeremy d0c6061544 Merge branch 'development' into renovate/major-6-github-artifact-actions 2025-12-14 02:31:43 -05:00
renovate[bot] df59d98289 chore(deps): update dependency node to v24 2025-12-14 07:31:33 +00:00
renovate[bot] d63a08d6a2 chore(deps): update dependency node to v22 2025-12-14 07:31:30 +00:00
Jeremy f1bd20ea9b Merge branch 'development' into renovate/major-5-github-artifact-actions 2025-12-14 02:31:02 -05:00
Jeremy 33fa5e7f94 Merge branch 'development' into renovate/node-20.x 2025-12-14 02:03:17 -05:00
renovate[bot] 85fd287b34 chore(deps): update actions/upload-artifact action to v6 2025-12-14 07:01:59 +00:00
renovate[bot] c19c4d4ff0 chore(deps): update actions/upload-artifact action to v5 2025-12-14 07:01:56 +00:00
Jeremy 8f6ebf6107 Merge branch 'development' into renovate/go-1.x 2025-12-14 02:01:51 -05:00
renovate[bot] 7c4b0002b5 chore(deps): update dependency node to v20.19.6 2025-12-14 06:43:40 +00:00
renovate[bot] 0600f9da2a chore(deps): update dependency go to v1.25.5 2025-12-14 06:43:33 +00:00
renovate[bot] e66404c817 chore(deps): pin actions/upload-artifact action to ea165f8 2025-12-14 06:43:09 +00:00