akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 8 Packages Projects Releases Wiki Activity
1,676 Commits 11 Branches 107 Tags
63d4cfae39a34f5fccebf7ad78417e23838b940b
Commit Graph

421 Commits

Author SHA1 Message Date
Jeremy 63d4cfae39 Merge pull request #504 from Wikid82/renovate/feature/beta-release-actions-github-script-8.x 
chore(deps): update actions/github-script action to v8 (feature/beta-release)
 2026-01-12 01:08:51 -05:00
Jeremy d1c5f2ad32 Merge pull request #503 from Wikid82/renovate/feature/beta-release-major-7-github-artifact-actions 
chore(deps): update actions/download-artifact action to v7 (feature/beta-release)
 2026-01-12 01:08:33 -05:00
Jeremy f9e1a59640 Merge branch 'feature/beta-release' into renovate/feature/beta-release-actions-checkout-6.x 2026-01-12 01:08:04 -05:00
renovate[bot] ee5a19810b chore(deps): update actions/checkout action to v6 2026-01-12 06:07:25 +00:00
Jeremy e25aa6270e Merge pull request #500 from Wikid82/renovate/feature/beta-release-actions-upload-artifact-4.x 
chore(deps): update actions/upload-artifact action to v4.6.2 (feature/beta-release)
 2026-01-12 01:06:38 -05:00
Jeremy 25b010c241 Merge branch 'feature/beta-release' into renovate/feature/beta-release-pin-dependencies 2026-01-12 01:06:15 -05:00
Jeremy 0334c547f1 Merge pull request #499 from Wikid82/renovate/feature/beta-release-renovatebot-github-action-44.x 
chore(deps): update renovatebot/github-action action to v44.2.4 (feature/beta-release)
 2026-01-12 01:05:26 -05:00
renovate[bot] 0759ddeab6 chore(deps): update actions/github-script action to v8 2026-01-12 06:00:39 +00:00
renovate[bot] 5b25018c4d chore(deps): update actions/download-artifact action to v7 2026-01-12 06:00:34 +00:00
renovate[bot] 9d8730f41f chore(deps): update actions/checkout action to v5 2026-01-12 06:00:24 +00:00
renovate[bot] d9e5e8001e chore(deps): update actions/upload-artifact action to v4.6.2 2026-01-12 06:00:18 +00:00
renovate[bot] c40932c430 chore(deps): update renovatebot/github-action action to v44.2.4 2026-01-12 06:00:13 +00:00
renovate[bot] fb99022879 chore(deps): pin dependencies 2026-01-12 06:00:09 +00:00
Jeremy 9302226777 Merge pull request #496 from Wikid82/renovate/feature/beta-release-anchore-sbom-action-0.x 
chore(deps): update anchore/sbom-action action to v0.21.1 (feature/beta-release)
 2026-01-12 00:56:03 -05:00
Jeremy 9c4db471a9 Merge pull request #493 from Wikid82/renovate/feature/beta-release-actions-setup-node-6.x 
chore(deps): update actions/setup-node action to v6 (feature/beta-release)
 2026-01-12 00:55:36 -05:00
Jeremy 7f7e4c6ff7 Merge pull request #489 from Wikid82/renovate/feature/beta-release-actions-github-script-7.x 
chore(deps): update actions/github-script action to v7.1.0 (feature/beta-release)
 2026-01-12 00:54:27 -05:00
Jeremy 451055f02c Merge pull request #488 from Wikid82/renovate/feature/beta-release-actions-download-artifact-4.x 
chore(deps): update actions/download-artifact action to v4.3.0 (feature/beta-release)
 2026-01-12 00:54:11 -05:00
Jeremy b71082145b Merge pull request #487 from Wikid82/renovate/feature/beta-release-actions-checkout-4.x 
chore(deps): update actions/checkout action to v4.3.1 (feature/beta-release)
 2026-01-12 00:53:50 -05:00
Jeremy 05904a14d9 Merge branch 'feature/beta-release' into renovate/feature/beta-release-actions-checkout-4.x 2026-01-12 00:52:05 -05:00
Jeremy ae3417a986 Merge branch 'feature/beta-release' into renovate/feature/beta-release-peter-evans-create-or-update-comment-5.x 2026-01-12 00:51:02 -05:00
Jeremy 9836288e91 Merge branch 'main' into feature/beta-release 2026-01-12 00:34:06 -05:00
GitHub Actions 3fb870f109 fix: improve Docker image handling in CI workflow with exact tag extraction and validation 2026-01-12 05:33:29 +00:00
Jeremy 22a23da6e9 Add nightly branch to propagate changes workflow 2026-01-12 00:19:19 -05:00
renovate[bot] e86124f556 chore(deps): update anchore/sbom-action action to v0.21.1 2026-01-12 05:05:57 +00:00
renovate[bot] bcdc472b0a chore(deps): update actions/setup-node action to v6 2026-01-12 05:04:50 +00:00
renovate[bot] 69d527682a chore(deps): update actions/github-script action to v7.1.0 2026-01-12 05:04:02 +00:00
renovate[bot] fcd40909e9 chore(deps): update actions/download-artifact action to v4.3.0 2026-01-12 05:03:57 +00:00
renovate[bot] b1fd466e20 chore(deps): update actions/checkout action to v4.3.1 2026-01-12 05:03:51 +00:00
renovate[bot] b44ff56283 chore(deps): update peter-evans/create-or-update-comment action to v5 2026-01-12 05:02:31 +00:00
GitHub Actions d8cc4da730 fix: Implement no-cache Docker builds to eliminate false positive vulnerabilities from cached layers 2026-01-11 20:39:57 +00:00
GitHub Actions 622f5a48e4 fix: Enhance supply chain security with updated PR comments, remediation plan, scan analysis, and detailed vulnerability reporting 
- Implemented a new workflow for supply chain security that updates PR comments with current scan results, replacing stale data.
- Created a remediation plan addressing high-severity vulnerabilities in CrowdSec binaries, including action items and timelines.
- Developed a discrepancy analysis document to investigate differences between local and CI vulnerability scans, identifying root causes and remediation steps.
- Enhanced vulnerability reporting in PR comments to include detailed findings, collapsible sections for readability, and artifact uploads for compliance tracking.
 2026-01-11 20:13:15 +00:00
GitHub Actions e06eb4177b fix; CVE-2025-68156 remediation 
- Changed report title to reflect security audit focus
- Updated date and status to indicate approval for commit
- Enhanced executive summary with detailed validation results
- Included comprehensive test coverage results for backend and frontend
- Documented pre-commit hooks validation and known issues
- Added detailed security scan results, confirming absence of CVE-2025-68156
- Verified binary inspection for expr-lang dependency
- Provided risk assessment and recommendations for post-merge actions
- Updated compliance matrix and final assessment sections
- Improved overall report structure and clarity
 2026-01-11 19:33:25 +00:00
GitHub Actions db7490d763 feat: Enhance supply chain verification by excluding PR builds and add Docker image artifact handling 2026-01-11 07:17:12 +00:00
GitHub Actions a895bde4e9 feat: Integrate Staticcheck Pre-Commit Hook and Update QA Report 
- Updated current specification to reflect the integration of Staticcheck into pre-commit hooks.
- Added problem statement, success criteria, and implementation plan for Staticcheck integration.
- Enhanced QA validation report to confirm successful implementation of Staticcheck pre-commit blocking.
- Created new Playwright configuration and example test cases for frontend testing.
- Updated package.json and package-lock.json to include Playwright and related dependencies.
- Archived previous QA report for CI workflow documentation updates.
 2026-01-11 05:33:01 +00:00
GitHub Actions 5674280c65 fix: Refactor token references in workflows and documentation 
- Updated references from `CPMP_TOKEN` to `CHARON_TOKEN` in beta release draft PR body, beta release PR body, and GitHub setup documentation.
- Enhanced clarity in documentation regarding the use of `GITHUB_TOKEN` and fallback options.
- Removed outdated sections from the archived plan for the Docs-to-Issues workflow fix, streamlining the document.
- Initiated integration of Staticcheck into pre-commit hooks to improve code quality, including updates to Makefile, VS Code tasks, and documentation.
 2026-01-11 04:27:26 +00:00
GitHub Actions 2fa77b1838 fix: remove [skip ci] from commit message to allow CI checks on PRs 2026-01-11 04:15:13 +00:00
GitHub Actions 93ff3cb16a fix: CI/CD workflow improvements 
- Mark current specification as complete and ready for the next task.
- Document completed work on CI/CD workflow fixes, including implementation summary and QA report links.
- Archive previous planning documents related to GitHub security warnings.
- Revise QA report to reflect the successful validation of CI workflow documentation updates, with zero high/critical issues found.
- Add new QA report for Grype SBOM remediation implementation, detailing security scans, validation results, and recommendations.
 2026-01-11 04:00:30 +00:00
GitHub Actions 6c99372c52 fix(ci): add workflow orchestration for supply chain verification 
Resolves issue where supply-chain-verify.yml ran before docker-build.yml
completed, causing verification to skip on PRs because Docker image
didn't exist yet.

**Root Cause:**
Both workflows triggered independently on PR events with no dependency,
running concurrently instead of sequentially.

**Solution:**
Add workflow_run trigger to supply-chain-verify that waits for
docker-build to complete successfully before running.

**Changes:**
- Remove pull_request trigger from supply-chain-verify.yml
- Add workflow_run trigger for "Docker Build, Publish & Test"
- Add job conditional checking workflow_run.conclusion == 'success'
- Update tag determination to handle workflow_run context
- Extract PR number from workflow_run metadata
- Update PR comment logic for workflow_run events
- Add debug logging for workflow_run context
- Document workflow_run depth limitation

**Behavior:**
- PRs: docker-build → supply-chain-verify (sequential)
- Push to main: docker-build → supply-chain-verify (sequential)
- Failed builds: verification skipped (correct behavior)
- Manual triggers: preserved via workflow_dispatch
- Scheduled runs: preserved for weekly scans

**Security:**
- Workflow security validated: LOW risk
- workflow_run runs in default branch context (prevents privilege escalation)
- No secret exposure in logs or comments
- Proper input sanitization for workflow metadata
- YAML validation passed
- Pre-commit hooks passed

**Testing:**
- YAML syntax validated
- All references verified correct
- Regression testing completed (no breaking changes)
- Debug instrumentation added for validation

**Documentation:**
- Implementation summary created
- QA report with security audit
- Plan archived for reference
- Testing guidelines provided

Related: #461 (PR where issue was discovered)
Resolves: Supply chain verification skipping on PRs

Co-authored-by: GitHub Copilot <copilot@github.com>
 2026-01-11 00:59:10 +00:00
GitHub Actions e95590a727 fix: Update security remediation plan and QA report for Grype SBOM implementation 
- Removed outdated security remediation plan for DoD failures, indicating no active specifications.
- Documented recent completion of Grype SBOM remediation, including implementation summary and QA report.
- Updated QA report to reflect successful validation of security scans with zero HIGH/CRITICAL findings.
- Deleted the previous QA report file as its contents are now integrated into the current report.
 2026-01-10 05:40:56 +00:00
GitHub Actions 8bcfe28709 docs: comprehensive supply chain security QA audit report 
Complete security audit covering:
- CodeQL analysis (0 Critical/High issues)
- Trivy vulnerability scanning (clean)
- Shellcheck linting (2 issues fixed)
- Supply chain skill testing
- GitHub Actions workflow validation
- Regression testing

All critical checks PASSED. Ready for deployment.
 2026-01-10 03:33:38 +00:00
renovate[bot] f2828e6b4d chore(deps): update renovatebot/github-action action to v44.2.3 2026-01-07 20:39:45 +00:00
Jeremy 9527333b78 Merge branch 'development' into renovate/actions-attest-sbom-3.x 2026-01-02 22:24:23 -05:00
Jeremy d25712aad1 Merge pull request #464 from Wikid82/renovate/anchore-sbom-action-0.x 
chore(deps): update anchore/sbom-action action to v0.21.0
 2026-01-02 22:23:43 -05:00
Jeremy 16911038dc Merge pull request #463 from Wikid82/renovate/actions-attest-sbom-2.x 
chore(deps): update actions/attest-sbom action to v2.4.0
 2026-01-02 22:23:30 -05:00
renovate[bot] b328c3d3a5 chore(deps): update actions/attest-sbom action to v3 2026-01-03 03:18:50 +00:00
renovate[bot] 871447d7b7 chore(deps): update anchore/sbom-action action to v0.21.0 2026-01-03 03:18:46 +00:00
renovate[bot] b856170f70 chore(deps): update actions/attest-sbom action to v2.4.0 2026-01-03 03:18:41 +00:00
renovate[bot] 02d84ad83c chore(deps): update renovatebot/github-action action to v44.2.2 2026-01-03 03:18:36 +00:00
GitHub Actions a1ff78a92f fix: add CodeQL configuration to exclude documented SSRF false positives and update workflow to use new config 2026-01-01 03:36:06 +00:00
GitHub Actions f46d19b3c0 fix(security): enhance SSRF defense-in-depth with monitoring (CWE-918) 
- Add CodeQL custom model recognizing ValidateExternalURL as sanitizer
- Enhance validation: hostname length (RFC 1035), IPv6-mapped IPv4 blocking
- Integrate Prometheus metrics (charon_ssrf_blocks_total, charon_url_validation_total)
- Add security audit logging with sanitized error messages
- Fix test race conditions with atomic types
- Update SECURITY.md with 5-layer defense documentation

Related to: #450
Coverage: Backend 86.3%, Frontend 87.27%
Security scans: CodeQL, Trivy, govulncheck all clean
 2025-12-31 21:17:08 +00:00