Jeremy
9527333b78
Merge branch 'development' into renovate/actions-attest-sbom-3.x
2026-01-02 22:24:23 -05:00
Jeremy
d25712aad1
Merge pull request #464 from Wikid82/renovate/anchore-sbom-action-0.x
chore(deps): update anchore/sbom-action action to v0.21.0
2026-01-02 22:23:43 -05:00
Jeremy
16911038dc
Merge pull request #463 from Wikid82/renovate/actions-attest-sbom-2.x
chore(deps): update actions/attest-sbom action to v2.4.0
2026-01-02 22:23:30 -05:00
renovate[bot]
b328c3d3a5
chore(deps): update actions/attest-sbom action to v3
2026-01-03 03:18:50 +00:00
renovate[bot]
871447d7b7
chore(deps): update anchore/sbom-action action to v0.21.0
2026-01-03 03:18:46 +00:00
renovate[bot]
b856170f70
chore(deps): update actions/attest-sbom action to v2.4.0
2026-01-03 03:18:41 +00:00
renovate[bot]
02d84ad83c
chore(deps): update renovatebot/github-action action to v44.2.2
2026-01-03 03:18:36 +00:00
GitHub Actions
a1ff78a92f
fix: add CodeQL configuration to exclude documented SSRF false positives and update workflow to use new config
2026-01-01 03:36:06 +00:00
GitHub Actions
f46d19b3c0
fix(security): enhance SSRF defense-in-depth with monitoring (CWE-918)
- Add CodeQL custom model recognizing ValidateExternalURL as sanitizer
- Enhance validation: hostname length (RFC 1035), IPv6-mapped IPv4 blocking
- Integrate Prometheus metrics (charon_ssrf_blocks_total, charon_url_validation_total)
- Add security audit logging with sanitized error messages
- Fix test race conditions with atomic types
- Update SECURITY.md with 5-layer defense documentation
Related to: #450
Coverage: Backend 86.3%, Frontend 87.27%
Security scans: CodeQL, Trivy, govulncheck all clean
2025-12-31 21:17:08 +00:00
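The validation the commit above lists (hostname length per RFC 1035, blocking of IPv6-mapped IPv4 targets, checking the addresses a name resolves to) as an added Go example. This is not the project's code: validateExternalURL, blockedIP, lookupOffline and the fakeDNS table are hypothetical names and constructed data chosen so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// maxHostnameLen is the RFC 1035 limit on a fully-qualified domain name.
const maxHostnameLen = 253

// ErrBlocked is returned for any URL the SSRF policy refuses.
var ErrBlocked = errors.New("url blocked by ssrf policy")

// blockedIP reports whether ip must never be fetched. It normalises an
// IPv6-mapped IPv4 address (::ffff:a.b.c.d) to its 4-byte form first, so
// "::ffff:127.0.0.1" is judged as 127.0.0.1 instead of slipping past
// IPv4-only checks.
func blockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// validateExternalURL accepts only http(s) URLs whose host is a public
// address. resolve is injected so DNS can be faked in tests; every address
// a name resolves to is checked, not just the first.
func validateExternalURL(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets already stripped
	if host == "" || len(host) > maxHostnameLen {
		return nil, fmt.Errorf("%w: hostname length %d", ErrBlocked, len(host))
	}
	if ip := net.ParseIP(host); ip != nil {
		if blockedIP(ip) {
			return nil, fmt.Errorf("%w: literal address %s", ErrBlocked, ip)
		}
		return u, nil
	}
	for _, label := range strings.Split(strings.TrimSuffix(host, "."), ".") {
		if label == "" || len(label) > 63 { // RFC 1035 label limit
			return nil, fmt.Errorf("%w: bad label in %q", ErrBlocked, host)
		}
	}
	ips, err := resolve(host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %s has no addresses", ErrBlocked, host)
	}
	for _, ip := range ips {
		if blockedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrBlocked, host, ip)
		}
	}
	return u, nil
}

// fakeDNS is constructed sample data (hypothetical names and addresses)
// so the example runs without network access.
var fakeDNS = map[string][]net.IP{
	"example.com":       {net.ParseIP("93.184.216.34")},
	"metadata.internal": {net.ParseIP("169.254.169.254")},
	"db.corp":           {net.ParseIP("10.0.0.5")},
}

// lookupOffline stands in for net.LookupIP in this example.
func lookupOffline(host string) ([]net.IP, error) {
	ips, ok := fakeDNS[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{
		"https://example.com/webhook",
		"http://[::ffff:127.0.0.1]/admin",
		"http://db.corp/",
	} {
		_, err := validateExternalURL(raw, lookupOffline)
		fmt.Printf("%-35s -> %v\n", raw, err)
	}
}
```

Two caveats a reviewer would raise against any resolve-then-fetch check like this one: the address is vetted at validation time but the HTTP client resolves again when it connects, so a DNS rebinding target can pass the check and then point at an internal host (pin the vetted IP in the dialer, or validate inside the dialer's connect hook), and redirects are a second chance for the same trick unless each hop is re-validated.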
GitHub Actions
0133d64866
chore: add cache-dependency-path for Go setup in CodeQL workflow
2025-12-24 17:41:22 +00:00
GitHub Actions
70bd60dbce
chore: Implement CodeQL CI Alignment and Security Scanning
- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings.
- Created CodeQL security scanning guide in documentation, outlining usage and common issues.
- Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits.
- Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations.
- Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
2025-12-24 14:35:33 +00:00
Jeremy
08868becca
Merge pull request #449 from Wikid82/feature/issue-365-additional-security
Feature/issue 365 additional security
2025-12-23 02:03:12 -05:00
Jeremy
606acb1922
Merge branch 'development' into feature/issue-365-additional-security
2025-12-23 01:06:32 -05:00
renovate[bot]
c18c85b995
chore(deps): update renovatebot/github-action action to v44.2.1
2025-12-23 05:56:17 +00:00
Jeremy
5cd578bcb9
Merge branch 'development' into feature/issue-365-additional-security
2025-12-21 23:06:36 -05:00
renovate[bot]
8311d68ddd
chore(deps): update docker/setup-buildx-action action to v3.12.0 (#443)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-22 04:04:01 +00:00
GitHub Actions
9e599ce06f
feat: allow workflow to trigger on feature branches
2025-12-21 19:54:59 +00:00
GitHub Actions
2dfe7ee241
feat: add additional security enhancements (Issue #365)
- Add constant-time token comparison utility (crypto/subtle)
- Add SBOM generation and attestation to CI/CD pipeline
- Document TLS enforcement, DNS security (DoH/DoT), and container hardening
- Create Security Incident Response Plan (SIRP)
- Add security update notification documentation
Security enhancements:
- Mitigates timing attacks on invite token validation
- Provides supply chain transparency with CycloneDX SBOM
- Documents production container hardening (read_only, cap_drop)
Closes #365
2025-12-21 19:00:29 +00:00
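The constant-time comparison the commit above describes, as an added Go example rather than the project's own code. InsecureTokenEqual shows the short-circuiting comparison that a timing attack exploits, TokenEqual the crypto/subtle replacement, and InviteStore a hypothetical store that keeps only token digests; the function names and sample tokens are constructed for the example, and the commit does not say whether the project stores tokens hashed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// InsecureTokenEqual is the pattern a constant-time utility replaces.
// Go's == on strings stops at the first differing byte, so the response
// time reveals how many leading bytes of the token a caller guessed right.
func InsecureTokenEqual(presented, expected string) bool {
	return presented == expected
}

// TokenEqual compares two tokens in constant time. subtle.ConstantTimeCompare
// returns 0 immediately when the lengths differ, which would leak the token
// length, so both sides are hashed first to a fixed 32-byte digest.
func TokenEqual(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// InviteStore is a hypothetical store that records only SHA-256 digests of
// issued invite tokens, so a database dump does not yield redeemable invites.
type InviteStore struct {
	digests [][32]byte
}

// Issue records the digest of a newly generated token.
func (s *InviteStore) Issue(token string) {
	s.digests = append(s.digests, sha256.Sum256([]byte(token)))
}

// Redeem reports whether presented matches an issued token. Every digest is
// compared and the results are OR-ed, so the work done does not depend on
// which entry (if any) matched.
func (s *InviteStore) Redeem(presented string) bool {
	d := sha256.Sum256([]byte(presented))
	found := 0
	for i := range s.digests {
		found |= subtle.ConstantTimeCompare(d[:], s.digests[i][:])
	}
	return found == 1
}

func main() {
	store := &InviteStore{}
	store.Issue("inv-7c1e2f") // constructed sample tokens
	store.Issue("inv-a94b03")
	fmt.Println("valid token redeemed:", store.Redeem("inv-a94b03"))
	fmt.Println("wrong token redeemed:", store.Redeem("inv-a94b04"))
	fmt.Println("constant-time equal:", TokenEqual("inv-7c1e2f", "inv-7c1e2f"))
}
```

Hashing before comparing is what makes the length check irrelevant; without it, a caller can learn the token length from the early return and then attack the bytes. Scanning every stored digest is fine for an invite table of modest size; for large tables a map keyed by the full digest is also acceptable, since learning that two 32-byte digests are equal tells an attacker nothing they could not learn from a successful redemption.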
GitHub Actions
f640524baa
chore: remove docker-publish workflow file
2025-12-21 15:11:25 +00:00
GitHub Actions
af8384046c
chore: implement instruction compliance remediation
- Replace Go interface{} with any (Go 1.18+ standard)
- Add database indexes to frequently queried model fields
- Add JSDoc documentation to frontend API client methods
- Remove deprecated docker-compose version keys
- Add concurrency groups to all 25 GitHub Actions workflows
- Add YAML front matter and fix H1→H2 headings in docs
Coverage: Backend 85.5%, Frontend 87.73%
Security: No vulnerabilities detected
Refs: docs/plans/instruction_compliance_spec.md
2025-12-21 04:08:42 +00:00
GitHub Actions
fd9d09b341
fix: add timeouts to Docker container run and CrowdSec hub update for improved reliability
2025-12-19 18:55:48 +00:00
GitHub Actions
193ba124c7
fix: correct extraction of expr-lang version from caddy_deps.txt
2025-12-18 00:17:12 +00:00
GitHub Actions
ed7dc3f904
fix: update regex for expr-lang version check to ensure accurate vulnerability assessment
2025-12-18 00:05:31 +00:00
GitHub Actions
761d59c7e9
fix: add timeout to Caddy version verification step to prevent hangs
2025-12-17 23:58:40 +00:00
GitHub Actions
bc23eb3800
fix: add timeout to integration tests to prevent CI hangs
- Add timeout-minutes: 5 to docker-build.yml integration test step
- Add set -o pipefail to integration-test.sh
- Add 4-minute timeout wrapper (INTEGRATION_TEST_TIMEOUT env var)
Resolves hang after Caddy TLS cleanup in GitHub Actions run #20319807650
2025-12-17 23:41:27 +00:00
GitHub Actions
76895a9674
fix: load Docker image for PR events to resolve CI failure
2025-12-17 22:52:56 +00:00
GitHub Actions
6d18854e92
fix: use PR number instead of ref_name for Docker image tags
GitHub's github.ref_name returns "421/merge" for PR merge refs,
creating invalid Docker tags like "pr-421/merge". Docker tags
cannot contain forward slashes.
Changed to use github.event.pull_request.number which returns
just the PR number (e.g., "421") for valid tags like "pr-421".
Fixes CI/CD failure in PR #421.
2025-12-17 20:00:44 +00:00
GitHub Actions
942901fb9a
fix: remove Caddy version check that hangs build (CVE-2025-68156)
2025-12-17 18:37:20 +00:00
Jeremy
3a3dccbb5a
Merge branch 'development' into renovate/github-codeql-action-4.x
2025-12-17 09:31:09 -05:00
renovate[bot]
793315336a
chore(deps): update github/codeql-action action to v4.31.9
2025-12-17 14:25:51 +00:00
renovate[bot]
711ed07df7
chore(deps): update github/codeql-action digest to 5d4e8d1
2025-12-17 14:25:45 +00:00
renovate[bot]
7f3cdb8011
chore(deps): update renovatebot/github-action action to v44.2.0
2025-12-16 15:17:40 +00:00
Jeremy
5376f28a64
Merge branch 'development' into renovate/node-24.x
2025-12-14 02:32:44 -05:00
Jeremy
2b36bd41fb
Merge branch 'development' into renovate/node-22.x
2025-12-14 02:32:10 -05:00
Jeremy
d0c6061544
Merge branch 'development' into renovate/major-6-github-artifact-actions
2025-12-14 02:31:43 -05:00
renovate[bot]
df59d98289
chore(deps): update dependency node to v24
2025-12-14 07:31:33 +00:00
renovate[bot]
d63a08d6a2
chore(deps): update dependency node to v22
2025-12-14 07:31:30 +00:00
Jeremy
f1bd20ea9b
Merge branch 'development' into renovate/major-5-github-artifact-actions
2025-12-14 02:31:02 -05:00
Jeremy
33fa5e7f94
Merge branch 'development' into renovate/node-20.x
2025-12-14 02:03:17 -05:00
renovate[bot]
85fd287b34
chore(deps): update actions/upload-artifact action to v6
2025-12-14 07:01:59 +00:00
renovate[bot]
c19c4d4ff0
chore(deps): update actions/upload-artifact action to v5
2025-12-14 07:01:56 +00:00
Jeremy
8f6ebf6107
Merge branch 'development' into renovate/go-1.x
2025-12-14 02:01:51 -05:00
renovate[bot]
7c4b0002b5
chore(deps): update dependency node to v20.19.6
2025-12-14 06:43:40 +00:00
renovate[bot]
0600f9da2a
chore(deps): update dependency go to v1.25.5
2025-12-14 06:43:33 +00:00
renovate[bot]
e66404c817
chore(deps): pin actions/upload-artifact action to ea165f8
2025-12-14 06:43:09 +00:00
GitHub Actions
18868a47fc
fix: add pull:true to docker-publish for fresh base images
The docker-publish.yml workflow was missing pull:true, causing it
to use cached Alpine images with vulnerable c-ares 1.34.5-r0.
This completes the fix across all three Docker workflows:
- docker-build.yml ✓
- docker-publish.yml ✓ (this commit)
- security-weekly-rebuild.yml ✓
Resolves CVE-2025-62408 (c-ares)
2025-12-14 06:28:47 +00:00
GitHub Actions
cb5bd01a93
fix: add pull:true to docker-build to ensure fresh base images
Ensures all Docker builds pull fresh Alpine base images to get
security patches like c-ares 1.34.6-r0 (CVE-2025-62408).
This mirrors the change made to security-weekly-rebuild.yml.
2025-12-14 06:18:42 +00:00
GitHub Actions
72ebde31ce
fix: add pull:true to security rebuild to fetch fresh base images
Without pull:true, the weekly security rebuild may use stale base
images cached on GitHub runners, missing security patches like
c-ares 1.34.6-r0 (CVE-2025-62408).
2025-12-14 05:21:15 +00:00
GitHub Actions
7c79bf066a
fix: update security package check to include apk update for accurate version info
2025-12-14 05:12:01 +00:00
GitHub Actions
394ada14f3
fix: update Docker run command to remove entrypoint for security package checks
2025-12-14 04:36:39 +00:00