Charon/.grype.yaml
GitHub Actions 261676f65d fix Add Quality Assurance & Security Audit Report for Nightly Workflow Implementation
- Created a comprehensive QA report detailing the audit of three GitHub Actions workflows: propagate-changes.yml, nightly-build.yml, and supply-chain-verify.yml.
- Included sections on pre-commit hooks, YAML syntax validation, security audit findings, logic review, best practices compliance, and specific workflow analysis.
- Highlighted strengths, minor improvements, and recommendations for enhancing security and operational efficiency.
- Documented compliance with SLSA Level 2 and OWASP security best practices.
- Generated report date: 2026-01-13, with a next review scheduled after Phase 3 implementation or 90 days from deployment.
2026-01-16 03:30:53 +00:00


```yaml
# Grype vulnerability suppression configuration
# Automatically loaded by Grype for vulnerability scanning
# Review and update when upstream fixes are available
# Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
ignore:
  # CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
  # Severity: CRITICAL
  # Package: zlib 1.3.1-r2 (Alpine Linux base image)
  # Status: No upstream fix available as of 2026-01-16
  #
  # Vulnerability Details:
  # - Global buffer overflow in TGZfname() function
  # - Unbounded strcpy() allows attacker-controlled archive names
  # - Can lead to memory corruption, DoS, potential RCE
  #
  # Risk Assessment: ACCEPTED (Low exploitability in Charon context)
  # - Charon does not use the untgz utility directly
  # - No untrusted tar archive processing in application code
  # - Attack surface limited to OS-level utilities
  # - Multiple layers of containerization and isolation
  #
  # Mitigation:
  # - Monitor the Alpine Linux security feed daily for zlib patches
  # - Container runs with minimal privileges (no-new-privileges)
  # - Read-only filesystem where possible
  # - Network isolation via Docker networks
  #
  # Review:
  # - Daily checks for Alpine security updates
  # - Automatic re-scan via CI/CD on every commit
  # - Manual review scheduled for 2026-01-23 (7 days)
  #
  # Removal Criteria:
  # - Alpine releases zlib 1.3.1-r3 or higher with the CVE fix
  # - OR the upstream zlib project releases a patched version
  # - Remove this suppression immediately after a fix is available
  #
  # References:
  # - CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-22184
  # - Alpine Security: https://security.alpinelinux.org/
  # - GitHub Issue: https://github.com/Wikid82/Charon/issues/TBD
  - vulnerability: CVE-2026-22184
    package:
      name: zlib
      version: "1.3.1-r2"
      type: apk # Alpine package
    reason: |
      CRITICAL buffer overflow in untgz utility. No fix available from Alpine
      as of 2026-01-16. Risk accepted: Charon does not directly use untgz or
      process untrusted tar archives. Attack surface limited to base OS utilities.
      Monitoring Alpine security feed for upstream patch.
    # Note: `expiry` is a review date tracked by this project; Grype itself
    # does not act on it, so the date must be enforced by CI or by hand.
    expiry: "2026-01-23" # Re-evaluate in 7 days
    # Action items when this suppression expires:
    # 1. Check Alpine security feed: https://security.alpinelinux.org/
    # 2. Check zlib releases: https://github.com/madler/zlib/releases
    # 3. If fix available: Update Dockerfile, rebuild, remove suppression
    # 4. If no fix: Extend expiry by 7 days, document justification
    # 5. If extended 3+ times: Escalate to security team for review

# Path exclusions (globs skipped during scanning); same as the --exclude flag.
# This is a top-level key, not part of the `match:` section.
# Use sparingly - prefer specific CVE suppressions above.
# Exclude test fixtures and example code from vulnerability scanning.
exclude:
  - "**/test/**"
  - "**/tests/**"
  - "**/testdata/**"
  - "**/examples/**"
  - "**/*_test.go"

# Severity threshold: exit non-zero when a HIGH or CRITICAL finding is present.
# Medium/Low findings are still reported but do not fail the scan.
# Can be overridden via CLI flags (--fail-on).
fail-on-severity: high

# Check for a newer Grype release on startup. The vulnerability database is
# updated separately and automatically; run `grype db update` to force it.
check-for-app-update: true
```
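The action items above describe a review cadence that Grype does not enforce on its own, since `expiry` is a project convention rather than a Grype option. As an added example (not Charon's or Grype's code), this Python check parses the `ignore:` block of a `.grype.yaml`, reports suppressions that are past their expiry or have none, and is meant to fail the CI job when any are found; the sample config, the `CVE-0000-*` ids and the `parse_suppressions`/`overdue` names are constructed for the example.

```python
"""CI gate for .grype.yaml suppression expiry (hypothetical example, not Charon's
or Grype's code). Grype ignores the `expiry` key; this enforces the review date."""
import re

# Constructed sample: the page's zlib rule, a still-valid rule, one with no expiry.
SAMPLE_CONFIG = """\
ignore:
  - vulnerability: CVE-2026-22184
    package:
      name: zlib
      type: apk
    reason: |
      CRITICAL buffer overflow in untgz utility. Risk accepted.
    expiry: "2026-01-23"  # Re-evaluate in 7 days
  - vulnerability: CVE-0000-00000  # constructed placeholder id
    package:
      name: example-pkg
    expiry: "2026-03-01"
  - vulnerability: CVE-0000-00001  # constructed placeholder, no expiry
exclude:
  - "**/test/**"
"""

_RULE = re.compile(r"^\s*-\s*vulnerability:\s*(\S+)")
_EXPIRY = re.compile(r'^\s+expiry:\s*"?(\d{4}-\d{2}-\d{2})"?')
_TOP_KEY = re.compile(r"^(\w[\w-]*):")  # an unindented key starts a new section


def parse_suppressions(text):
    """Return [(vulnerability, expiry_iso_or_None)] from the ignore: block only."""
    rules, in_ignore = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (values hold no '#')
        if not line:
            continue
        if top := _TOP_KEY.match(line):
            in_ignore = top.group(1) == "ignore"
        elif not in_ignore:
            continue
        elif m := _RULE.match(line):
            rules.append([m.group(1), None])  # new rule, expiry unknown so far
        elif (m := _EXPIRY.match(line)) and rules:
            rules[-1][1] = m.group(1)  # expiry belongs to the most recent rule
    return [tuple(r) for r in rules]


def overdue(text, today):
    """Ids past their expiry (ISO dates compare correctly as strings) or lacking one."""
    return [v for v, e in parse_suppressions(text) if e is None or e <= today]
```

Wire it into CI as `python check_suppressions.py .grype.yaml` and exit non-zero when `overdue(...)` is non-empty; a suppression with no `expiry` is flagged on purpose so every accepted risk carries a review date.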