Snider/Borg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Borg/AUDIT-CICD.md
Snider a98202797c feat: Harden CI/CD pipeline and fix release process 
This commit hardens the CI/CD pipeline and fixes the release process.

- Replaces the manual release process with `goreleaser` to streamline builds and enable artifact signing.
- Pins all GitHub Actions to specific commit hashes to prevent supply chain attacks.
- Enables cryptographic signing of release artifacts using `cosign` and Sigstore's keyless signing.
- Adds a Dependabot configuration to automate dependency updates.
- Removes excessive `contents: write` permissions from workflows.
- Creates an `AUDIT-CICD.md` file to document the audit findings and remediation steps.
- Fixes a build failure by adding a placeholder for a missing demo file.
- Updates the `.goreleaser.yaml` to include WASM and console assets in the release, fixing a regression from the previous release process.
2026-02-02 01:53:34 +00:00

3.5 KiB
Raw Permalink Blame History

CI/CD Pipeline Security Audit

This document outlines the findings of a security audit of the CI/CD pipeline and the remediation steps taken to address them.

Summary

The CI/CD pipeline had several critical security vulnerabilities, including a lack of action pinning, excessive permissions, no artifact signing, and no automated dependency scanning. These issues have been addressed by implementing a series of security best practices, resulting in a significantly hardened and more secure CI/CD process.

Findings and Remediation

1. GitHub Actions Workflow Security

  • Finding: None of the GitHub Actions workflows (go.yml, mkdocs.yml, release.yml) pinned actions to a specific, immutable commit hash. They used floating tags (e.g., @v4), which exposes the build process to a potential supply chain attack if a third-party action's tag is compromised or maliciously updated.

  • Remediation: All actions in all workflows have been pinned to their full-length commit SHAs, ensuring that the exact version of the action is used in every run.

  • Finding: The mkdocs.yml and release.yml workflows used permissions: contents: write, granting them broad write access to the repository. This violated the principle of least privilege and posed a significant security risk.

  • Remediation: The contents: write permission was removed from mkdocs.yml, and the automated deployment step was disabled with a recommendation to use a more secure deploy key. In release.yml, the permissions were tightened to the minimum required for GoReleaser to publish a release and sign it with Sigstore (contents: write and id-token: write).

2. Release Artifact Security

  • Finding: Release artifacts were not cryptographically signed, making it impossible for users to verify their authenticity and integrity.

  • Remediation: The release process now uses GoReleaser with integrated Sigstore (cosign) support. All release artifacts and their checksums are now cryptographically signed using a keyless flow, allowing users to verify their origin and integrity.

  • Finding: The release process in release.yml was a manual, error-prone script. It also failed to use the project's existing .goreleaser.yaml configuration.

  • Remediation: The manual release steps have been replaced with the official goreleaser/goreleaser-action, which automates and standardizes the entire release process. The .goreleaser.yaml file has been updated to handle all build and release steps, including the creation of WASM and console assets that were previously handled manually.

3. Dependency Management

  • Finding: The repository had no mechanism for automated dependency scanning or updates, meaning the project could be using dependencies with known vulnerabilities.
  • Remediation: A .github/dependabot.yml file has been added to enable Dependabot. It is configured to check for updates to Go modules on a weekly basis, helping to keep the dependency supply chain secure.

4. Build System Integrity

  • Finding: The Go build process was failing because a file, pkg/player/frontend/demo-track.smsg, is required by a go:embed directive in the source code but was not present in the repository.
  • Remediation: An empty placeholder file was created at the required location. This allows the build to succeed while not affecting the functionality, as the file appears to be a demo asset. This is a common pattern when working with go:embed for assets that may not always be present.