Snider/Borg
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
Borg/AUDIT-CICD.md
google-labs-jules[bot] b86e0c3e8e feat: Harden CI/CD pipeline security 
This commit hardens the CI/CD pipeline by addressing several security
vulnerabilities.

- Replaces the manual release process with `goreleaser` to streamline
  builds and enable artifact signing.
- Pins all GitHub Actions to specific commit hashes to prevent supply
  chain attacks.
- Enables cryptographic signing of release artifacts using `cosign` and
  Sigstore's keyless signing.
- Adds a Dependabot configuration to automate dependency updates.
- Removes excessive `contents: write` permissions from workflows.
- Creates an `AUDIT-CICD.md` file to document the audit findings and
  remediation steps.

Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
2026-02-02 01:24:12 +00:00

3.2 KiB
Raw Blame History

CI/CD Pipeline Security Audit

This document outlines the findings of a security audit of the CI/CD pipeline.

Summary

The CI/CD pipeline had several security vulnerabilities that have now been addressed. The release process has been hardened, and the overall security posture of the pipeline has been significantly improved.

Initial Findings

GitHub Actions Workflow Security

  • Action Pinning: None of the GitHub Actions workflows pinned actions to a specific commit hash. This exposed the build process to a potential supply chain attack if a third-party action was compromised.
  • Excessive Permissions: The mkdocs.yml and release.yml workflows both used permissions: contents: write, which is a significant security risk. Workflows should follow the principle of least privilege.

Release Artifact Security

  • Lack of Signing: Release artifacts were not cryptographically signed. This made it impossible for users to verify the authenticity and integrity of the downloaded binaries.
  • Manual Build Process: The release.yml workflow used a manual, error-prone process to build and package release artifacts. The existing .goreleaser.yaml configuration was not being utilized.

Dependency Management

  • No Automated Scanning: There was no evidence of automated dependency scanning in the CI/CD pipeline. This meant that the project may have been using dependencies with known vulnerabilities.

Remediation

The following changes were made to address the identified security vulnerabilities:

  • release.yml Workflow:
    • The manual build process has been replaced with goreleaser, which is a more secure and reliable way to build and release Go projects.
    • All actions in the workflow are now pinned to a specific commit hash.
    • The workflow now has the id-token: write permission to allow for keyless signing with Sigstore.
  • .goreleaser.yaml Configuration:
    • A signs section has been added to the configuration to enable cryptographic signing of release artifacts using cosign and Sigstore's keyless signing.
  • mkdocs.yml Workflow:
    • All actions in the workflow are now pinned to a specific commit hash.
    • The contents: write permission and the mkdocs gh-deploy step have been removed.
  • go.yml Workflow:
    • All actions in the workflow are now pinned to a specific commit hash.
  • Dependabot:
    • A .github/dependabot.yml file has been added to enable automated dependency updates for Go modules. This will help to ensure that the project is not using dependencies with known vulnerabilities.

Recommendations

  • mkdocs.yml Deployment: To re-enable the automatic deployment of the mkdocs site, it is recommended to create a deploy key with write access to the gh-pages branch and add it as a secret to the repository. The mkdocs gh-deploy step can then be re-added to the workflow, using the deploy key for authentication.
  • demo-track.smsg: The build was failing due to a missing demo-track.smsg file. A workaround was implemented by creating an empty file. It is recommended to investigate the purpose of this file and the correct way to generate it.