feat: Add CI security and supply-chain scanning (Issue #37)#83
Open
anota-fernandocosta wants to merge 8 commits into
Open
feat: Add CI security and supply-chain scanning (Issue #37)#83anota-fernandocosta wants to merge 8 commits into
anota-fernandocosta wants to merge 8 commits into
Conversation
Contributor
Author
Code Review: Changes Requested
CI YAML structure correct. Fix 1 and 2 then merge. |
This was referenced Jun 19, 2026
35a8f6f to
101a417
Compare
This was referenced Jun 21, 2026
a0e4888 to
b2650ca
Compare
Add a govulncheck job to .github/workflows/ci.yaml that scans Go dependencies for known vulnerabilities using the Go vulncheck tool. The job uses a matrix strategy over [api, client, cli] matching the existing build-and-test pattern. - Uses actions/setup-go@v5 with Go 1.23 - Runs: go run golang.org/x/vuln/cmd/govulncheck@latest ./... - working-directory scoped per module - fail-fast: false so all modules are scanned - govulncheck exits non-zero on findings by default Co-Authored-By: Tamandua <tamandua@tetradactyla.org>
Add a gosec job to .github/workflows/ci.yaml using the same matrix strategy (api, client, cli) as build-and-test and govulncheck. The job installs gosec from github.com/securego/gosec/v2/cmd/gosec@latest and runs with -severity high -quiet, mirroring the Makefile check-sec target but scoped to HIGH severity only. Also add ci_validation_test.go in cli/config/ with tests that verify: - gosec job exists in ci.yaml - Matrix covers [api, client, cli] - Uses actions/setup-go@v5 with Go 1.23 - Runs gosec with -severity high -quiet flags - All existing CI jobs are preserved Co-Authored-By: Tamandua <tamandua@tetradactyla.org>
Add trivy-scan job to CI workflow that scans api.Dockerfile and client.Dockerfile container images for HIGH and CRITICAL CVEs using aquasecurity/trivy-action@master. Matrix strategy over both images. Scanner Dockerfiles excluded to keep CI runtime reasonable. Co-Authored-By: Tamandua <tamandua@tetradactyla.org>
Co-Authored-By: Tamandua <tamandua@tetradactyla.org>
…v0.36.0 - golangci-lint-action v9.x targets Node 24 runtime, resolving the Node 20 deprecation warning from GitHub Actions runners - Pin aquasecurity/trivy-action from mutable @master to v0.36.0 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- actions/checkout@v5 upgraded to Node 24 (from v4's Node 20) - actions/setup-go@v6 upgraded to Node 24 (from v5's Node 20) - Eliminates the "Node 20 is being deprecated" warning across ALL jobs Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The client module requires Go 1.26 (go.mod declares go 1.26.0), and govulncheck@v1.4.0 requires go >= 1.25.0. Running these jobs with Go 1.23 caused the toolchain to auto-switch to go1.25, which then failed to compile go1.26 packages. Go 1.26 is forward-compatible and can compile all three modules (api@1.25, client@1.26, cli@1.23). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
b2650ca to
d170199
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements GitHub issue #37: CI lacks security and supply-chain scanning of the platform itself.
New CI Jobs
Three new security scanning jobs added to .github/workflows/ci.yaml:
govulncheck — Scans Go dependencies for known CVEs via the Go advisory database. Matrix over [api, client, cli]. Fails on any finding.
gosec — Static analysis for Go security issues. Matrix over [api, client, cli]. Fails on HIGH-severity findings only.
trivy-scan — Container image vulnerability scanning. Scans api and client Dockerfiles. Configured to fail on HIGH and CRITICAL CVEs. Scanner Dockerfiles are excluded to keep CI runtime reasonable.
Thresholds
Validation
Existing Jobs Preserved
All 5 original jobs remain unchanged: build-and-test, lint, docker-build, gitleaks-contract, deployment-shell.
Closes #37