From 0e794e2aaecf81da0c94c7531f686f32255d5fc7 Mon Sep 17 00:00:00 2001 From: Yutaka Hosoai Date: Tue, 24 Mar 2026 10:22:26 -0700 Subject: [PATCH 1/2] security enhancement --- .github/CODEOWNERS | 5 ++++ .github/dependabot.yml | 11 ++++++++ .github/workflows/release-binaries.yml | 8 ++++-- .github/workflows/release.yml | 38 +++++++++++++------------- .github/workflows/security-audit.yml | 23 ++++++++++++++++ .gitignore | 7 +++++ src/scan.rs | 15 ++++++---- src/utils/api.rs | 2 +- 8 files changed, 81 insertions(+), 28 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/security-audit.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..84ea9ac --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +# Require review for CI/CD and security-sensitive files +.github/ @Corgea/engineering +Cargo.toml @Corgea/engineering +Cargo.lock @Corgea/engineering +pyproject.toml @Corgea/engineering diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a1cd7d2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 0654da2..6e5d1a4 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -2,6 +2,8 @@ name: Native Binary Release on: push: + tags: + - '*' workflow_dispatch: inputs: tag: @@ -40,7 +42,7 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ inputs.tag || github.ref }} 
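Review bot: The new CODEOWNERS file only blocks a merge if the repository's branch protection or ruleset has "Require review from Code Owners" turned on and `@Corgea/engineering` has write access to the repository; neither setting is visible in this patch, so both should be confirmed, otherwise these entries are advisory. Extending the existing header comment would make that dependency explicit for the next maintainer, e.g. `# Enforced only when branch protection requires review from code owners`.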
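Review bot: The dependabot config covers `github-actions` and `cargo` but nothing for the Python packaging side, even though CODEOWNERS in this same patch lists `pyproject.toml` and release.yml builds wheels. If `pyproject.toml` declares any dependencies, a third entry `- package-ecosystem: "pip"` with the same `directory: "/"` and weekly schedule would keep them updated too; if it declares none, this can be ignored.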
@@ -72,7 +74,7 @@ jobs: - name: Upload to GitHub Release (tags) if: startsWith(github.ref, 'refs/tags/') || inputs.tag != '' - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 with: tag_name: ${{ inputs.tag || github.ref_name }} files: "corgea-${{ matrix.target }}.zip" @@ -81,7 +83,7 @@ jobs: - name: Upload as Artifact (branches) if: ${{ !startsWith(github.ref, 'refs/tags/') && inputs.tag == '' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: binaries-${{ matrix.target }} path: "corgea-${{ matrix.target }}.zip" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c4d8c03..5b75f9a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,7 @@ on: permissions: contents: read + id-token: write jobs: linux-x86: @@ -30,9 +31,9 @@ jobs: target: x86 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Build wheels - uses: PyO3/maturin-action@v1 + uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1 with: target: ${{ matrix.platform.target }} args: --release --out dist @@ -46,7 +47,7 @@ jobs: apt update -y && apt-get install -y libssl-dev openssl pkg-config musl-tools fi - name: Upload wheels - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: wheels-linux-${{ matrix.platform.target }} path: dist 
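Review bot: In the release.yml @@ -17 hunk, `id-token: write` is added to the workflow-level `permissions:` block, so every job (linux-x86, windows, macos, sdist) is able to request an OIDC token even though only the PyPI publish job needs it for trusted publishing. Keep `contents: read` at the top level and move the grant to a job-level `permissions:` block with `id-token: write` and `contents: read` on the job that carries `environment: pypi` (the @@ -115 hunk further down). That keeps the build jobs, which run several third-party actions, from being able to mint identity tokens.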
@@ -61,14 +62,14 @@ jobs:
 - runner: windows-latest
 target: x86
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Build wheels
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
 with:
 target: ${{ matrix.platform.target }}
 args: --release --out dist
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-windows-${{ matrix.platform.target }}
 path: dist
@@ -83,14 +84,14 @@ jobs:
 - runner: macos-14
 target: aarch64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Build wheels
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
 with:
 target: ${{ matrix.platform.target }}
 args: --release --out dist
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-macos-${{ matrix.platform.target }}
 path: dist
@@ -98,14 +99,14 @@ jobs:
 sdist:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Build sdist
- uses: PyO3/maturin-action@v1
+ uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1
 with:
 command: sdist
 args: --out dist
 - name: Upload sdist
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: wheels-sdist
 path: dist
@@ -115,12 +116,11 @@ jobs:
 runs-on: ubuntu-latest
 if: "startsWith(github.ref, 'refs/tags/')"
 needs: [linux-x86, windows, macos, sdist]
+ environment: pypi
 steps:
- - uses: actions/download-artifact@v4
- - name: Publish to PyPI
- uses: PyO3/maturin-action@v1
- env:
- MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
- command: upload
- args: --non-interactive --skip-existing wheels-*/*
+ path: dist
+ merge-multiple: true
+ - name: Publish to PyPI
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
new file mode 100644
index 0000000..2a1846c
--- /dev/null
+++ b/.github/workflows/security-audit.yml
@@ -0,0 +1,23 @@
+name: Security Audit
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - master
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ cargo-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Install cargo-audit
+ run: cargo install cargo-audit
+ - name: Run cargo audit
+ run: cargo audit
diff --git a/.gitignore b/.gitignore
index 4afdf4d..56def93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,10 @@
 *.zip
 node_modules/
 /packages/*/vendor/
+
+.env*
+*.pem
+*.key
+scan.json
+test.json
+src/test_data.swift
diff --git a/src/scan.rs b/src/scan.rs
index 6c72a8a..53a42f7 100644
--- a/src/scan.rs
+++ b/src/scan.rs
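Review bot: The removed maturin upload passed `--skip-existing`, but the replacement `pypa/gh-action-pypi-publish` step has no `with:` block and that action's `skip-existing` input defaults to false, so re-running the release job for a tag whose files were already uploaded will now fail instead of no-op. If reruns are expected, add `with:` / `skip-existing: true` to the publish step. Two smaller points on the same hunk: `actions/download-artifact` with `merge-multiple: true` and no `pattern:` pulls every artifact of the run into `dist`, so `pattern: wheels-*` would make the upload set explicit, and the now-unused `PYPI_API_TOKEN` repository secret should be revoked and deleted if it is still configured.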
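Review bot: `cargo install cargo-audit` in the "Install cargo-audit" step of the new security-audit.yml fetches and builds whatever the latest crates.io release is on every run, which is slow and is the one unpinned dependency in a patch that otherwise pins every action to a commit SHA. Pin it, e.g. `run: cargo install cargo-audit --locked --version <PINNED_VERSION>` (placeholder), so the audit tool itself gets the same review as the actions. Note also that `cargo audit` only fails the job on vulnerability advisories; unmaintained or yanked-crate warnings pass silently unless `--deny warnings` is added deliberately, which is worth deciding and recording in a comment on the step.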
@@ -147,16 +147,16 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: let scan_upload_url = if repo_data.is_empty() { format!( - "{}/api/cli/scan-upload?token={}&engine={}&run_id={}&project={}&ci={}&ci_platform={}", base_url, token, scanner, run_id, project, in_ci, ci_platform + "{}/api/cli/scan-upload?engine={}&run_id={}&project={}&ci={}&ci_platform={}", base_url, scanner, run_id, project, in_ci, ci_platform ) } else { format!( - "{}/api/cli/scan-upload?token={}&engine={}&run_id={}&project={}&ci={}&ci_platform={}&repo_data={}", base_url, token, scanner, run_id, project, in_ci, ci_platform, repo_data + "{}/api/cli/scan-upload?engine={}&run_id={}&project={}&ci={}&ci_platform={}&repo_data={}", base_url, scanner, run_id, project, in_ci, ci_platform, repo_data ) }; let git_config_upload_url = format!( - "{}/api/cli/git-config-upload?token={}&run_id={}", base_url, token, run_id + "{}/api/cli/git-config-upload?run_id={}", base_url, run_id ); let client = utils::api::http_client(); @@ -177,7 +177,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: } let src_upload_url = format!( - "{}/api/cli/code-upload?token={}&run_id={}&path={}", base_url, token, run_id, path + "{}/api/cli/code-upload?run_id={}&path={}", base_url, run_id, path ); debug(&format!("Uploading file: {}", path)); let fp = Path::new(&path); @@ -192,6 +192,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: debug(&format!("POST: {}", src_upload_url)); let res = client.post(&src_upload_url) + .header("CORGEA-TOKEN", &token) .multipart(form) .send(); 
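Review bot: The rewritten `format!` for `src_upload_url` in the @@ -177 hunk still interpolates `path` directly into the query string, so a file path containing `&`, `#`, `%` or `+` is split or decoded by the server into something other than the uploaded file's name; the same applies to `project` and `repo_data` in the @@ -147 hunk unless the caller already encodes them (not visible here). If `client` is a reqwest client, as `.multipart(form)` and `header::CONTENT_TYPE` suggest, attach the parameters with `.query(&[("run_id", &run_id), ("path", &path)])` on the request builder instead of `format!`, which percent-encodes each value; otherwise percent-encode the values before formatting. `upload_scan` starts and ends outside these hunks.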
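Review bot: `.header("CORGEA-TOKEN", &token)` is repeated verbatim at five call sites (the @@ -192 hunk here and the @@ -241, @@ -261, @@ -326 and @@ -361 hunks in the same file), each with the bare string literal, and the value is a plain string, so if a request is ever logged with `{:?}` the credential prints in full. Build the header once near the top of `upload_scan` and reuse it: `let mut auth = header::HeaderValue::from_str(&token)` (mapped into the function's error type), then `auth.set_sensitive(true);` and `.header("CORGEA-TOKEN", auth.clone())` at each site — `HeaderValue`'s Debug output redacts sensitive values. Alternatively set it through `default_headers` where the client is created in `utils::api::http_client`, which makes it impossible to forget on a future request; either way `const CORGEA_TOKEN_HEADER: &str = "CORGEA-TOKEN";` removes the repeated literal.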
@@ -241,6 +242,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: for (index, chunk) in input_bytes.chunks(chunk_size).enumerate() { debug(&format!("POST: {} (chunk {}/{})", scan_upload_url, index + 1, total_chunks)); let response = client.post(&scan_upload_url) + .header("CORGEA-TOKEN", &token) .header(header::CONTENT_TYPE, "application/json") .header("Upload-Offset", offset.to_string()) .header("Upload-Length", input_size.to_string()) @@ -261,6 +263,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: } else { debug(&format!("POST: {}", scan_upload_url)); client.post(&scan_upload_url) + .header("CORGEA-TOKEN", &token) .header(header::CONTENT_TYPE, "application/json") .body(input.clone()) .send() @@ -326,6 +329,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: debug(&format!("POST: {}", git_config_upload_url)); let res = client.post(&git_config_upload_url) + .header("CORGEA-TOKEN", &token) .multipart(form) .send(); @@ -343,7 +347,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: if in_ci { let ci_data_upload_url = format!( - "{}/api/cli/ci-data-upload?token={}&run_id={}&platform={}", base_url, token, run_id, ci_platform + "{}/api/cli/ci-data-upload?run_id={}&platform={}", base_url, run_id, ci_platform ); let mut github_env_vars_json = serde_json::Map::new(); @@ -361,6 +365,7 @@ pub fn upload_scan(config: &Config, paths: Vec, scanner: String, input: debug(&format!("POST: {}", ci_data_upload_url)); let _res = client.post(ci_data_upload_url) + .header("CORGEA-TOKEN", &token) .header(header::CONTENT_TYPE, "application/json") .body(github_env_vars_json_string) .send(); diff --git a/src/utils/api.rs b/src/utils/api.rs index e2b50db..a7b904f 100644 --- a/src/utils/api.rs +++ b/src/utils/api.rs 
@@ -605,7 +605,7 @@ pub fn get_sca_issues( debug(&format!("Sending request to URL: {}", endpoint)); debug(&format!("Query params: {:?}", query_params)); - debug(&format!("Token: {}", token)); + debug(&format!("Token: ...{}", &token[token.len().saturating_sub(4)..])); let response = client .get(&endpoint) From c4315ec38a859e58e6428aabf2da17d16a62d43c Mon Sep 17 00:00:00 2001 From: Yutaka Hosoai Date: Tue, 24 Mar 2026 11:50:28 -0700 Subject: [PATCH 2/2] keep triggering release-binary on each push --- .github/workflows/release-binaries.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 6e5d1a4..11a19d8 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -2,8 +2,6 @@ name: Native Binary Release on: push: - tags: - - '*' workflow_dispatch: inputs: tag:
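Review bot: `&token[token.len().saturating_sub(4)..]` slices by byte offset, so if a token ever contains a multi-byte UTF-8 character whose boundary falls at that offset the debug line panics instead of logging. A char-based suffix avoids that and keeps the whole-token fallback for values shorter than four characters: `let tail = token.char_indices().rev().nth(3).map_or(&token[..], |(i, _)| &token[i..]);` followed by `debug(&format!("Token: ...{}", tail));`. A short comment on why only the suffix is logged would also help, e.g. `// Log only a four-character suffix so debug output cannot reproduce the credential`. `get_sca_issues` starts and ends outside the hunk.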