security: pin the gitleaks download with a SHA-256 checksum#483
Conversation
Sensitive Change Detection (shadow mode)This PR modifies control-plane files:
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: feaed83814
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
This PR upgrades the Go toolchain/dependencies to address reported CVEs and strengthens the CI security workflow by making security scanners more tamper-resistant and stricter.
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Changes:
- Add
toolchain go1.26.3and bumpgolang.org/x/net(and related indirect sums) to newer patched versions. - Harden gitleaks installation in CI by verifying the downloaded release tarball against a pinned SHA-256.
- Tighten the standalone gosec CI job by removing
-no-failand excluding the existing accepted baseline rule set.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
go.mod |
Pins the Go toolchain and bumps indirect x/net / x/term versions. |
go.sum |
Updates module checksums to match the bumped indirect dependencies. |
.github/workflows/security.yml |
Hardens gitleaks install via checksum verification and turns gosec into a failing gate. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
e4a7a62 to
a3ff017
Compare
feaed83 to
3d62a58
Compare
a3ff017 to
c1d95a4
Compare
3d62a58 to
54c2ef1
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 54c2ef1b25
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
c1d95a4 to
fc26287
Compare
54c2ef1 to
6f3eab7
Compare
fc26287 to
7ae26db
Compare
6f3eab7 to
41c42c5
Compare
7ae26db to
36ba2ba
Compare
6ad366d to
5522054
Compare
|
We opened a small main-based PR with the minimal pieces needed to unblock main and the Nix install path: #508. That PR intentionally limits scope to:
Leaving the broader CI hardening/gitleaks/gosec work here for separate review. |
4598b69 to
49bdd62
Compare
5522054 to
054b4ec
Compare
49bdd62 to
5dae29c
Compare
054b4ec to
2f61d78
Compare
5dae29c to
479078d
Compare
2f61d78 to
5d8d60d
Compare
479078d to
fe86ea0
Compare
5d8d60d to
26cfe5f
Compare
Verify the gitleaks release tarball against a pinned SHA-256 before installing it in the secret-scanning workflow, so a compromised or tampered release asset cannot execute in CI. (Originally this PR also set toolchain go1.26.3 and bumped golang.org/x/net to v0.55.0 to clear govulncheck-reachable advisories; main has since moved to go 1.26.5 with those same dependency versions, so after rebasing the dependency changes are subsumed and only the gitleaks pin remains.) The standalone gosec scan stays advisory (-no-fail, full SARIF upload). Its enforcing counterpart is golangci-lint (make lint), which honors the repo's per-site //nolint:gosec suppressions; the standalone binary can't read those, and globally excluding rule IDs (e.g. G101/G204) to make it hard-fail would blind release scans to new hard-coded creds / unsafe exec.
| # SHA-256 of gitleaks_8.21.2_linux_x64.tar.gz (from the release | ||
| # checksums.txt). Pinning the artifact hash prevents a tampered or | ||
| # swapped release tarball from running in CI (supply-chain guard). |
Pin the gitleaks download with a SHA-256 checksum
(Threat: T5 supply chain — an unpinned release download means a compromised or tampered gitleaks release asset executes in CI.)
gitleaks pinning: the secret-scanning workflow now verifies the gitleaks release tarball against a pinned SHA-256 (from the release
checksums.txt) before installing it:gosec gate (unchanged, rationale documented): the standalone gosec scan stays advisory (
-no-fail, with full SARIF upload to the Security tab). Its enforcing counterpart isgolangci-lint(make lint), which honors the repo's per-site//nolint:gosecsuppressions; the standalone binary can't read those, and globally excluding rule IDs (e.g. G101/G204) to make it hard-fail would blind release scans to new hard-coded creds / unsafe exec.History
This PR originally also set
toolchain go1.26.3and bumpedgolang.org/x/netto v0.55.0 /golang.org/x/termto v0.43.0, takinggovulncheck ./...from 6 reachable advisories to "No vulnerabilities found." Main has since independently moved togo 1.26.5with those same dependency versions, so after rebasing onto current main the dependency changes are subsumed and only the gitleaks pin remains.Part 6/6 of the stacked security series. Base:
security/05-perms-and-exec-args.📚 Stack (merge bottom-up)
apito prevent token leak #478 — reject foreign-host URLs inapi(basemain)Each is independent except #482 depends on #481 (shared
root.go). #478 can land first/alone.Summary by cubic
Pins and verifies the
gitleaksv8.21.2 Linux tarball in CI using the release’s SHA-256 before extraction, preventing swapped or tampered downloads in the secret-scanning workflow. Thegosecstep remains advisory (-no-fail) with SARIF upload; enforcement continues viagolangci-lint.Written for commit 1af8f25. Summary will update on new commits.