Skip to content

Wave 3: Supply Chain & Build Hardening (GRA-79)#171

Open
graydeon wants to merge 2 commits intomainfrom
sec/wave-3-supply-chain
Open

Wave 3: Supply Chain & Build Hardening (GRA-79)#171
graydeon wants to merge 2 commits intomainfrom
sec/wave-3-supply-chain

Conversation

@graydeon
Copy link
Copy Markdown
Contributor

@graydeon graydeon commented Apr 23, 2026

Wave 3 — Supply Chain & Build Hardening

This PR implements Wave 3 of the security remediation initiative (GRA-79).

Changes

H-1: Dependency Pinning by Commit SHA

  • Require rev field for all git dependencies in gradient.toml
  • Validate SHA format (40-character hex)
  • Add archive_sha256 field to lockfile for downloaded archives

H-2: ZIP Extractor Security

  • Reject symlink entries in ZIP archives
  • Reject backslash separators and absolute Windows paths
  • Canonicalize output paths and verify they stay within destination

M-1: Package Name Validation

  • Validate [package].name against ^[a-zA-Z][a-zA-Z0-9_-]{0,63}$
  • Reject flag-shaped names starting with -

M-6: Supply Chain Guardrails

  • Add deny.toml with license, advisory, and ban checks
  • Add cargo-deny to CI security job
  • Add weekly scheduled cargo audit workflow (Sundays)

M-7: Reqwest Upgrade (OpenSSL Removal)

  • Upgrade reqwest 0.11 → 0.12
  • Use rustls-tls instead of OpenSSL
  • Add CI check to verify OpenSSL is not in dependency tree

L-2: Release Artifact Integrity

  • Generate SHA256SUMS for release binaries in install.sh
  • Print installed binary SHA256 hashes post-install

Changelog

Updated CHANGELOG.md with Wave 3 entries and backfilled Wave 2 entries (C-1, C-2).

Testing

  • CI passes (cargo-deny check)
  • OpenSSL not in dependency tree (cargo tree -i openssl)
  • Package name validation works

Fixes security findings: H-1, H-2, M-1, M-6, M-7, L-2

graydeon added 2 commits April 23, 2026 09:15
@graydeon
feat(security): Wave 3 supply chain & build hardening (GRA-79)
a609068 
- H-1: Require commit SHA for git deps; archive_sha256 in lockfile
- H-2: Harden ZIP extractor (symlinks, path traversal)
- M-1: Package name regex validation
- M-6: cargo-deny in CI, weekly cargo-audit
- M-7: reqwest 0.12 with rustls, drop OpenSSL
- L-2: SHA256SUMS generation in install.sh
@graydeon
build: Wave 3 supply chain hardening (ec56c06c-81c3-4c26-84ff-86485a4…
87e34cc 
…ff136)

- H-1: Enforce commit SHA in git dependencies
- H-2: ZIP extraction hardening (symlink rejection, path traversal protection)
- M-1: Package name validation with regex
- M-5: Replace system() with spawn() builtin
- M-6: cargo-deny + cargo-audit in CI
- M-7: reqwest 0.12 + rustls
- L-2: SHA256SUMS for release artifacts

All 58 tests passing, builds clean.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@graydeon