[codex] Add nightly security sweep#195
Conversation
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 04b3df8a73
| crates/registry-platform-oid4vci/*|crates/registry-platform-sdjwt/*) | ||
| return 0 | ||
| ;; | ||
| products/notary/*|products/platform/*|release/docker/*) |
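Review bot: the glob groups in this case statement match only repo-relative prefixes (products/notary/*, release/docker/* and so on), so the classifier is correct only when it is fed git diff --name-only style paths; a path with a leading ./ or an absolute checkout prefix silently falls through to the skip branch. Normalise the input (strip any leading ./) before the case, or add a test that feeds one path from each group and asserts the function returns 0.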
Scan release Dockerfiles before marking them covered
When the only relevant change is under release/docker/, this classifier schedules the nightly sweep, but the assurance job only runs dockerfile-secrets in crates/registry-relay and products/notary. Those checkers scan only their local Dockerfiles (crates/registry-relay/scripts/check_security_assurance.py:357-358 and products/notary/scripts/check_security_assurance.py:353-354), while the release workflow builds release/docker/Dockerfile.registry-* (.github/workflows/release.yml:363-365), so secret-copy regressions in the release images are never checked by the new sweep. Add those release Dockerfiles to a scan or stop treating this path as covered.
| crates/registry-platform-authcommon/*|crates/registry-platform-crypto/*) | ||
| return 0 | ||
| ;; | ||
| crates/registry-platform-oid4vci/*|crates/registry-platform-sdjwt/*) |
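Review bot: the relevant set is an explicit per-crate allowlist (authcommon, crypto, oid4vci, sdjwt), so a new crates/registry-platform-* crate, or a crate these depend on that lives in its own directory, is treated as irrelevant until someone remembers to add it here. Either widen the pattern to crates/registry-platform-*/* or add a check that every workspace member under crates/ appears in one of these groups, so the sweep fails closed instead of skipping.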
Include replay changes in the security sweep
When a commit only touches crates/registry-platform-replay/..., this classifier falls through and the nightly sweep is skipped, even though registry-platform-oid4vci depends on that crate for replay handling (crates/registry-platform-oid4vci/Cargo.toml:16) and both fuzz lockfiles pull it in (products/platform/fuzz/Cargo.lock:1018, products/notary/fuzz/Cargo.lock:1548). In that context replay-protection changes bypass the nightly OID4VCI/Notary fuzz smoke entirely, so add crates/registry-platform-replay/* to the relevant path set.
Summary
Adds a root "Nightly Security" GitHub Actions workflow that keeps the normal PR/push gate fast while running heavier security assurance and fuzz smoke checks on a nightly schedule. The scheduled run restores the last successful checked SHA from the workflow cache and skips when no relevant security or fuzz surface changed. Manual dispatch always runs the sweep.
What runs
Notes
The workflow intentionally does not add these checks to every PR or push. It also leaves the existing Notary full manifest assurance check out of scope because that product-local check currently has a monorepo path issue for enforcement-test references; the deterministic Notary checks that are green locally are included.
Checks
- ruby -e 'require "yaml"; YAML.load_file(ARGV.fetch(0)); puts "yaml ok"' .github/workflows/nightly-security.yml
- actionlint .github/workflows/nightly-security.yml
- git diff --check
- python3 -m unittest crates/registry-relay/tests/security_assurance_check_test.py crates/registry-relay/tests/advisory_baseline_check_test.py products/notary/tests/security_assurance_check_test.py products/notary/tests/advisory_baseline_check_test.py
- (cd crates/registry-relay && python3 scripts/check_security_assurance.py manifest && python3 scripts/check_security_assurance.py dockerfile-secrets)
- (cd products/notary && python3 scripts/check_security_assurance.py dockerfile-secrets && python3 scripts/check_security_assurance.py openapi-baseline)
- (cd products/notary && cargo +nightly fuzz list --fuzz-dir fuzz)
- (cd products/notary && cargo +nightly fuzz list --fuzz-dir ../platform/fuzz)
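The skip logic described in the Summary (restore the last checked SHA, diff against it, run only when a security or fuzz surface changed, always run on manual dispatch) as an added example in POSIX sh. This is not the PR's own script: the path groups mirror the case fragments visible in the diff above, the replay-crate and workflow-file patterns are assumptions taken from the review comments, and the cache handling (an empty or unreachable last SHA means "run") is a design choice made here, not something the page states.

```sh
#!/usr/bin/env sh
# Added example, not the PR's nightly-security.yml helper.
# Classifies changed paths the same way the visible `case` fragment does and
# decides whether the nightly sweep should run.

# is_security_relevant PATH -> 0 if PATH is under a security/fuzz surface.
# A leading "./" is stripped so a caller that passes "./crates/..." is
# classified correctly instead of falling through to the skip branch.
is_security_relevant() {
  p="${1#./}"
  case "$p" in
    crates/registry-platform-authcommon/*|crates/registry-platform-crypto/*)
      return 0 ;;
    crates/registry-platform-oid4vci/*|crates/registry-platform-sdjwt/*)
      return 0 ;;
    # Assumed: replay is an OID4VCI dependency (per the review comment above).
    crates/registry-platform-replay/*)
      return 0 ;;
    products/notary/*|products/platform/*|release/docker/*)
      return 0 ;;
    # Assumed: edits to the sweep itself should always re-run it.
    .github/workflows/nightly-security.yml)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# any_relevant: reads newline-separated paths on stdin; 0 if any is relevant.
# Handles a final line without a trailing newline.
any_relevant() {
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    if is_security_relevant "$line"; then
      return 0
    fi
  done
  return 1
}

# should_run LAST_SHA HEAD_SHA EVENT -> 0 if the sweep should run.
# workflow_dispatch always runs. A scheduled run runs when no cached SHA
# exists, when the cached SHA is no longer reachable (force-push, cache from
# another branch), or when a relevant path changed since that SHA.
should_run() {
  last="$1"; head="$2"; event="$3"
  [ "$event" = "workflow_dispatch" ] && return 0
  [ -n "$last" ] || return 0
  git cat-file -e "$last^{commit}" 2>/dev/null || return 0
  git diff --name-only "$last" "$head" -- | any_relevant
}

# Typical use inside the job (LAST_SHA comes from the restored cache file):
#   if should_run "$LAST_SHA" "$GITHUB_SHA" "$GITHUB_EVENT_NAME"; then
#     echo "run=true" >> "$GITHUB_OUTPUT"
#   fi
```

Persisting the SHA after a green run (writing it to the cached file only in a step gated on success) is what makes the skip safe: a failed sweep leaves the old SHA in place, so the next scheduled run re-examines the same range instead of skipping past a regression.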
ruby -e 'require "yaml"; YAML.load_file(ARGV.fetch(0)); puts "yaml ok"' .github/workflows/nightly-security.ymlactionlint .github/workflows/nightly-security.ymlgit diff --checkpython3 -m unittest crates/registry-relay/tests/security_assurance_check_test.py crates/registry-relay/tests/advisory_baseline_check_test.py products/notary/tests/security_assurance_check_test.py products/notary/tests/advisory_baseline_check_test.py(cd crates/registry-relay && python3 scripts/check_security_assurance.py manifest && python3 scripts/check_security_assurance.py dockerfile-secrets)(cd products/notary && python3 scripts/check_security_assurance.py dockerfile-secrets && python3 scripts/check_security_assurance.py openapi-baseline)(cd products/notary && cargo +nightly fuzz list --fuzz-dir fuzz)(cd products/notary && cargo +nightly fuzz list --fuzz-dir ../platform/fuzz)