SkyMoney/tests-results-for-OWASP/A03-Software-Supply-Chain-Failures.md
Commit 079b8b9492 by Ricearoni1245, 2026-03-01 20:46:47 -06:00: "chore: root commit of OWASP security testing/tightening"
Checks on this commit: Deploy / deploy (push) successful in 1m42s; Security Tests / security-non-db (push) successful in 20s; Security Tests / security-db (push) successful in 22s

A03: Software Supply Chain Failures

Last updated: March 1, 2026

Findings addressed

  1. Production dependency vulnerabilities were present in both API and web lockfiles.
  2. Deploy pipeline had no explicit dependency vulnerability gate.

Fixes implemented

  1. Dependency remediation:
  • Ran npm audit fix in api and web.
  • Revalidated that production dependencies are clean with npm audit --omit=dev.
  2. Pipeline hardening:
  • Added a supply-chain check step to the deploy workflow:
    • npm ci + npm audit --omit=dev --audit-level=high for API and web.
  • Updated the checkout action from the broad major tag to the explicit release tag v4.2.2.

Files changed

  1. .gitea/workflows/deploy.yml
  2. api/package-lock.json
  3. web/package-lock.json
  4. api/tests/software-supply-chain-failures.test.ts
  5. api/vitest.security.config.ts

Verification

Production dependency vulnerability scans

Command:

cd api
npm audit --omit=dev --audit-level=high
cd ../web
npm audit --omit=dev --audit-level=high

Verified output:

  • found 0 vulnerabilities (api)
  • found 0 vulnerabilities (web)

Workflow policy verification (automated)

Command:

cd api
npx vitest run -c vitest.security.config.ts tests/software-supply-chain-failures.test.ts

Verified output:

  • Test Files: 1 passed (1)
  • Tests: 2 passed (2)

Coverage in policy suite:

  1. Deploy workflow includes dependency gate step for API and web.
  2. Workflow requires npm ci and npm audit --omit=dev --audit-level=high for both projects.
  3. actions/checkout remains pinned to an explicit release tag.
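The three policy points above, as an added example that is not the SkyMoney repository's own vitest suite and does not reproduce its code. It scans the workflow as plain text (no YAML parser dependency), so a step is recognised by its "- name:/uses:/run:" line, a project by a "cd api" / "working-directory: api" reference, and the checkout pin by a vMAJOR.MINOR.PATCH tag. The project names and gate commands are those the page lists; both workflow samples are constructed for this example, and they also show the "before" (major tag, no gate) and "after" (explicit tag, gate per project) shapes of the deploy job.

```typescript
// Added example, not the SkyMoney repository's own test file. Enforces the same
// three supply-chain policy points with a plain-text scan of the workflow.

const PROJECTS = ["api", "web"]; // from the page
const REQUIRED_COMMANDS = ["npm ci", "npm audit --omit=dev --audit-level=high"];
const RELEASE_TAG = /^v\d+\.\d+\.\d+$/; // explicit release tag such as v4.2.2

// Split the workflow into step-sized chunks, one per "- name:/uses:/run:" line.
// Good enough for a policy check; it is not a YAML parser.
function splitSteps(workflow: string): string[] {
  return workflow
    .split(/^\s*-\s+(?=(?:name|uses|run):)/m)
    .map((chunk) => chunk.trim())
    .filter((chunk) => chunk.length > 0);
}

// A step targets a project when it cd's into it or declares it as working-directory.
function stepTargets(step: string, project: string): boolean {
  const cd = new RegExp("\\bcd\\s+(?:\\.{0,2}\\/)?" + project + "\\b");
  const wd = new RegExp("working-directory:\\s*(?:\\.{0,2}\\/)?" + project + "\\b");
  return cd.test(step) || wd.test(step);
}

// Returns a list of policy violations; an empty list means the workflow passes.
export function checkWorkflowPolicy(workflow: string): string[] {
  const findings: string[] = [];
  const steps = splitSteps(workflow);

  // Points 1 and 2: each project needs one step that runs every gate command.
  for (const project of PROJECTS) {
    const gated = steps.some(
      (step) =>
        stepTargets(step, project) &&
        REQUIRED_COMMANDS.every((cmd) => step.indexOf(cmd) !== -1),
    );
    if (!gated) findings.push("missing dependency gate for " + project);
  }

  // Point 3: actions/checkout must be pinned to an explicit release tag.
  const checkoutRe = /uses:\s*actions\/checkout@(\S+)/g;
  let seen = 0;
  let m: RegExpExecArray | null;
  while ((m = checkoutRe.exec(workflow)) !== null) {
    seen++;
    if (!RELEASE_TAG.test(m[1])) findings.push("actions/checkout uses mutable ref " + m[1]);
  }
  if (seen === 0) findings.push("actions/checkout not found");
  return findings;
}

// Constructed sample: the pre-fix shape (major tag, builds but never audits).
export const WORKFLOW_BEFORE = `
name: Deploy
on: { push: { branches: [main] } }
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: |
          cd api && npm ci && npm run build
          cd ../web && npm ci && npm run build
`;

// Constructed sample: the hardened shape (explicit tag, audit gate per project).
export const WORKFLOW_AFTER = `
name: Deploy
on: { push: { branches: [main] } }
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4.2.2
      - name: Supply-chain check (api)
        working-directory: api
        run: |
          npm ci
          npm audit --omit=dev --audit-level=high
      - name: Supply-chain check (web)
        working-directory: web
        run: |
          npm ci
          npm audit --omit=dev --audit-level=high
      - name: Build and deploy
        run: ./scripts/deploy.sh
`;

console.log("before:", checkWorkflowPolicy(WORKFLOW_BEFORE)); // three findings
console.log("after:", checkWorkflowPolicy(WORKFLOW_AFTER)); // []
```

The check is deliberately structural rather than behavioural: it proves the gate commands and the pin are present in the committed workflow, which is what a policy test can assert offline; whether the audit actually blocks a vulnerable lockfile is shown by the npm audit runs above.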

Residual risks (not yet fully eliminated)

  1. Base image tags are still mutable (node:20-bookworm-slim, postgres:15) and not digest-pinned.
  2. actions/checkout is pinned to a release tag, not a full commit SHA.
  3. No artifact signing/attestation verification (e.g., cosign/SLSA) in current deploy pipeline.

Follow-up actions (one per residual risk above):

  1. Pin container images by immutable digest in Dockerfile/docker-compose.yml.
  2. Pin workflow actions to full commit SHAs.
  3. Add SBOM generation and signature/attestation verification before deploy.
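A check for the first two follow-ups (digest-pinned images, SHA-pinned actions), as an added example that is not code from the SkyMoney repository. It scans Dockerfile FROM lines, compose image: lines and workflow uses: lines as text; the digest and commit SHA values are constructed placeholders of the right length, and the file contents are constructed samples. Real digests come from the registry (for example docker buildx imagetools inspect), real SHAs from the action's release commit.

```typescript
// Added example, not the SkyMoney repository's own code. Audits image references
// for a sha256 digest and action references for a full 40-hex commit SHA.

export interface PinFinding {
  file: string;
  line: number; // 1-based line number in the scanned file
  ref: string;
  reason: string;
}

const DIGEST_PINNED = /@sha256:[0-9a-f]{64}$/;
const COMMIT_SHA = /^[0-9a-f]{40}$/;

// Flags FROM / image: references that are not pinned by digest.
// "FROM scratch" has no image to pin; build-arg references such as
// FROM ${BASE} are not resolved and are skipped.
export function auditImagePins(file: string, text: string): PinFinding[] {
  const findings: PinFinding[] = [];
  text.split("\n").forEach((line, i) => {
    const m = /^\s*(?:FROM\s+(?:--platform=\S+\s+)?|image:\s*)["']?([^\s"']+)/i.exec(line);
    if (!m) return;
    const ref = m[1];
    if (ref.toLowerCase() === "scratch" || ref.indexOf("$") === 0) return;
    if (!DIGEST_PINNED.test(ref)) {
      findings.push({ file: file, line: i + 1, ref: ref, reason: "image tag is mutable; no sha256 digest" });
    }
  });
  return findings;
}

// Flags "uses:" references whose part after "@" is not a full commit SHA.
// Local (./...) and docker:// actions are skipped; they are pinned differently.
export function auditActionPins(file: string, text: string): PinFinding[] {
  const findings: PinFinding[] = [];
  text.split("\n").forEach((line, i) => {
    const m = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/.exec(line);
    if (!m) return;
    const ref = m[1];
    if (ref.indexOf("./") === 0 || ref.indexOf("docker://") === 0) return;
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!COMMIT_SHA.test(version)) {
      findings.push({ file: file, line: i + 1, ref: ref, reason: "action ref is not a full commit SHA" });
    }
  });
  return findings;
}

// Constructed placeholders: 64 hex chars for a digest, 40 for a commit SHA.
export const FAKE_DIGEST = new Array(5).join("0123456789abcdef"); // 4 x 16 = 64
export const FAKE_SHA = new Array(3).join("0123456789abcdef") + "01234567"; // 32 + 8 = 40

// Constructed Dockerfile: build stage uses a mutable tag, runtime stage is digest-pinned.
export const DOCKERFILE_SAMPLE = `
FROM node:20-bookworm-slim AS build
WORKDIR /app
RUN npm ci && npm run build
FROM node:20-bookworm-slim@sha256:${FAKE_DIGEST}
COPY --from=build /app/dist /app/dist
`;

// Constructed compose file: db is tag-only, api is digest-pinned.
export const COMPOSE_SAMPLE = `
services:
  db:
    image: postgres:15
  api:
    image: "node:20-bookworm-slim@sha256:${FAKE_DIGEST}"
`;

// Constructed workflow steps: release tag, constructed SHA, local action.
export const WORKFLOW_SAMPLE = `
steps:
  - uses: actions/checkout@v4.2.2
  - uses: actions/setup-node@${FAKE_SHA} # constructed SHA standing in for a release
    with:
      node-version: 20
  - uses: ./.gitea/actions/deploy-notes
`;

console.log(auditImagePins("Dockerfile", DOCKERFILE_SAMPLE)); // one finding (line 2)
console.log(auditImagePins("docker-compose.yml", COMPOSE_SAMPLE)); // one finding (postgres:15)
console.log(auditActionPins(".gitea/workflows/deploy.yml", WORKFLOW_SAMPLE)); // one finding (checkout@v4.2.2)
```

Note that an explicit release tag (the page's current state for actions/checkout) still fails the SHA check by design: a tag can be moved by whoever controls the action's repository, a commit SHA cannot, and a human-readable comment next to the SHA keeps the pin reviewable.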