Joders/SkyMoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
952684fc256466e40b3f9f1bb1df6bb148b9ee85
SkyMoney/tests-results-for-OWASP/A03-Software-Supply-Chain-Failures.md
Ricearoni1245 079b8b9492
All checks were successful
Deploy / deploy (push) Successful in 1m42s
Details
Security Tests / security-non-db (push) Successful in 20s
Details
Security Tests / security-db (push) Successful in 22s
Details
chore: root commit of OWSAP security testing/tightening
2026-03-01 20:46:47 -06:00

78 lines
2.1 KiB
Markdown
Raw Blame History

# A03: Software Supply Chain Failures
Last updated: March 1, 2026
## Findings addressed
1. Production dependency vulnerabilities were present in both API and web lockfiles.
2. Deploy pipeline had no explicit dependency vulnerability gate.
## Fixes implemented
1. Dependency remediation:
- Ran `npm audit fix` in `api` and `web`.
- Revalidated production dependencies are clean with `npm audit --omit=dev`.
2. Pipeline hardening:
- Added supply-chain check step in deploy workflow:
- `npm ci` + `npm audit --omit=dev --audit-level=high` for API and web.
- Updated checkout action from broad major tag to explicit release tag `v4.2.2`.
## Files changed
1. `.gitea/workflows/deploy.yml`
2. `api/package-lock.json`
3. `web/package-lock.json`
4. `api/tests/software-supply-chain-failures.test.ts`
5. `api/vitest.security.config.ts`
## Verification
### Production dependency vulnerability scans
Command:
```bash
cd api
npm audit --omit=dev --audit-level=high
cd ../web
npm audit --omit=dev --audit-level=high
```
Verified output:
- `found 0 vulnerabilities` (api)
- `found 0 vulnerabilities` (web)
### Workflow policy verification (automated)
Command:
```bash
cd api
npx vitest run -c vitest.security.config.ts tests/software-supply-chain-failures.test.ts
```
Verified output:
- Test Files: `1 passed (1)`
- Tests: `2 passed (2)`
Coverage in policy suite:
1. Deploy workflow includes dependency gate step for API and web.
2. Workflow requires `npm ci` and `npm audit --omit=dev --audit-level=high` for both projects.
3. `actions/checkout` remains pinned to an explicit release tag.
## Residual risks (not yet fully eliminated)
1. Base image tags are still mutable (`node:20-bookworm-slim`, `postgres:15`) and not digest-pinned.
2. `actions/checkout` is pinned to a release tag, not a full commit SHA.
3. No artifact signing/attestation verification (e.g., cosign/SLSA) in current deploy pipeline.
## Recommended next hardening steps
1. Pin container images by immutable digest in `Dockerfile`/`docker-compose.yml`.
2. Pin workflow actions to full commit SHAs.
3. Add SBOM generation and signature/attestation verification before deploy.
Reference in New Issue View Git Blame Copy Permalink