ci: supply-chain hardening — Dependabot, govulncheck, fuzz targets#70
qiansheng91 wants to merge 1 commit into
Adds three input/dependency-robustness layers without changing the CI gate's
pass/fail contract:
- Dependabot (.github/dependabot.yml): weekly, grouped updates for gomod
(root + sdk/go), pip (tools), npm (web + docs), and github-actions. Grouped
to keep PR volume low. Security alerts are independent of this config, so
grouping version updates does not delay security fixes.
- govulncheck: `make vulncheck` target + a non-blocking CI step. Kept
non-blocking for now because most current findings are Go std-lib CVEs that
track the toolchain version (cleared by bumping Go), not the repo's own
deps. The comment notes to drop continue-on-error once findings are triaged.
- Fuzz targets on two untrusted-input surfaces:
  - FuzzParse (internal/query): the SPL parser must never panic on arbitrary
    input. Seed corpus runs on every `go test`.
  - FuzzConfineImportPath (internal/umodel): the import-root confinement must
    never accept a path that escapes the root. Seeds include traversal and
    NUL bytes.
Both ran 2M+ executions under `-fuzz` with no crash; the seed corpora double
as fast regression tests in the normal suite.
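A fuzz target in the shape the description gives for the import-root confinement, added here as an example and not the PR's own code: `confineImportPath`, `escapesRoot` and the `/srv/roots/app` root are hypothetical stand-ins for the repo's internal/umodel implementation, and the seeds cover the traversal and NUL-byte cases the description mentions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"testing"
)

// confineImportPath (hypothetical, not the repo's function) resolves p against
// root and returns the cleaned path only if it stays inside root. NUL bytes are
// rejected first: they truncate the string at the OS boundary and hide a suffix.
func confineImportPath(root, p string) (string, error) {
	if strings.IndexByte(p, 0) >= 0 {
		return "", errors.New("import path contains NUL byte")
	}
	root = filepath.Clean(root)
	joined := filepath.Join(root, p) // Join cleans: "a/../../x" collapses, "/abs" anchors under root
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("import path escapes root")
	}
	return joined, nil
}
// escapesRoot is the fuzz oracle: true unless resolved is root itself or below it.
func escapesRoot(root, resolved string) bool {
	root = filepath.Clean(root)
	return resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator))
}

// FuzzConfineImportPath encodes the invariant from the PR: never accept a path
// that leaves the root. The seeds (traversal, NUL) also run under plain `go test`.
func FuzzConfineImportPath(f *testing.F) {
	for _, s := range []string{"", ".", "pkg/sub", "../etc/passwd", "pkg/../../x", "pkg\x00../x", "/abs"} {
		f.Add(s)
	}
	f.Fuzz(func(t *testing.T, p string) {
		got, err := confineImportPath("/srv/roots/app", p)
		if err == nil && escapesRoot("/srv/roots/app", got) {
			t.Fatalf("accepted escaping path %q -> %q", p, got)
		}
	})
}
func main() { // prints the verdict for a few constructed seeds when run stand-alone
	for _, p := range []string{"pkg/sub", "../etc/passwd", "pkg\x00../x"} {
		got, err := confineImportPath("/srv/roots/app", p)
		fmt.Printf("%q -> %q, %v\n", p, got, err)
	}
}
```

Run with `go test -fuzz=FuzzConfineImportPath` for exploration; without `-fuzz` only the seed corpus runs, which is the regression-test role the PR describes.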
Mr-Xzz (Collaborator) approved these changes on Jun 18, 2026 and left a comment:
Reviewed the Dependabot, govulncheck, and fuzz-target additions. The vulnerability scan is non-blocking and fuzz seeds run under normal go test without changing production behavior. No blocking findings from my pass.
Three input/dependency-robustness layers, without changing the CI gate's pass/fail contract.
- sdk/go), pip (tools), npm (web+docs), and github-actions. Grouped to keep PR volume low; security alerts are independent of this config, so grouping version updates does not delay security fixes.
- `make vulncheck` target plus a non-blocking CI step. Most current findings are Go std-lib CVEs that track the toolchain version (cleared by bumping Go), not the repo's own deps; the step comment notes to drop `continue-on-error` once findings are triaged.
- `FuzzParse`) and the import-path confinement (`FuzzConfineImportPath`). Seed corpora run on every `go test`, doubling as fast regression tests.
Verification: 2M+ fuzz executions per target with no panic or path escape; full suite green.