security: make CI gates blocking, add smoke test, clean up dead code

- gitleaks, cargo audit, trivy fs now block pipeline on findings - add smoke test (docker run + curl /health) in release workflow - deny.toml: add review date to RUSTSEC-2025-0119 ignore - remove unused validation functions (maven, npm, crate) - replace blanket #![allow(dead_code)] with targeted allows
2026-04-12 06:50:31 +00:00 · 2026-03-15 19:25:00 +00:00
parent d886426957
commit 233b83f902
8 changed files with 27 additions and 67 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,16 +51,14 @@ jobs:
        run: |
          curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
            | tar xz -C /usr/local/bin gitleaks
-          gitleaks detect --source . --exit-code 1 --report-format sarif --report-path gitleaks.sarif || true
-        continue-on-error: true  # findings are reported, do not block the pipeline
+          gitleaks detect --source . --exit-code 1 --report-format sarif --report-path gitleaks.sarif

      # ── CVE in Rust dependencies ────────────────────────────────────────────
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: cargo audit — RustSec advisory database
-        run: cargo audit
-        continue-on-error: true  # warn only; known CVEs should not block CI until triaged
+        run: cargo audit --ignore RUSTSEC-2025-0119  # known: number_prefix via indicatif

      # ── Licenses, banned crates, supply chain policy ────────────────────────
      - name: cargo deny — licenses and banned crates
@@ -79,7 +77,7 @@ jobs:
          format: sarif
          output: trivy-fs.sarif
          severity: HIGH,CRITICAL
-          exit-code: 0  # warn only; change to 1 to block the pipeline
+          exit-code: 1  # block pipeline on HIGH/CRITICAL vulnerabilities

      - name: Upload Trivy fs results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -127,6 +127,17 @@ jobs:
          cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra
          cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max

+      # ── Smoke test ──────────────────────────────────────────────────────────
+      - name: Smoke test — verify alpine image starts and responds
+        run: |
+          docker run --rm -d --name nora-smoke -p 5555:5000 \
+            ${{ env.NORA }}/${{ env.IMAGE_NAME }}:latest
+          for i in $(seq 1 10); do
+            curl -sf http://localhost:5555/health && break || sleep 2
+          done
+          curl -sf http://localhost:5555/health
+          docker stop nora-smoke
+
  scan:
    name: Scan (${{ matrix.name }})
    runs-on: [self-hosted, nora]