186855e892
ci: retrigger scorecard workflow
2026-03-19 09:18:00 +00:00
78dd91795d
ci: improve OpenSSF Scorecard rating ( #45 )
...
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
2026-03-19 11:51:11 +03:00
c1f6430aa9
security: harden Docker registry and container runtime
...
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-03-19 08:29:28 +00:00
52e59a8272
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
8b1b9c8401
fix: use project gitleaks config in CI, relax rules for documentation examples
2026-03-18 12:48:05 +00:00
62027c44dc
docs: add public roadmap, cosign verification in install script
2026-03-18 12:36:51 +00:00
68365dfe98
community: add issue/PR templates, code of conduct, update contributing guide
2026-03-18 12:22:10 +00:00
59cdd4530b
chore: remove unused crates and demo traffic scripts
...
- Remove nora-cli (unimplemented stub)
- Remove nora-storage (standalone S3 server, not used)
- Remove demo traffic generator and systemd service
2026-03-18 12:19:58 +00:00
1cc5c8cc86
security: simplify public gitleaks config to generic network rules only
2026-03-18 11:57:21 +00:00
e2919b83de
security: extend leak detection — dev process patterns, soft warnings for borderline content
2026-03-18 11:49:25 +00:00
c035561fd2
security: custom gitleaks rules for internal information leak prevention
2026-03-18 11:42:52 +00:00
1a38902b0c
style: clean up code comments
2026-03-18 11:23:11 +00:00
3b9b2ee0a0
chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets
...
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
2026-03-18 11:20:22 +00:00
b7cb458edf
test: E2E smoke tests + Playwright browser tests (23 tests)
...
smoke.sh:
- Full E2E smoke test: health, npm proxy/publish/security, Maven, PyPI, Docker, Raw, UI, mirror CLI
- Self-contained: starts NORA, runs tests, cleans up
Playwright (tests/e2e/):
- Dashboard: page load, registry sections visible, npm count > 0, Docker stats
- npm: URL rewriting, scoped packages, tarball download, publish, immutability, security
- Docker: v2 check, catalog, manifest push/pull, tags list
- Maven: proxy download, upload
- PyPI: simple index, package page
- Raw: upload and download
- Health, metrics, OpenAPI endpoints
All 23 tests pass in 4.7s against live NORA instance.
2026-03-18 11:04:19 +00:00
e1a1d80a77
docs: add CII Best Practices passing badge
2026-03-18 10:46:51 +00:00
b50dd6386e
security: pin Docker base images by SHA, cosign signing in release, branch protection
...
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
6b5a397862
docs: changelog v0.2.32
2026-03-18 09:43:49 +00:00
6b4d627fa2
fix: allow NCSA license for libfuzzer-sys in cargo-deny
2026-03-18 09:27:30 +00:00
659e7730de
fix: add MIT license to nora-fuzz crate (cargo-deny compliance)
2026-03-18 09:23:31 +00:00
d0441f31d1
fix: correct cargo-deny key for unused license allowance
2026-03-18 09:19:50 +00:00
1956401932
fix: allow unused license entries in cargo-deny config
2026-03-18 09:15:25 +00:00
e415f0f1ce
fix: Docker dashboard for namespaced images, library/ auto-prepend for Hub official images (v0.2.32)
...
Docker dashboard:
- build_docker_index now finds manifests segment by position, not fixed index
- Correctly indexes library/alpine, grafana/grafana, and other namespaced images
Docker proxy:
- Auto-prepend library/ for single-segment names when upstream returns 404
- Applies to both manifests and blobs
- nginx, alpine, node now work without explicit library/ prefix
- Cached under original name for future local hits
2026-03-18 08:07:53 +00:00
aa86633a04
security: add cargo-fuzz targets and ClusterFuzzLite config
...
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
31afa1f70b
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
f36abd82ef
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
ea6a86b0f1
docs: add OpenSSF Scorecard badge
2026-03-17 10:41:00 +00:00
638f99d8dc
Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23
...
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
2026-03-17 13:38:22 +03:00
c55307a3af
Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0
...
chore(deps): bump clap from 4.5.60 to 4.6.0
2026-03-17 13:38:20 +03:00
cc416f3adf
Merge pull request #30 from getnora-io/dependabot/cargo/tempfile-3.27.0
...
chore(deps): bump tempfile from 3.26.0 to 3.27.0
2026-03-17 13:38:17 +03:00
30aedac238
Merge pull request #33 from getnora-io/security/scorecard-hardening
...
security: OpenSSF Scorecard hardening
2026-03-17 13:36:40 +03:00
34e85acd6e
security: harden OpenSSF Scorecard compliance
...
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
dependabot[bot]
41eefdd90d
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
...
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing ) from 0.3.22 to 0.3.23.
- [Release notes](https://github.com/tokio-rs/tracing/releases )
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.22...tracing-subscriber-0.3.23 )
---
updated-dependencies:
- dependency-name: tracing-subscriber
dependency-version: 0.3.23
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:13 +00:00
dependabot[bot]
94ca418155
chore(deps): bump clap from 4.5.60 to 4.6.0
...
Bumps [clap](https://github.com/clap-rs/clap ) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases )
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md )
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0 )
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:03 +00:00
dependabot[bot]
e72648a6c4
chore(deps): bump tempfile from 3.26.0 to 3.27.0
...
Bumps [tempfile](https://github.com/Stebalien/tempfile ) from 3.26.0 to 3.27.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md )
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.26.0...v3.27.0 )
---
updated-dependencies:
- dependency-name: tempfile
dependency-version: 3.27.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:24:55 +00:00
18e93d23a9
docs: Russian documentation — admin guide, user guide, technical spec (Минцифры)
2026-03-16 13:58:17 +00:00
db05adb060
docs: add CycloneDX SBOM (238 components, 0 vulnerabilities)
2026-03-16 13:29:59 +00:00
a57de6690e
feat: nora mirror CLI + systemd + install script
...
nora mirror:
- Pre-fetch dependencies through NORA proxy cache
- npm: --lockfile (v1/v2/v3) and --packages with --all-versions
- pip: requirements.txt parser
- cargo: Cargo.lock parser
- maven: dependency:list output parser
- Concurrent downloads (--concurrency, default 8)
- Progress bar with indicatif
- Health check before start
dist/:
- nora.service — systemd unit with security hardening
- nora.env.example — environment configuration template
- install.sh — automated install (binary + user + systemd + config)
Tested: 103 tests pass, 0 clippy warnings, cargo audit clean.
Smoke: mirrored 70 npm packages from real lockfile in 5.4s.
2026-03-16 13:27:37 +00:00
d3439ae33d
docs: changelog v0.2.31
2026-03-16 12:51:10 +00:00
b3b74b8b2d
feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)
...
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
2026-03-16 12:32:16 +00:00
d41b55fa3a
style: cargo fmt
2026-03-16 08:58:27 +00:00
5a68bfd695
fix: dashboard — docker namespaced repos, npm proxy cache, upstream display (v0.2.30)
2026-03-16 08:55:33 +00:00
9c8fee5a5d
docs: rewrite README — new slogan, roadmap, trim TLS/FSTEC, fix config example
2026-03-16 07:39:43 +00:00
bbff337b4c
fix: clean up stale smoke test container before run
2026-03-15 22:25:37 +00:00
a73335c549
docs: trim README, link to docs site, fix website URL
2026-03-15 22:21:08 +00:00
ad6aba46b2
chore: remove internal release runbook from public repo
2026-03-15 21:57:05 +00:00
095270d113
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
769f5fb01d
docs: update CHANGELOG and README for v0.2.29 upstream auth
2026-03-15 21:50:14 +00:00
53884e143b
v0.2.29: upstream auth, remove dead code, version bump
...
- Remove unused DockerAuth::fetch_with_auth() method
- Fix basic_auth_header docstring
- Bump to v0.2.29
2026-03-15 21:42:49 +00:00
0eb26f24f7
refactor: extract basic_auth_header helper, add plaintext credential warnings
...
- basic_auth_header() in config.rs replaces 6 inline STANDARD.encode calls
- warn_plaintext_credentials() logs warning at startup if auth is in config.toml
- All protocol handlers use shared helper instead of duplicating base64 logic
2026-03-15 21:37:51 +00:00
fa962b2d6e
feat: upstream auth for all protocols (Docker, Maven, npm, PyPI)
...
Wire up basic auth credentials for upstream registry proxying:
- Docker: pass configured auth to Bearer token requests
- Maven: support url|auth format in NORA_MAVEN_PROXIES env var
- npm: add NORA_NPM_PROXY_AUTH env var
- PyPI: add NORA_PYPI_PROXY_AUTH env var
- Mask credentials in logs (never log plaintext passwords)
Config examples:
NORA_DOCKER_UPSTREAMS="https://registry.corp.com |user:pass"
NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2 |user:pass"
NORA_NPM_PROXY_AUTH="user:pass"
NORA_PYPI_PROXY_AUTH="user:pass"
2026-03-15 21:29:20 +00:00
