taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 12:40:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
219 Commits 3 Branches 38 Tags
4ec963d41c402e38620d2f46195189ed05a56238
Commit Graph

5 Commits

Author SHA1 Message Date
devitway
fa2cd45ed3 security: harden Docker registry and container runtime 
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
 2026-03-19 08:29:28 +00:00
devitway
ccaf543bcc security: pin Docker base images by SHA, cosign signing in release, branch protection 
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
 2026-03-18 09:49:45 +00:00
devitway
6ad710ff32 ci: add security scanning and SBOM to release pipeline 
- ci.yml: add security job (gitleaks, cargo-audit, cargo-deny, trivy fs)
- release.yml: restructure into build-binary + build-docker matrix + release
  - build binary once on self-hosted, reuse across all Docker builds
  - trivy image scan per matrix variant, results to GitHub Security tab
  - SBOM generation in SPDX and CycloneDX formats attached to release
- deny.toml: cargo-deny policy (allowed licenses, banned openssl, crates.io only)
- Dockerfile: remove Rust build stage, use pre-built binary
- Dockerfile.astra, Dockerfile.redos: FROM scratch for Russian certified OS support
 2026-02-23 11:37:27 +00:00
DevITWay
a19477c424 ci: add GitHub Actions workflow for Docker releases 
- Run tests on PR and push
- Build multi-arch images (amd64, arm64)
- Push to ghcr.io on main branch and tags
- Auto-create GitHub Release on version tags
- Use BuildKit cache for faster builds
 2026-01-26 00:34:00 +00:00
DevITWay
586420a476 feat: initialize NORA artifact registry 
Cloud-native multi-protocol artifact registry in Rust.

- Docker Registry v2
- Maven (+ proxy)
- npm (+ proxy)
- Cargo, PyPI
- Web UI, Swagger, Prometheus
- Local & S3 storage
- 32MB Docker image

Created by DevITWay
https://getnora.io
 2026-01-25 17:33:15 +00:00