58d14a820e
docs: remove hardcoded scorecard version from README
2026-03-20 11:35:14 +00:00
ef5f4e52c3
docs: restructure README for conversion
...
- Move badges from top to Security & Trust section
- Add dashboard GIF (EN/RU crossfade) as first visual
- Add "Why NORA" section with key differentiators
- Add "Used by" production reference
- Add binary install option
- Add Supported Registries table with mount points
- Streamline features into scannable list
- Remove emoji from footer
- Add comparison link placeholder
2026-03-20 11:25:32 +00:00
35e930295c
test: add 82 unit tests across 7 modules
...
Coverage targets:
- activity_log: ActionType display, ActivityLog push/recent/all/bounded
- audit: AuditEntry, AuditLog write/read with tempdir
- config: defaults for all sub-configs, env overrides, TOML parsing
- dashboard_metrics: record_download/upload, cache_hit_rate, persistence
- error: constructors, Display, IntoResponse for all variants
- metrics: detect_registry for all protocol paths
- repo_index: paginate, RegistryIndex basics, RepoIndex invalidate
Total tests: 103 -> 185
2026-03-20 10:08:49 +00:00
3246bd9ffd
ci: add test coverage with tarpaulin and dynamic badge via gist
2026-03-20 09:32:22 +00:00
cfa6a4d0ed
chore: remove internal QA scripts from public repo
2026-03-19 12:42:53 +00:00
79fa8e0d4a
chore: add CODEOWNERS, CHANGELOG v0.2.33, SLSA provenance, QA scripts
2026-03-19 12:39:58 +00:00
b23765bebd
fix: update cosign-installer SHA to v3.8.0
2026-03-19 11:42:53 +00:00
b91c5531b6
release: bump version to v0.2.33 ( #46 )
2026-03-19 11:41:06 +00:00
596b18a3fa
release: bump version to v0.2.33
2026-03-19 11:08:51 +00:00
07aed45518
fix: use tag for codeql-action in scorecard (webapp rejects SHA pins)
2026-03-19 10:42:14 +00:00
4ec963d41c
fix: add repo_token and permissions to scorecard workflow
2026-03-19 10:35:57 +00:00
7f7e3e4986
fix: revert scorecard-action to tag (Docker action incompatible with SHA pin)
2026-03-19 10:33:27 +00:00
d51f176fd8
fix: use commit SHA for scorecard-action (not tag SHA)
2026-03-19 09:21:29 +00:00
34d30433cb
fix: correct scorecard-action SHA pin for v2.4.3
2026-03-19 09:19:41 +00:00
a6db016d7d
ci: retrigger scorecard workflow
2026-03-19 09:18:00 +00:00
fbd2aa35e8
ci: improve OpenSSF Scorecard rating ( #45 )
...
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
2026-03-19 11:51:11 +03:00
fa2cd45ed3
security: harden Docker registry and container runtime
...
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-03-19 08:29:28 +00:00
f76dab1184
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
e6043a6e2f
fix: use project gitleaks config in CI, relax rules for documentation examples
2026-03-18 12:48:05 +00:00
54a08153f1
docs: add public roadmap, cosign verification in install script
2026-03-18 12:36:51 +00:00
a36287a627
community: add issue/PR templates, code of conduct, update contributing guide
2026-03-18 12:22:10 +00:00
eb1b8db01e
chore: remove unused crates and demo traffic scripts
...
- Remove nora-cli (unimplemented stub)
- Remove nora-storage (standalone S3 server, not used)
- Remove demo traffic generator and systemd service
2026-03-18 12:19:58 +00:00
58f98949e4
style: clean up code comments
2026-03-18 11:23:11 +00:00
67b55fba92
chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets
...
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
2026-03-18 11:20:22 +00:00
e38e4ab4fb
test: E2E smoke tests + Playwright browser tests (23 tests)
...
smoke.sh:
- Full E2E smoke test: health, npm proxy/publish/security, Maven, PyPI, Docker, Raw, UI, mirror CLI
- Self-contained: starts NORA, runs tests, cleans up
Playwright (tests/e2e/):
- Dashboard: page load, registry sections visible, npm count > 0, Docker stats
- npm: URL rewriting, scoped packages, tarball download, publish, immutability, security
- Docker: v2 check, catalog, manifest push/pull, tags list
- Maven: proxy download, upload
- PyPI: simple index, package page
- Raw: upload and download
- Health, metrics, OpenAPI endpoints
All 23 tests pass in 4.7s against live NORA instance.
2026-03-18 11:04:19 +00:00
3fe2ae166d
docs: add CII Best Practices passing badge
2026-03-18 10:46:51 +00:00
ccaf543bcc
security: pin Docker base images by SHA, cosign signing in release, branch protection
...
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
68ed6546c8
docs: changelog v0.2.32
2026-03-18 09:43:49 +00:00
eccb80c7f2
fix: allow NCSA license for libfuzzer-sys in cargo-deny
2026-03-18 09:27:30 +00:00
f27b59b5a8
fix: add MIT license to nora-fuzz crate (cargo-deny compliance)
2026-03-18 09:23:31 +00:00
3fc57cc351
fix: correct cargo-deny key for unused license allowance
2026-03-18 09:19:50 +00:00
698b8d66ca
fix: allow unused license entries in cargo-deny config
2026-03-18 09:15:25 +00:00
9de623a14e
fix: Docker dashboard for namespaced images, library/ auto-prepend for Hub official images (v0.2.32)
...
Docker dashboard:
- build_docker_index now finds manifests segment by position, not fixed index
- Correctly indexes library/alpine, grafana/grafana, and other namespaced images
Docker proxy:
- Auto-prepend library/ for single-segment names when upstream returns 404
- Applies to both manifests and blobs
- nginx, alpine, node now work without explicit library/ prefix
- Cached under original name for future local hits
2026-03-18 08:07:53 +00:00
cb37813f11
security: add cargo-fuzz targets and ClusterFuzzLite config
...
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
bc9604bac3
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
15d12d073a
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
f1259e49b2
docs: add OpenSSF Scorecard badge
2026-03-17 10:41:00 +00:00
0727b421a9
Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23
...
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
2026-03-17 13:38:22 +03:00
22b01c9d78
Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0
...
chore(deps): bump clap from 4.5.60 to 4.6.0
2026-03-17 13:38:20 +03:00
73f3994b80
Merge pull request #30 from getnora-io/dependabot/cargo/tempfile-3.27.0
...
chore(deps): bump tempfile from 3.26.0 to 3.27.0
2026-03-17 13:38:17 +03:00
debf31d4b9
Merge pull request #33 from getnora-io/security/scorecard-hardening
...
security: OpenSSF Scorecard hardening
2026-03-17 13:36:40 +03:00
7df118d488
security: harden OpenSSF Scorecard compliance
...
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
dependabot[bot]
fd1a4c5fd5
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
...
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing ) from 0.3.22 to 0.3.23.
- [Release notes](https://github.com/tokio-rs/tracing/releases )
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.22...tracing-subscriber-0.3.23 )
---
updated-dependencies:
- dependency-name: tracing-subscriber
dependency-version: 0.3.23
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:13 +00:00
dependabot[bot]
d3df26b61a
chore(deps): bump clap from 4.5.60 to 4.6.0
...
Bumps [clap](https://github.com/clap-rs/clap ) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases )
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md )
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0 )
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:03 +00:00
dependabot[bot]
1d61f50ab0
chore(deps): bump tempfile from 3.26.0 to 3.27.0
...
Bumps [tempfile](https://github.com/Stebalien/tempfile ) from 3.26.0 to 3.27.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md )
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.26.0...v3.27.0 )
---
updated-dependencies:
- dependency-name: tempfile
dependency-version: 3.27.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:24:55 +00:00
8646926294
docs: Russian documentation — admin guide, user guide, technical spec (Минцифры)
2026-03-16 13:58:17 +00:00
c7e15b47aa
docs: add CycloneDX SBOM (238 components, 0 vulnerabilities)
2026-03-16 13:29:59 +00:00
b7d303bf54
feat: nora mirror CLI + systemd + install script
...
nora mirror:
- Pre-fetch dependencies through NORA proxy cache
- npm: --lockfile (v1/v2/v3) and --packages with --all-versions
- pip: requirements.txt parser
- cargo: Cargo.lock parser
- maven: dependency:list output parser
- Concurrent downloads (--concurrency, default 8)
- Progress bar with indicatif
- Health check before start
dist/:
- nora.service — systemd unit with security hardening
- nora.env.example — environment configuration template
- install.sh — automated install (binary + user + systemd + config)
Tested: 103 tests pass, 0 clippy warnings, cargo audit clean.
Smoke: mirrored 70 npm packages from real lockfile in 5.4s.
2026-03-16 13:27:37 +00:00
82ea93d07f
docs: changelog v0.2.31
2026-03-16 12:51:10 +00:00
01027888cb
feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)
...
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
2026-03-16 12:32:16 +00:00
