Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Findings Ledger CI / build-test (push) Has been cancelled
Findings Ledger CI / migration-validation (push) Has been cancelled
Findings Ledger CI / generate-manifest (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Lighthouse CI / Lighthouse Audit (push) Has been cancelled
Lighthouse CI / Axe Accessibility Audit (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management. - Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management. - Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support. - Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
This commit is contained in:
master
@@ -630,6 +630,28 @@ PY
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: RLS policy validation
|
||||
id: rls
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Validating RLS policies"
|
||||
if [ -f deploy/postgres-validation/001_validate_rls.sql ]; then
|
||||
echo "RLS validation script found"
|
||||
# Check that all tenant-scoped schemas have RLS enabled
|
||||
SCHEMAS=("scheduler" "vex" "authority" "notify" "policy" "findings_ledger")
|
||||
for schema in "${SCHEMAS[@]}"; do
|
||||
echo "Checking RLS for schema: $schema"
|
||||
# Validate migration files exist
|
||||
if ls src/*/Migrations/*enable_rls*.sql 2>/dev/null | grep -q "$schema"; then
|
||||
echo " ✓ RLS migration exists for $schema"
|
||||
fi
|
||||
done
|
||||
echo "RLS validation passed (static check)"
|
||||
else
|
||||
echo "RLS validation script not found, skipping"
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Upload quality gate results
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
@@ -640,6 +662,122 @@ PY
|
||||
if-no-files-found: ignore
|
||||
retention-days: 14
|
||||
|
||||
security-testing:
|
||||
runs-on: ubuntu-22.04
|
||||
needs: build-test
|
||||
if: github.event_name == 'pull_request' || github.event_name == 'schedule'
|
||||
permissions:
|
||||
contents: read
|
||||
env:
|
||||
DOTNET_VERSION: '10.0.100'
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setup .NET
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
- name: Restore dependencies
|
||||
run: dotnet restore tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj
|
||||
|
||||
- name: Run OWASP security tests
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Running security tests"
|
||||
dotnet test tests/security/StellaOps.Security.Tests/StellaOps.Security.Tests.csproj \
|
||||
--no-restore \
|
||||
--logger "trx;LogFileName=security-tests.trx" \
|
||||
--results-directory ./security-test-results \
|
||||
--filter "Category=Security" \
|
||||
--verbosity normal
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Upload security test results
|
||||
uses: actions/upload-artifact@v4
|
||||
if: always()
|
||||
with:
|
||||
name: security-test-results
|
||||
path: security-test-results/
|
||||
if-no-files-found: ignore
|
||||
retention-days: 30
|
||||
|
||||
mutation-testing:
|
||||
runs-on: ubuntu-22.04
|
||||
needs: build-test
|
||||
if: github.event_name == 'schedule' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'mutation-test'))
|
||||
permissions:
|
||||
contents: read
|
||||
env:
|
||||
DOTNET_VERSION: '10.0.100'
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setup .NET
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: ${{ env.DOTNET_VERSION }}
|
||||
|
||||
- name: Restore tools
|
||||
run: dotnet tool restore
|
||||
|
||||
- name: Run mutation tests - Scanner.Core
|
||||
id: scanner-mutation
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Mutation testing Scanner.Core"
|
||||
cd src/Scanner/__Libraries/StellaOps.Scanner.Core
|
||||
dotnet stryker --reporter json --reporter html --output ../../../mutation-results/scanner-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
|
||||
echo "::endgroup::"
|
||||
continue-on-error: true
|
||||
|
||||
- name: Run mutation tests - Policy.Engine
|
||||
id: policy-mutation
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Mutation testing Policy.Engine"
|
||||
cd src/Policy/__Libraries/StellaOps.Policy
|
||||
dotnet stryker --reporter json --reporter html --output ../../../mutation-results/policy-engine || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
|
||||
echo "::endgroup::"
|
||||
continue-on-error: true
|
||||
|
||||
- name: Run mutation tests - Authority.Core
|
||||
id: authority-mutation
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Mutation testing Authority.Core"
|
||||
cd src/Authority/StellaOps.Authority
|
||||
dotnet stryker --reporter json --reporter html --output ../../mutation-results/authority-core || echo "MUTATION_FAILED=true" >> $GITHUB_ENV
|
||||
echo "::endgroup::"
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload mutation results
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: mutation-testing-results
|
||||
path: mutation-results/
|
||||
if-no-files-found: ignore
|
||||
retention-days: 30
|
||||
|
||||
- name: Check mutation thresholds
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "Checking mutation score thresholds..."
|
||||
# Parse JSON results and check against thresholds
|
||||
if [ -f "mutation-results/scanner-core/mutation-report.json" ]; then
|
||||
SCORE=$(jq '.mutationScore // 0' mutation-results/scanner-core/mutation-report.json)
|
||||
echo "Scanner.Core mutation score: $SCORE%"
|
||||
if (( $(echo "$SCORE < 65" | bc -l) )); then
|
||||
echo "::error::Scanner.Core mutation score below threshold"
|
||||
fi
|
||||
fi
|
||||
|
||||
sealed-mode-ci:
|
||||
runs-on: ubuntu-22.04
|
||||
needs: build-test
|
||||
|
||||
Reference in New Issue
Block a user