# Sealed-Mode CI Harness
This harness supports DEVOPS-AIRGAP-57-002 by exercising services with the sealed flag, verifying that no outbound network traffic succeeds, and producing artefacts Authority can use for AUTH-AIRGAP-57-001 gating.
## Workflow

- Run `./run-sealed-ci.sh` from this directory (the script now boots the stack, applies the iptables guard, and captures artefacts automatically).
- The harness:
  - Launches `sealed-mode-compose.yml` with Authority/Signer/Attestor + Mongo.
  - Snapshots iptables, injects a `STELLAOPS_SEALED` chain into `DOCKER-USER`/`OUTPUT`, and whitelists only loopback + RFC1918 ranges so container egress is denied. Because private ranges stay allowed, the guard proves there is no off-cluster egress; it does not isolate the stack from other hosts on RFC1918 addresses.
  - Repeatedly polls `/healthz` on `5088`/`6088`/`7088` to verify sealed-mode bindings stay healthy while egress is blocked.
  - Executes `egress_probe.py`, which runs curl probes from inside the compose network to confirm off-cluster addresses are unreachable.
  - Writes logs, iptables counters, and the summary contract to `artifacts/sealed-mode-ci/<timestamp>`.
- `.gitea/workflows/build-test-deploy.yml` now includes a `sealed-mode-ci` job that runs this script on every push/PR and uploads the artefacts for `AUTH-AIRGAP-57-001`.
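The guard-and-probe sequence above, as an added shell example (not the harness's own `run-sealed-ci.sh` or `egress_probe.py`): it emits the `STELLAOPS_SEALED` rules as reviewable commands, polls `/healthz` on the three ports, and curls a set of off-cluster targets, failing if any of them answers. Details the page does not state and that are assumed here: the conntrack rule that keeps already-open connections (such as the CI runner's own session) alive, `REJECT` rather than `DROP` as the final verdict, the teardown helper, and the probe targets (`203.0.113.0/24` is the TEST-NET-3 documentation range). `CURL`, `IPT` and `SLEEP` are overridable so the functions can be exercised without root or network; to match the harness's in-network probe, run `egress_probe` via `docker compose exec` inside the compose network.

```shell
#!/bin/sh
# Added example, not the harness's own run-sealed-ci.sh / egress_probe.py.
# Builds the STELLAOPS_SEALED guard described in the README and probes egress.
# Assumed details (not on the page): the conntrack rule, REJECT as the final
# verdict, the teardown helper, and the probe targets (203.0.113.0/24 is TEST-NET-3).

CHAIN=${CHAIN:-STELLAOPS_SEALED}
IPT=${IPT:-iptables}   # set IPT="echo iptables" for a dry run
CURL=${CURL:-curl}     # overridable so the probes can be exercised offline
SLEEP=${SLEEP:-1}      # seconds between health polls

# Emit the guard rules as shell commands so they can be reviewed before they
# are applied (sealed_rules | sh). Loopback and RFC1918 destinations are
# allowed, matching the README; everything else, including link-local
# 169.254.0.0/16 (cloud metadata), is rejected. Because RFC1918 is allowed,
# the guard proves "no off-cluster egress", not isolation from other
# internal hosts on private ranges.
sealed_rules() {
    printf '%s -N %s\n' "$IPT" "$CHAIN"
    # Keep replies on already-open connections (e.g. the CI runner's own
    # session) working; only new outbound connections are subject to the guard.
    printf '%s -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPT" "$CHAIN"
    printf '%s -A %s -o lo -j ACCEPT\n' "$IPT" "$CHAIN"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s -A %s -d %s -j ACCEPT\n' "$IPT" "$CHAIN" "$net"
    done
    # REJECT rather than DROP so probes fail fast instead of hanging on timeouts.
    printf '%s -A %s -j REJECT --reject-with icmp-admin-prohibited\n' "$IPT" "$CHAIN"
    # Hook the chain first in DOCKER-USER (container traffic) and OUTPUT (host).
    printf '%s -I DOCKER-USER 1 -j %s\n' "$IPT" "$CHAIN"
    printf '%s -I OUTPUT 1 -j %s\n' "$IPT" "$CHAIN"
}

# Remove the guard (unhook, flush, delete). Errors are ignored so this is safe
# from an EXIT trap even if only part of the guard was installed.
sealed_teardown() {
    $IPT -D DOCKER-USER -j "$CHAIN" 2>/dev/null
    $IPT -D OUTPUT -j "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN" 2>/dev/null
    $IPT -X "$CHAIN" 2>/dev/null
    return 0
}

# Poll /healthz on each port (the README's 5088/6088/7088 bindings) until every
# one answers 2xx or the attempt budget is exhausted.
poll_health() {
    attempts=$1; shift
    i=0
    while [ "$i" -lt "$attempts" ]; do
        ok=1
        for port in "$@"; do
            $CURL -sf -o /dev/null --max-time 3 "http://127.0.0.1:$port/healthz" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        i=$((i + 1)); sleep "$SLEEP"
    done
    return 1
}

# Curl each target; any success means the guard leaks. Prints one verdict per
# target and returns 1 if anything was reachable, 0 if all were blocked.
egress_probe() {
    leak=0
    for target in "$@"; do
        if $CURL -sS -o /dev/null --connect-timeout 3 --max-time 5 "$target" 2>/dev/null; then
            echo "$target REACHABLE"; leak=1
        else
            echo "$target blocked"
        fi
    done
    return "$leak"
}

# Only act when invoked explicitly; sourcing the file just defines the functions.
if [ "${SEALED_CI_MAIN:-0}" = 1 ]; then
    trap sealed_teardown EXIT
    sealed_rules | sh
    poll_health 30 5088 6088 7088 || { echo "services unhealthy under seal"; exit 2; }
    egress_probe http://203.0.113.10 https://example.com || exit 1
    echo "egress denied"
fi
```

Run with `SEALED_CI_MAIN=1` as root to apply the guard for real, or with `IPT="echo iptables"` to print the rules the script would apply; `sealed_rules` is deliberately separated from applying them so the rule set can be diffed against the snapshot the harness takes.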
## Outputs

- `authority.health.log`, `signer.health.log`, `attestor.health.log`
- `iptables-docker-user.txt`, `iptables-output.txt`
- `egress-probe.json`
- `compose.log`, `compose.ps`
- `authority-sealed-ci.json` (single file Authority uses to validate the run)
## TODO
- Wire into offline kit smoke tests (DEVOPS-AIRGAP-58-001).
Refer to `docs/security/dpop-mtls-rollout.md` for cross-guild milestones.