feat: prod-readiness PR 3 of 5 — supply chain & bundle integrity#108
Merged
Conversation
…cret hygiene + scanner pin Third of 5 production-readiness PRs. Closes the air-gap drift, missing bundle integrity, and unpinned scanner-version audit findings. Why --- The bundle deployment model assumes an air-gapped target — but pre-PR-3 the launcher scripts fell back to `curl -fL https://repo1.maven.org/...` when the CLI JAR wasn't bundled, and bundles shipped without any integrity manifest. The `.gitignore` had narrow secret patterns, the `.dockerignore` had no secret patterns at all (and does NOT inherit `.gitignore`), and Semgrep ran unpinned (Scorecard Pinned-Dependencies flag). Changes ------- * **`codeiq bundle` SHA-256 manifest** (`BundleCommand`). Every entry is hashed via streaming `MessageDigest` as it writes through `ZipOutputStream` — no double-read for hundred-MB graph DBs. A final `checksums.sha256` entry in standard GNU coreutils format (`<64-hex> <path>` per line) lets receivers verify with `sha256sum -c checksums.sha256`. The manifest itself is excluded from itself (would be circular); receivers verify `checksums.sha256` integrity out-of-band (Sigstore / GPG / GitHub Release SHA-256). * **No public-internet calls in `serve.sh` / `serve.bat`**. The Maven Central download fallback is removed; both scripts fail fast with a "place the JAR in this directory or re-bundle with --include-jar" message. `serve.sh` automatically runs `sha256sum -c --quiet checksums.sha256` before launch (skip with CODEIQ_SKIP_VERIFY=1 for trusted internal flows). `serve.bat` does not yet have a Windows-native equivalent — tracked. * **Pinned Semgrep version** in `.github/workflows/security.yml`: `pip install semgrep` → `pip install 'semgrep==1.161.0'` (latest stable as of 2026-04-28). Bumps via Dependabot pip ecosystem. * **Tightened secret-pattern exclusions**. - `.gitignore`: `.env` / `.env.local` → `.env.*` (catches `.env.prod`, `.env.test`, ...) plus explicit globs for `*.jks`, `*.p12`, `*.pfx`, `*.keystore`, `id_{rsa,ecdsa,ed25519,dsa}`, `credentials.{json,yaml}`, `secrets.{json,yaml}`, `*.serviceaccount.json`. - `.dockerignore`: mirrors the same rules. Docker resolves COPY against the build context which includes untracked working-tree files; .dockerignore does not inherit .gitignore. * **Bundle verification runbook** in `shared/runbooks/release.md` §4a. Documents consumer-side `sha256sum -c` workflow with CODEIQ_SKIP_VERIFY semantics and the out-of-band signing pattern. Test coverage ------------- * `BundleCommandTest#bundleCreatesZipWithCorrectStructure`: 4 new asserts — `serve.sh` contains no `curl` / `maven.org` (defense against re-introduction), `checksums.sha256` exists, format-conforms to `<64-hex> <path>`, excludes itself. * Full suite: 3672 tests / 0 failures / 0 errors / 32 skipped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Third of 5 production-readiness PRs. Closes the air-gap drift, missing bundle integrity, and unpinned scanner-version audit findings.
Why
The bundle deployment model assumes an air-gapped target — but pre-PR-3 the launcher scripts fell back to
curl -fL https://repo1.maven.org/...when the CLI JAR wasn't bundled, and bundles shipped without any integrity manifest. The.gitignorehad narrow secret patterns, the.dockerignorehad no secret patterns at all (and does NOT inherit.gitignore), and Semgrep ran unpinned (Scorecard Pinned-Dependencies flag).Changes
codeiq bundleSHA-256 manifest — streamingMessageDigestper entry, no double-read;checksums.sha256in standard GNU coreutils format. Receivers verify withsha256sum -c checksums.sha256. The manifest excludes itself (circular); out-of-band Sigstore / GPG signs the bundle.zip.serve.sh/serve.bat— Maven Central download removed. Fail-fast with a "use --include-jar or stage from internal mirror" message.serve.shrunssha256sum -c --quietautomatically (skip withCODEIQ_SKIP_VERIFY=1).semgrep==1.161.0in.github/workflows/security.yml. Bumps via Dependabot pip ecosystem..gitignore+.dockerignore:.env.*,*.jks,*.p12,*.pfx,*.keystore,id_{rsa,ecdsa,ed25519,dsa},credentials.{json,yaml},secrets.{json,yaml},*.serviceaccount.json. (.dockerignore does NOT inherit .gitignore — explicit defense-in-depth.)shared/runbooks/release.md§4a. Consumer-sidesha256sum -cworkflow + signing patterns.Test plan
BundleCommandTest#bundleCreatesZipWithCorrectStructureextended — asserts nocurl/maven.orginserve.sh,checksums.sha256exists + matches GNU sha256sum format + excludes itself🤖 Generated with Claude Code