Skip to content

Security hardening: pin Python deps, normalize Go versions, add SECURITY.md and security CI#1

Closed
nevinshine with Copilot wants to merge 3 commits into
mainfrom
copilot/harden-repository-security
Closed

Security hardening: pin Python deps, normalize Go versions, add SECURITY.md and security CI#1
nevinshine with Copilot wants to merge 3 commits into
mainfrom
copilot/harden-repository-security

Conversation

Copilot AI commented Apr 10, 2026

Copy link
Copy Markdown

Addresses supply-chain risk (unpinned Python deps), Go toolchain inconsistency, missing vulnerability disclosure process, and absence of any security gates in CI.

Changes

  • cortex/requirements.txt — Replace all >= specifiers with exact pinned versions for reproducible installs; bump protobuf to 5.29.6 to patch two CVEs (DoS + JSON recursion depth bypass):

    grpcio==1.67.1
    grpcio-tools==1.67.1
    protobuf==5.29.6
    PyYAML==6.0.2
    dnslib==0.9.25
    
  • go.mod normalization — Align all three modules to go 1.23.0 (primary module baseline); telos_core/mirage_poc was on the non-existent 1.25.6, telos_edge/loader was on 1.21.

  • SECURITY.md — Added at repo root with supported versions, private reporting channels (GitHub Security Advisories + email), triage SLA table, coordinated disclosure process, and explicit in/out-of-scope definition.

  • .github/workflows/security.yml — New workflow (push + PR on main) with three jobs:

    • go-security: govulncheck (CVE DB) + gosec (SAST) across all Go modules in a matrix; SARIF uploaded to GitHub Security tab
    • python-audit: pip-audit against cortex/requirements.txt, fails on any finding
    • secret-scan: gitleaks over full git history
Original prompt

Harden repository security and production reproducibility in nevinshine/telos-runtime.

Implement the following changes:

  1. Pin Python dependencies
  • File: cortex/requirements.txt
  • Replace unbounded specifiers (>=) with exact pinned versions for all existing dependencies.
  • Keep current package set unless a package is clearly optional/commented; preserve comments where useful.
  • Ensure resulting file is deterministic and suitable for reproducible builds.
  1. Normalize Go versions across modules
  • Files:
    • telos_core/loader/go.mod
    • telos_core/mirage_poc/go.mod
    • any other go.mod files in repo discovered during work
  • Set all modules to a consistent, production-ready Go version line.
  • Use a realistic currently-supported stable version already used in repo when possible (prefer consistency with primary module).
  • Do not otherwise change module dependencies unless necessary for go mod validity.
  1. Add SECURITY.md
  • Create SECURITY.md at repository root.
  • Include:
    • Supported versions policy
    • How to report vulnerabilities privately
    • Expected response/triage timelines
    • Disclosure/coordinated release process
    • Scope statement (what is in/out of scope)
  • Keep it concise and professional.
  1. Add security CI workflow
  • Create .github/workflows/security.yml with GitHub Actions jobs that run on push and pull_request.
  • Include at minimum:
    • Go security checks for Go modules (gosec and govulncheck, or equivalent practical checks)
    • Python dependency vulnerability audit for cortex/requirements.txt (pip-audit or equivalent)
    • Secret scanning step suitable for CI (e.g., gitleaks action)
  • Ensure workflow uses maintained actions and reasonable caching/performance.
  • Make jobs fail on security findings by default.
  • Keep workflow readable and documented with comments.
  1. Keep changes minimal and focused
  • Do not refactor unrelated code.
  • Ensure files are syntactically valid.
  • Include clear PR title/description summarizing hardening changes.

Acceptance criteria:

  • Python requirements are pinned exactly.
  • All go.mod files in repo have consistent Go version line.
  • SECURITY.md exists with disclosure policy and SLA.
  • .github/workflows/security.yml exists and runs the required checks.
  • PR is created against base branch main in nevinshine/telos-runtime.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: to be the greatest system security rsearcher and architect...what flaws in my repo shpuld be fixed to make it so perfect ever to be a best production ready one

Assistant: Great goal. To tell you exactly what flaws to fix, I need the specific GitHub repository first.

Please share:

  1. Repo in owner/repo format (e.g., nevinshine/my-service)
  2. Optional: target branch (e.g., main)
  3. Optional: stack/context (Node, Python, K8s, cloud provider, etc.)

Once you provide that, I can run a focused security + production-readiness audit and give you a prioritized fix list (critical → low), including architecture, code, CI/CD, secrets handling, authn/authz, supply chain, and observability gaps.

User: thee

Assistant: Perfect — you’ve got a serious systems-security portfolio.

Recommendation: start with nevinshine/telos-runtime as your production-hardening anchor, then apply the same baseline to the kernel-level repos (hyperion-xdp, sentinel-runtime, sentinel-cc, sentinel-vmi) and finally telos-lang.

If you want, I can now run an actual repo-by-repo audit using tools and give exact file-level flaws.
For now, here’s the highest-impact flaw checklist to fix first:

Top flaws that usually block “best production-ready” status

  1. No threat model / trust-boundary spec in-repo

    • Fix: add docs/threat-model.md with assets, attackers, assumptions, and out-of-scope.
  2. Unsafe C defaults

    • Fix: enforce hardening flags everywhere:
      -fstack-protector-strong -D_FORTIFY_SOURCE=3 -fPIE -pie -Wl,-z,relro,-z,now -Wformat -Werror=format-security
    • Add UB/ASAN/MSAN fuzz/test jobs.
  3. eBPF verifier/CO-RE compatibility not pinned

    • Fix: matrix test kernel versions + strict verifier logs in CI; freeze BTF/CO-RE assumptions.
  4. Privilege model too broad

    • Fix: least privilege for all daemons; drop capabilities; seccomp/AppArmor/SELinux profiles; no root-by-default runtime paths.
  5. No signed builds / provenance

    • Fix: SLSA provenance + artifact signing (e.g., Sigstore cosign), reproducible build target, SBOM (SPDX/CycloneDX).
  6. Dependency/supply-chain drift

    • Fix: lockfiles, pinned toolchains, dependabot/renovate, CVE gate in CI (fail on critical).
  7. Insufficient memory-safety testing depth

    • Fix: fuzz parsers/protocol handlers/syscall decoders with coverage targets and crash triage SLA.
  8. Weak secrets handling

    • Fix: remove all static secrets; OIDC short-lived creds in CI; secret scanning + push protection + commit history scrub.
  9. **Missing incid...

This pull request was created from Copilot chat.

Copilot AI and others added 2 commits April 10, 2026 12:54
…ITY.md and security CI workflow

Agent-Logs-Url: https://github.com/nevinshine/telos-runtime/sessions/a86f589c-17d5-460e-8ab5-fbc19207cfc7

Co-authored-by: nevinshine <182664674+nevinshine@users.noreply.github.com>
Copilot AI changed the title [WIP] Harden repository security and production reproducibility Security hardening: pin Python deps, normalize Go versions, add SECURITY.md and security CI Apr 10, 2026
Copilot AI requested a review from nevinshine April 10, 2026 12:58
@nevinshine nevinshine closed this Apr 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants