name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '7 11 * * 6'
release:
types: [published]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
fast-security:
name: Fast Security Checks
runs-on: cachekit
if: github.event_name == 'push' || github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 with:
toolchain: "stable"
components: clippy
- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-security-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-security-
${{ runner.os }}-cargo-
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Install cargo-deny
run: cargo install cargo-deny --locked
- name: Run cargo audit (CVE scanning)
run: cargo audit
- name: Run cargo deny (license compliance + advisories)
run: cargo deny check
- name: Run clippy (strict linting)
run: cargo clippy --all-features --all-targets -- -D warnings
- name: Run tests
run: cargo test --all-features
quick-fuzz:
name: Quick Fuzz (Corpus Only)
runs-on: cachekit
if: github.event_name == 'push' || github.event_name == 'pull_request'
strategy:
fail-fast: false
matrix:
target:
- byte_storage_checksum_collision
- byte_storage_compress
- byte_storage_corrupted_envelope
- byte_storage_decompress
- byte_storage_empty_data
- byte_storage_format_injection
- byte_storage_integer_overflow
- compression_bomb
- encryption_aad_injection
- encryption_key_derivation
- encryption_large_payload
- encryption_nonce_reuse
- encryption_roundtrip
- encryption_truncated_ciphertext
- integration_layered_security
- key_derivation
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2
- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
fuzz/target/
key: ${{ runner.os }}-cargo-fuzz-nightly-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-fuzz-nightly-
${{ runner.os }}-cargo-
- name: Install cargo-fuzz
run: cargo install cargo-fuzz
- name: Run quick fuzz (corpus only)
run: |
cd fuzz
# Build first - fail fast on compile errors
cargo fuzz build ${{ matrix.target }}
# libFuzzer self-exits at -max_total_time (graceful "Done ..."); the outer
# `timeout` is a +30s hang safety-net only. Buffer matters because libFuzzer's
# clock starts after build/corpus-load, so an equal `timeout` would always
# SIGTERM first ("run interrupted") and the graceful path would be unreachable.
# Exit 124 (timeout fired = genuine hang) is still tolerated.
timeout 150 cargo fuzz run ${{ matrix.target }} -- -runs=0 -max_total_time=120 || [ $? -eq 124 ]
deep-fuzz:
name: Deep Fuzzing (8 hours)
runs-on: cachekit
if: github.event_name == 'schedule'
timeout-minutes: 540
strategy:
fail-fast: false
matrix:
target:
- byte_storage_checksum_collision
- byte_storage_compress
- byte_storage_corrupted_envelope
- byte_storage_decompress
- byte_storage_empty_data
- byte_storage_format_injection
- byte_storage_integer_overflow
- compression_bomb
- encryption_aad_injection
- encryption_key_derivation
- encryption_large_payload
- encryption_nonce_reuse
- encryption_roundtrip
- encryption_truncated_ciphertext
- integration_layered_security
- key_derivation
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2
- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
fuzz/target/
key: ${{ runner.os }}-cargo-fuzz-nightly-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-fuzz-nightly-
${{ runner.os }}-cargo-
- name: Install cargo-fuzz
run: cargo install cargo-fuzz
- name: Run deep fuzz (8 hours per target)
run: |
cd fuzz
# Build first - fail fast on compile errors
cargo fuzz build ${{ matrix.target }}
# libFuzzer self-exits at -max_total_time=8h with a graceful "Done N runs ..."
# (final stats + corpus consolidation). The outer `timeout` is +3min slack so
# it only fires on a genuine hang — NOT as the normal end-of-budget stop. An
# equal `timeout` would always win the race (libFuzzer's clock starts later,
# after build/corpus-load) and every run would log "run interrupted" instead,
# making a real hang indistinguishable from normal completion. Still inside the
# 540min job cap. Exit 124 (hang killed by timeout) remains tolerated.
timeout 28980 cargo fuzz run ${{ matrix.target }} -- -max_total_time=28800 || [ $? -eq 124 ]
- name: Upload crash artifacts
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a with:
name: fuzz-crashes-${{ matrix.target }}
path: fuzz/artifacts/${{ matrix.target }}/
if-no-files-found: ignore
kani:
name: Kani Formal Verification
runs-on: cachekit
if: github.event_name == 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 with:
toolchain: "1.85"
- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-kani-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-kani-
${{ runner.os }}-cargo-
- name: Install Kani
run: |
cargo install --locked kani-verifier || echo "Kani install failed, skipping verification"
cargo kani setup || echo "Kani setup failed, skipping verification"
- name: Run Kani verification
run: cargo kani --all-features || echo "Kani verification failed or not supported"
continue-on-error: true
cargo-vet:
name: Cargo Vet (Supply Chain)
runs-on: cachekit
if: github.event_name == 'schedule' || github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 with:
toolchain: "1.85"
- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-vet-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-vet-
${{ runner.os }}-cargo-
- name: Install cargo-vet
run: cargo install cargo-vet --locked
- name: Run cargo vet
run: cargo vet
sbom:
name: Generate SBOM
runs-on: cachekit
if: github.event_name == 'release'
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 with:
toolchain: "1.85"
- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-sbom-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-sbom-
${{ runner.os }}-cargo-
- name: Install cargo-sbom
run: cargo install cargo-sbom --locked
- name: Generate SBOM
run: cargo sbom > cachekit-core-sbom.json
- name: Upload SBOM as release asset
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: ./cachekit-core-sbom.json
asset_name: cachekit-core-sbom.json
asset_content_type: application/json