Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add checksec to CI #2875

Open
psilva-veeam opened this issue May 8, 2024 · 4 comments
Open

Add checksec to CI #2875

psilva-veeam opened this issue May 8, 2024 · 4 comments
Assignees

Comments

@psilva-veeam
Copy link
Contributor

psilva-veeam commented May 8, 2024

Is your feature request related to a problem? Please describe.

As part of the OpenSSF badge to cover dynamic code checking, testing binaries is an accepted building block to solve this. checksec checks for properties of executables (like PIE, RELRO, Canaries, ASLR, Fortify Source) and can provide JSON output for automated processing.

https://slimm609.github.io/checksec.sh/

Describe the solution you'd like

Running checksec as part of the pipeline during Pull Requests and assert that fortifications are present.

./checksec --extended --file=controller

(--format=json provides json output)

Describe alternatives you've considered

Running as a job that is allowed to fail is another option. This seems unlikely to happen once it is working but not impossible e.g. when a new feature is added. One solution may be version pinning though.

Environment

  • Production builds

Additional context

  • generally the whole problem space gets simpler for fully static binaries, however cgo is by default enabled for DNS resolution to make use of nsswitch.conf https://pkg.go.dev/net#pkg-overview (and openssl when using the Microsoft fork)
Copy link
Contributor

github-actions bot commented May 8, 2024

Thanks for opening this issue 👍. The team will review it shortly.

If this is a bug report, make sure to include clear instructions how on to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.

If you haven't already, please take a moment to review our project's Code of Conduct document.

@julio-lopez
Copy link
Contributor

julio-lopez commented May 30, 2024

@hairyhum
Copy link
Contributor

@psilva-veeam we can run this command, but can you please give more info on what should we do with its output? Is it just pass or fail or should we parse and respond to the output values?

@psilva-veeam
Copy link
Contributor Author

Hi, yeah sure. Generally having full RELRO protection, PIE, NX and Stack Canaries would be great. The tool itself always returns with exit code 0 and at least one metric are open ended. One option might be to include the results with exit code 0 and in a later step adding constraints once all fortifications are present as useful

@github-project-automation github-project-automation bot moved this to To Be Triaged in Kanister Aug 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: To Be Triaged
Development

No branches or pull requests

4 participants