fix(security): harden image context and runtime receipts
Some checks failed
CD Pipeline / deploy (push) Has been cancelled

This commit is contained in:
ogt
2026-07-10 19:13:22 +08:00
parent c839ac3eff
commit b2be34a923
12 changed files with 246 additions and 16 deletions

View File

@@ -35,6 +35,9 @@ def test_security_governance_review_is_honest_and_release_gate_passes():
assert access["unguarded_count"] == 8
dependencies = checks["ID.RA-dependency-vulnerability-management"]["evidence"]
assert dependencies["sbom_files"] == []
supply = checks["GV.SC-gitea-only-supply-chain"]
assert supply["status"] == "pass"
assert supply["evidence"]["docker_build_context"]["safe"] is True
quality = checks["GV.QA-test-governance"]
assert quality["status"] == "partial"
assert quality["evidence"]["collection_error_count"] == 1
@@ -72,6 +75,58 @@ def test_security_governance_cli_strict_mode_passes_source_gate():
assert payload["status"] == "partial"
def test_security_governance_cli_can_emit_commit_bound_source_receipt():
source_commit = "a" * 40
completed = subprocess.run(
[
sys.executable,
str(ROOT / "scripts" / "ops" / "report_security_governance_review.py"),
"--root",
str(ROOT),
"--strict",
"--source-commit",
source_commit,
],
cwd=ROOT,
capture_output=True,
text=True,
timeout=30,
check=False,
)
assert completed.returncode == 0, completed.stderr or completed.stdout
payload = json.loads(completed.stdout)
assert payload["receipt_kind"] == "security_governance_source_receipt"
assert payload["source_commit"] == source_commit
assert payload["release_gate"]["status"] == "pass"
def test_runtime_subset_uses_commit_bound_source_receipt(tmp_path):
from services.security_governance_review_service import (
build_security_governance_review,
)
source_report = build_security_governance_review(root=ROOT)
source_report["receipt_kind"] = "security_governance_source_receipt"
source_report["source_commit"] = "b" * 40
governance = tmp_path / "governance"
governance.mkdir()
(governance / "security_governance_source_receipt.json").write_text(
json.dumps(source_report, ensure_ascii=False),
encoding="utf-8",
)
runtime_report = build_security_governance_review(root=tmp_path)
checks = {item["id"]: item for item in runtime_report["checks"]}
supply = checks["GV.SC-gitea-only-supply-chain"]
policy = checks["GV.PO-policy-alignment"]
assert supply["status"] == "pass"
assert supply["evidence"]["evidence_source"] == "cd_source_receipt"
assert policy["status"] == "pass"
assert policy["evidence"]["evidence_source"] == "cd_source_receipt"
def test_sensitive_blueprint_policy_denies_anonymous_api(monkeypatch):
import auth
from services.http_access_policy_service import enforce_http_access_policy