fix(security): harden image context and runtime receipts
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
This commit is contained in:
@@ -35,6 +35,9 @@ def test_security_governance_review_is_honest_and_release_gate_passes():
|
||||
assert access["unguarded_count"] == 8
|
||||
dependencies = checks["ID.RA-dependency-vulnerability-management"]["evidence"]
|
||||
assert dependencies["sbom_files"] == []
|
||||
supply = checks["GV.SC-gitea-only-supply-chain"]
|
||||
assert supply["status"] == "pass"
|
||||
assert supply["evidence"]["docker_build_context"]["safe"] is True
|
||||
quality = checks["GV.QA-test-governance"]
|
||||
assert quality["status"] == "partial"
|
||||
assert quality["evidence"]["collection_error_count"] == 1
|
||||
@@ -72,6 +75,58 @@ def test_security_governance_cli_strict_mode_passes_source_gate():
|
||||
assert payload["status"] == "partial"
|
||||
|
||||
|
||||
def test_security_governance_cli_can_emit_commit_bound_source_receipt():
|
||||
source_commit = "a" * 40
|
||||
completed = subprocess.run(
|
||||
[
|
||||
sys.executable,
|
||||
str(ROOT / "scripts" / "ops" / "report_security_governance_review.py"),
|
||||
"--root",
|
||||
str(ROOT),
|
||||
"--strict",
|
||||
"--source-commit",
|
||||
source_commit,
|
||||
],
|
||||
cwd=ROOT,
|
||||
capture_output=True,
|
||||
text=True,
|
||||
timeout=30,
|
||||
check=False,
|
||||
)
|
||||
|
||||
assert completed.returncode == 0, completed.stderr or completed.stdout
|
||||
payload = json.loads(completed.stdout)
|
||||
assert payload["receipt_kind"] == "security_governance_source_receipt"
|
||||
assert payload["source_commit"] == source_commit
|
||||
assert payload["release_gate"]["status"] == "pass"
|
||||
|
||||
|
||||
def test_runtime_subset_uses_commit_bound_source_receipt(tmp_path):
|
||||
from services.security_governance_review_service import (
|
||||
build_security_governance_review,
|
||||
)
|
||||
|
||||
source_report = build_security_governance_review(root=ROOT)
|
||||
source_report["receipt_kind"] = "security_governance_source_receipt"
|
||||
source_report["source_commit"] = "b" * 40
|
||||
governance = tmp_path / "governance"
|
||||
governance.mkdir()
|
||||
(governance / "security_governance_source_receipt.json").write_text(
|
||||
json.dumps(source_report, ensure_ascii=False),
|
||||
encoding="utf-8",
|
||||
)
|
||||
|
||||
runtime_report = build_security_governance_review(root=tmp_path)
|
||||
checks = {item["id"]: item for item in runtime_report["checks"]}
|
||||
|
||||
supply = checks["GV.SC-gitea-only-supply-chain"]
|
||||
policy = checks["GV.PO-policy-alignment"]
|
||||
assert supply["status"] == "pass"
|
||||
assert supply["evidence"]["evidence_source"] == "cd_source_receipt"
|
||||
assert policy["status"] == "pass"
|
||||
assert policy["evidence"]["evidence_source"] == "cd_source_receipt"
|
||||
|
||||
|
||||
def test_sensitive_blueprint_policy_denies_anonymous_api(monkeypatch):
|
||||
import auth
|
||||
from services.http_access_policy_service import enforce_http_access_policy
|
||||
|
||||
Reference in New Issue
Block a user