
chore: SafeguardJava repo hygiene#163

Merged: petrsnd merged 2 commits into OneIdentity:main from petrsnd:security/hygiene-20260522-java on May 27, 2026

Conversation

@petrsnd (Member) commented May 26, 2026

Summary

Repository hygiene follow-up for SafeguardJava security review.

Commits

  • b5cdac9 — adds Dependabot configuration for automated dependency update visibility.
  • 59db67e — adds CodeQL workflow for continuous static analysis coverage.

Notes

No product code changes are included in this hygiene branch.

petrsnd added 2 commits May 23, 2026 20:51

  • Enable weekly Dependabot updates for the maven and github-actions ecosystems. Major-version bumps are excluded; patch and minor updates are grouped per ecosystem. Closes the W9 file-driven half of the hygiene gap (PVD remains a repo-settings toggle).
  • Enable CodeQL security-and-quality analysis for Java (java-kotlin, build-mode: none) and GitHub Actions on push/PR to main plus a weekly schedule. JDK 8 (temurin) matches the pom.xml source/target 1.8 baseline.
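A Dependabot configuration that matches the behaviour the first commit message describes (weekly checks for maven and github-actions, major-version bumps ignored, minor and patch updates grouped per ecosystem), added here as an illustration rather than the file from commit b5cdac9; the group names and the root `directory` are assumptions.

```yaml
# .github/dependabot.yml (illustrative reconstruction, not the PR's own file)
version: 2
updates:
  # Maven dependencies declared in pom.xml at the repository root (assumed location)
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Exclude major-version bumps for every dependency; those get a manual review
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    # Batch the remaining minor and patch updates into one PR per week
    groups:
      maven-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Actions referenced from workflows under .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    groups:
      actions-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

The `ignore` entry keeps breaking upgrades out of the automated PRs, while the `groups` entry limits the weekly noise to one PR per ecosystem; major bumps still surface in the Dependabot alerts view so they are not lost.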
@petrsnd petrsnd requested a review from a team as a code owner May 26, 2026 21:46
@petrsnd (Member, Author) commented May 26, 2026

Partial live verification against 192.168.117.15 admin smoke 2026-05-26. Manual Java SDK read-only probe passed; oversized response cap was not safely triggerable live. Full log: .security-review-impl-logs/live-sweep/java-live.log

@petrsnd (Member, Author) commented May 27, 2026

Full live appliance sweep re-run (mutation allowed) completed against 192.168.117.15.

Results:

  • SafeguardDotNet (security/review-20260522-dotnet): 15 suites, 71 passed / 0 failed / 2 skipped. SpsIntegration excluded because no SPS appliance was in the lease. Cleanup audit: no SgDnTest objects remained.
  • PySafeguard (security/review-20260522-py): after installing the optional SignalR extra required by event tests, full pytest passed: 453 passed / 0 failed / 0 skipped. Cleanup audit found one leaked PySg_ event-test user; it was deleted and re-audit showed 0 remaining.
  • safeguard.js (security/review-20260522-js): integration suite passed: 11 files, 55 passed / 0 failed / 0 skipped. Cleanup audit: no SgJs_ objects remained.
  • safeguard-bash (security/review-20260522-bash): full suite executed with SAFEGUARD_ALLOW_LOCALHOST=1 after the stock runner PKCE preflight failed against the private appliance address. Result: 14 suites, 323 passed / 10 failed / 0 skipped. Failures are confined to A2A and A2A Access Request Broker retrieval/broker negative-path checks. Cleanup audit: no SgBashTest objects remained.
  • SafeguardJava (security/review-20260522-java): PowerShell integration runner passed: 9 suites, 59 passed / 0 failed / 0 skipped; SpsIntegration excluded because no SPS appliance was in the lease. FP-004 cap regression unit test also passed: 6 passed / 0 failed / 0 skipped. Cleanup audit: no SgJTest objects remained.

Lease released in SECURITY-REVIEW.md. Follow-up needed: investigate safeguard-bash A2A failures and the PySafeguard event-test cleanup leak.

@petrsnd petrsnd merged commit e59402b into OneIdentity:main May 27, 2026
1 check passed