From 76d6f626cf2da68f5b28a095472ec9d02f17e098 Mon Sep 17 00:00:00 2001
From: Pyronewbic
Date: Wed, 20 May 2026 23:06:36 +0530
Subject: [PATCH 1/2] sec: enforce Binary Auth REQUIRE_ATTESTATION policy

---
 terraform/binary-auth.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/terraform/binary-auth.tf b/terraform/binary-auth.tf
index 3d90bed..7d74f00 100644
--- a/terraform/binary-auth.tf
+++ b/terraform/binary-auth.tf
@@ -79,8 +79,12 @@ resource "google_binary_authorization_policy" "default" {
   global_policy_evaluation_mode = "ENABLE"
 
   default_admission_rule {
-    evaluation_mode = "ALWAYS_ALLOW"
+    evaluation_mode = "REQUIRE_ATTESTATION"
     enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+
+    require_attestations_by = [
+      google_binary_authorization_attestor.deploy.name,
+    ]
   }
 
   depends_on = [google_project_service.binaryauthorization]

From 7c0b79f81822bc2660e4c5cbaad40b4a0e81fd0d Mon Sep 17 00:00:00 2001
From: Pyronewbic
Date: Thu, 21 May 2026 00:03:30 +0530
Subject: [PATCH 2/2] docs: update Binary Auth to REQUIRE_ATTESTATION in CLAUDE.md and internals

---
 CLAUDE.md | 2 +-
 docs/internals.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index b4b167b..19245f9 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
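Review bot: The new `require_attestations_by` block carries no comment recording what the rule now rejects, and that is the fact a future maintainer most needs when the attestor is renamed or the mode is relaxed; add above it `# REQUIRE_ATTESTATION + ENFORCED_BLOCK_AND_AUDIT_LOG: an image digest with no valid attestation from the "deploy" attestor is rejected at deploy time and the denial is written to the audit log.` The rule is only as strong as the rest of `google_binary_authorization_policy.default` allows: any `admission_whitelist_patterns` declared in the part of the resource outside this hunk would still exempt matching images, so that list should be confirmed empty or deliberately scoped, and the retained `global_policy_evaluation_mode = "ENABLE"` already exempts Google-maintained system images. If the deploy pipeline's attestations have not yet been verified end to end against this attestor, staging the switch through `enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"` first would surface verification failures in the audit log without blocking a release. The resource body begins before and continues after this hunk.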
@@ -115,7 +115,7 @@ Strict palette — no deviations:
 - **Deploy:** Kaniko v1.23.2 --reproducible → cosign sign → Binary Auth attestation (KMS) → SBOM attest (Syft SPDX from container) → build provenance (actions/attest-build-provenance) → deploy by digest → both regions → health check → OWASP ZAP DAST
 - **Custom Wolfi base image:** us-docker.pkg.dev/casecomp-495718/casecomp-node24/node24. Built with apko. 9 smoke tests. 0 CVEs.
 - **Supply chain:** SBOM + SLSA attestations on image digest, SHA-pinned GitHub Actions, Dependabot, lockfile-lint, Socket.dev, pre-commit hook (blocks .env, secrets, large files)
-- **Binary Authorization:** ENFORCED on both Cloud Run services, KMS-backed attestor, deploy pipeline creates attestations
+- **Binary Authorization:** REQUIRE_ATTESTATION enforced on both Cloud Run services, KMS-backed attestor (EC P256, deploy-attestor), deploy pipeline creates attestations via `gcloud beta container binauthz attestations sign-and-create`
 - **Secret workflow:** Add to secrets.tf → CI creates → `gcloud secrets versions add` for value. Never `gcloud secrets create`.
 - Secrets: EBAY_CLIENT_ID/SECRET, ANTHROPIC_API_KEY, TOGETHER_API_KEY, PSA_AUTH_TOKEN, CASECOMP_API_KEY, CASECOMP_SANDBOX_KEY, RESEND_API_KEY, CASECOMP_JWT_SECRET, GOOGLE_OAUTH_CLIENT_ID, CASECOMP_ADMIN_SUB
diff --git a/docs/internals.md b/docs/internals.md
index 07d01f2..011c404 100644
--- a/docs/internals.md
+++ b/docs/internals.md
@@ -188,7 +188,7 @@ Three workflows: `ci.yml` (all checks), `deploy.yml` (build + sign + deploy), `t
 | apko + Wolfi | Base image | Custom Node 24 image, manual `workflow_dispatch` |
 | Dependabot | Weekly | npm + GitHub Actions version updates |
 | RASP | Runtime | SQLi/XSS/cmdi/traversal/NoSQLi/proto-pollution detection, anomaly scoring |
-| Binary Auth | Cloud Run | ENFORCED policy (blocks unsigned images) |
+| Binary Auth | Cloud Run | REQUIRE_ATTESTATION policy (blocks unattested images) |
 ## Scheduled tasks