security: bump toolchain/x-net for CVEs and tighten CI gates#483
Sensitive Change Detection (shadow mode): This PR modifies control-plane files:
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: feaed83814
Pull request overview
This PR upgrades the Go toolchain/dependencies to address reported CVEs and strengthens the CI security workflow by making security scanners more tamper-resistant and stricter.
Changes:
- Add `toolchain go1.26.3` and bump `golang.org/x/net` (and related indirect sums) to newer patched versions.
- Harden gitleaks installation in CI by verifying the downloaded release tarball against a pinned SHA-256.
- Tighten the standalone gosec CI job by removing `-no-fail` and excluding the existing accepted baseline rule set.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| go.mod | Pins the Go toolchain and bumps indirect x/net / x/term versions. |
| go.sum | Updates module checksums to match the bumped indirect dependencies. |
| .github/workflows/security.yml | Hardens gitleaks install via checksum verification and turns gosec into a failing gate. |
Reviewed commit: 54c2ef1b25
| github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect | ||
| github.com/yuin/goldmark-emoji v1.0.6 // indirect | ||
| golang.org/x/net v0.48.0 // indirect | ||
| golang.org/x/net v0.55.0 // indirect |
Update Nix vendor hash with dependency bump
Because this dependency bump changes the module graph, the fixed-output vendorHash in nix/package.nix also needs to be regenerated; it is still the pre-bump hash. In the contexts that build the flake (nix build, including the release workflow's nix-verify step), buildGoModule will reject the vendored dependency hash until scripts/update-nix-flake.sh/make update-nix-hash updates that value.
Flagged for human review — the vendorHash in nix/package.nix is indeed stale after the x/net + x/term bump and needs updating, but recomputing it requires a nix toolchain, which is not available in this environment. A maintainer with nix should run scripts/update-nix-flake.sh (or set vendorHash = lib.fakeHash and nix build, then paste the corrected hash). Leaving this thread open until then.
Reviewed commit: 0cb36ba9a6
|
|
||
| go 1.26 | ||
|
|
||
| toolchain go1.26.3 |
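Review bot: the `toolchain go1.26.3` directive added in this hunk only switches the compiler when the `go` command runs with GOTOOLCHAIN at its default (`auto`); a runner or container that sets GOTOOLCHAIN=local keeps building with whatever Go it has installed, so the toolchain CVE fix would silently not apply there. Worth confirming that the security workflow does not set GOTOOLCHAIN=local and having the job print `go version`, so the log shows that 1.26.3 is actually in use.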
Pin the Nix compiler to the patched Go toolchain
For Nix builds, this toolchain directive does not update the compiler selected by nix/package.nix: that derivation explicitly overrides buildGoModule with go_1_26, and the locked nixpkgs rev in flake.lock currently defines that package as Go 1.26.0. After the already-noted vendorHash issue is fixed, nix build/release nix-verify will still produce a binary with the pre-1.26.3 standard library, so the toolchain CVE fix in this PR does not apply to the Nix package unless the flake/toolchain override is updated too.
Flagged for human review — correct catch: the go_1_26 override pins a nixpkgs rev predating Go 1.26.3, so the toolchain CVE fix doesn't reach nix build/nix-verify. Fixing it requires nix flake update nixpkgs (to a rev shipping Go 1.26.3) plus a nix build verification — which needs a nix toolchain that isn't available in this environment. Leaving this for a maintainer with nix, together with the stale vendorHash refresh.
- Set 'toolchain go1.26.3' and bump golang.org/x/net to v0.55.0, clearing all govulncheck-reachable advisories (x509 name-constraint bypass, TLS KeyUpdate DoS, HTTP/2 loop, et al.).
- Pin the gitleaks release download with a SHA-256 checksum before install.

The standalone gosec scan stays advisory (-no-fail, full SARIF upload). Its enforcing counterpart is golangci-lint (make lint), which honors the repo's per-site //nolint:gosec suppressions; the standalone binary can't read those, and globally excluding rule IDs (e.g. G101/G204) to make it hard-fail would blind release scans to new hard-coded creds / unsafe exec.
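The checksum-pinned gitleaks install described in the commit message above, as an added example (not the repository's own workflow): a POSIX sh routine that verifies a downloaded release tarball against a pinned SHA-256 and refuses to extract it on mismatch. The tarball and both hashes are constructed locally so it runs offline; `sha256sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not the repo's security.yml: fail-closed checksum pinning
# of a release tarball before it is unpacked onto the CI runner.
set -eu

# verify_tarball FILE PINNED_SHA256 -> exit 0 only if the digest matches.
verify_tarball() {
  file=$1; pinned=$2
  # sha256sum -c reads "<hex digest>  <path>" lines; --status suppresses output
  printf '%s  %s\n' "$pinned" "$file" | sha256sum --status -c -
}

# install_pinned TARBALL PINNED_SHA256 DEST: extract into DEST only after the
# digest check passes; on mismatch nothing is created and the step fails.
install_pinned() {
  tarball=$1; pinned=$2; dest=$3
  if ! verify_tarball "$tarball" "$pinned"; then
    echo "checksum mismatch for $tarball; refusing to install" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest"
}

# Constructed fixture standing in for a downloaded release: a tarball holding
# a dummy "gitleaks" script (no network access needed).
make_fixture() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho fake-gitleaks\n' > "$dir/gitleaks"
  chmod +x "$dir/gitleaks"
  tar -czf "$dir/gitleaks.tar.gz" -C "$dir" gitleaks
  echo "$dir/gitleaks.tar.gz"
}

main() {
  tb=$(make_fixture)
  good=$(sha256sum "$tb" | cut -d' ' -f1)   # the value a maintainer would pin
  bad=$(printf '%064d' 0)                   # constructed wrong digest
  install_pinned "$tb" "$good" "$(dirname "$tb")/good" && echo "good: installed"
  install_pinned "$tb" "$bad" "$(dirname "$tb")/bad" || echo "bad: rejected"
}

main "$@"
```

In a workflow step the pinned digest lives as a literal in the YAML next to the pinned version, so a changed upstream artifact fails the job instead of being installed.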
Bump toolchain/x-net for CVEs and tighten CI security gates
(Threat: T5 supply chain / toolchain CVEs.)
- `toolchain go1.26.3` and `golang.org/x/net v0.55.0`. `govulncheck ./...` goes from 6 reachable advisories (x509 name-constraint bypass GO-2026-4866, TLS KeyUpdate DoS GO-2026-4870, x/net + net/http HTTP/2 loop GO-2026-4918, et al.) to "No vulnerabilities found."
- Standalone gosec stays advisory (`-no-fail`, with full SARIF upload to the security tab) — it surfaces findings without failing the build. Enforcement of the gosec rule set is via `golangci-lint` (`make lint`), which honors the repo's `//nolint:gosec` suppressions (standalone gosec v2.25.0 does not — `Nosec: 0`) and deliberately treats `G304` as a CLI false-positive; golangci-lint is the gate that hard-fails on any new gosec-class finding (weak crypto, SQLi, etc.).
- `sdk-provenance.json` unchanged (the SDK itself didn't change).

Part 6/6 of the stacked security series. Base: `security/05-perms-and-exec-args`. Suggest landing last, since the gosec gate is the most likely to surface a follow-up.

📚 Stack (merge bottom-up)
- `api` to prevent token leak #478 — reject foreign-host URLs in `api` (base `main`)

Each is independent except #482 depends on #481 (shared `root.go`). #478 can land first/alone.

Summary by cubic
Updates the Go toolchain and `golang.org/x/net` to clear reachable CVEs; `govulncheck` now reports none. CI pins the `gitleaks` v8.21.2 tarball by SHA-256 before install and keeps the standalone `gosec` scan advisory-only with SARIF upload (enforced via `golangci-lint`).
- `toolchain go1.26.3`
- `golang.org/x/net` to `v0.55.0`
- `golang.org/x/term` to `v0.43.0`

Written for commit 5522054.