v0.8.3 — Cycle 1 follow-up: CI regression gates + weekly fuzz cron + Node 24
Cycle 1 follow-up release. No changes to src/ciguard/; this release wires the four Cycle 1 PoC scripts in as permanent CI regression gates and adds the weekly atheris fuzz schedule (both recommended in the Cycle 1 final report), and bumps GitHub Actions to Node 24 ahead of the June 2026 deprecation.
Highlights
CI regression coverage (Cycle 1 Recommendation #2)
The four Cycle 1 PoC scripts (closed in v0.8.2: GHSA-8cxw-cc62-q28v, GHSA-jrm4-4pcf-4763, GHSA-xw8c-rrvx-f7xq, GHSA-7ww3-xvf5-cxwm) now live as regression scripts at tests/regression/cycle1/. A new regression-cycle1 job in the reusable _checks.yml workflow runs all four on every push, every PR, and every release tag. The container PoC builds the image locally first so the gate fires before publish, not after.
Each script's exit code encodes the outcome (0 = EXPLOIT_CONFIRMED, 1 = EXPLOIT_FAILED); the CI step inverts it, so a script that still exits 0 (the exploit works again) fails the build and only exit 1 passes.
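The inversion is easy to get subtly wrong, so here is the gate logic written out in Python as an added illustration (this is not the project's `_checks.yml` step). It treats exit 1 as pass and exit 0 as regression, and additionally refuses to pass a PoC that died with a Python traceback or a timeout: an uncaught exception also exits 1 and would otherwise be indistinguishable from EXPLOIT_FAILED. The `demo` commands are constructed stand-ins for the scripts in tests/regression/cycle1/.

```python
"""Regression gate for Cycle 1-style PoC scripts (added example, not ciguard's CI).

Assumed convention, taken from the release note: a PoC exits 0 for
EXPLOIT_CONFIRMED and 1 for EXPLOIT_FAILED. Any other exit code, a timeout,
or a Python traceback on stderr means the script itself broke, which must
fail the gate rather than silently count as "fix still holds".
"""
import subprocess
import sys
from typing import Dict, Sequence, Tuple

EXPLOIT_CONFIRMED = 0   # the bug is back: the build must fail
EXPLOIT_FAILED = 1      # the fix holds: the gate passes
TIMEOUT_EXIT = 124      # mirrors coreutils `timeout`; never a pass

TRACEBACK_MARKER = b"Traceback (most recent call last)"


def gate_result(exit_code: int, stderr: bytes = b"") -> str:
    """Map one PoC run to a verdict: 'pass', 'regression' or 'harness-error'."""
    if TRACEBACK_MARKER in stderr:
        # An uncaught exception also exits 1, so check stderr before the code.
        return "harness-error"
    if exit_code == EXPLOIT_FAILED:
        return "pass"
    if exit_code == EXPLOIT_CONFIRMED:
        return "regression"
    return "harness-error"


def run_poc(cmd: Sequence[str], timeout_s: float = 300.0) -> Tuple[int, bytes]:
    """Run a PoC with a hard timeout; return (exit code, captured stderr)."""
    try:
        proc = subprocess.run(list(cmd), timeout=timeout_s, capture_output=True)
    except subprocess.TimeoutExpired as exc:
        return TIMEOUT_EXIT, exc.stderr or b""
    return proc.returncode, proc.stderr


def run_gate(pocs: Dict[str, Sequence[str]], timeout_s: float = 300.0) -> Dict[str, str]:
    """Run every PoC and collect verdicts by name."""
    return {name: gate_result(*run_poc(cmd, timeout_s)) for name, cmd in pocs.items()}


def gate_exit_code(verdicts: Dict[str, str]) -> int:
    """0 only when every PoC flipped to EXPLOIT_FAILED; anything else fails the build."""
    return 0 if verdicts and all(v == "pass" for v in verdicts.values()) else 1


if __name__ == "__main__":
    # Constructed stand-ins for tests/regression/cycle1/*.py, each a tiny
    # `python -c` program with a fixed behaviour.
    demo = {
        "fixed":     [sys.executable, "-c", "raise SystemExit(1)"],   # EXPLOIT_FAILED
        "regressed": [sys.executable, "-c", "raise SystemExit(0)"],   # EXPLOIT_CONFIRMED
        "crashed":   [sys.executable, "-c", "import module_that_does_not_exist"],
    }
    verdicts = run_gate(demo)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    sys.exit(gate_exit_code(verdicts))
```

The CI step then only needs to run this file and let its exit status fail the job; if your PoCs already exit with a distinct code (2, say) on internal errors, the traceback check becomes a belt-and-braces measure rather than the only thing distinguishing "fix holds" from "script blew up".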
Weekly atheris fuzz cron (Cycle 1 Recommendation #3)
New .github/workflows/atheris-fuzz.yml runs 1M-iteration coverage-guided fuzz across all three parsers (GitLabCIParser, GitHubActionsParser, hand-rolled JenkinsfileParser) every Sunday 06:00 UTC. Per-input timeout 10 s, total budget 30 min. Crash → uploads input as a 30-day artifact + opens an issue tagged security + fuzz-finding. Cycle 1 ran 220k iterations clean; weekly 1M is cheap insurance against parser regressions across new rule additions.
Node 24 readiness
Bumped actions/checkout v4 → v6.0.2 and actions/setup-python v5 → v6.2.0 in the bandit + pip-audit jobs. Bumped actions/upload-artifact v4.6.0 → v7.0.1 and actions/github-script v7.0.1 → v9.0.0 in the new atheris workflow. Bumped docker/setup-qemu-action v3 → v4.0.0. All other action pins were already on Node 24-capable versions. Default Node-24 switch on GitHub-hosted runners arrives 2026-06-02; full Node 20 removal Fall 2026.
Full changelog
See CHANGELOG.md.
Cycle 1 final report
The full CREST-style report (~28 pages) covering methodology, all four findings, Phase 7 retest evidence, and the disclosure decision is attached to this release as a PDF asset.
Install
```bash
pip install ciguard==0.8.3
# or with MCP server
pip install 'ciguard[mcp]==0.8.3'
# Multi-arch container
docker pull ghcr.io/jo-jo98/ciguard:v0.8.3
```
447 tests passing. Lint clean. All Cycle 1 PoCs flip to EXPLOIT_FAILED.