
Hardening security with compiler switches - /GS and /HIGHENTROPYVA#1843

Merged: shimat merged 11 commits into main from fix/hardening-security-flags on Mar 17, 2026

Conversation

shimat (Owner) commented Mar 15, 2026

Fix #1841

Summary by CodeRabbit

  • New Features
    • Added automated security hardening verification for Windows builds using security scanning tools.
  • Chores
    • Updated build configurations to enable security hardening across Windows and Linux builds.
    • Adjusted library paths for consistency in build artifacts.

shimat self-assigned this Mar 15, 2026
shimat marked this pull request as ready for review March 17, 2026 12:16
shimat merged commit 7732912 into main Mar 17, 2026
7 of 8 checks passed
shimat deleted the fix/hardening-security-flags branch March 17, 2026 12:17
coderabbitai bot commented Mar 17, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 956665d4-2073-47eb-a76f-b85442bd5f40

📥 Commits

Reviewing files that changed from the base of the PR and between 3ea3668 and bc42e87.

📒 Files selected for processing (4)
  • .github/workflows/manylinux.yml
  • .github/workflows/windows.yml
  • cmake/opencv_build_options.cmake
  • src/CMakeLists.txt

Walkthrough

The changes introduce security hardening to the build system by enabling MSVC compiler security flags (/GS, /guard:cf, /DYNAMICBASE, /HIGHENTROPYVA), activating OpenCV's ENABLE_BUILD_HARDENING option on Windows, updating manylinux OpenCV artifact paths from lib to lib64, and adding BinSkim security verification to the Windows workflow.

Changes

  • Build Security Hardening (cmake/opencv_build_options.cmake, src/CMakeLists.txt): Enables ENABLE_BUILD_HARDENING for Windows OpenCV builds and adds MSVC-specific compiler options (/guard:cf, /GS) and linker options (/guard:cf, /DYNAMICBASE, /HIGHENTROPYVA).
  • Windows Workflow Enhancement (.github/workflows/windows.yml): Adds a workflow_dispatch input with a run_binskim flag and introduces a "Verify security hardening with BinSkim" job step that downloads BinSkim, scans OpenCvSharpExtern.dll, parses the SARIF output, filters non-addressable findings (ERR997, BA2007), and fails if actionable errors remain.
  • Manylinux Build Paths (.github/workflows/manylinux.yml): Updates OpenCV artifact and cache paths from lib to lib64 in the full and slim builds; updates the OpenCV_DIR reference for OpenCvSharpExtern to point to lib64/cmake/opencv4.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


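The pass/fail logic the walkthrough attributes to the "Verify security hardening with BinSkim" step, re-implemented here as an added Python example (not the PR's own workflow code, which this page does not show): it parses a BinSkim SARIF log, drops ERR997 and BA2007, and fails only if error-level results remain. The sample report, the SARIF field defaults and the function names are assumptions.

```python
import json

# Rule IDs the workflow step on this page treats as non-addressable
# (ERR997: BinSkim could not load the PDB; BA2007: critical compiler
# warnings) and drops before deciding pass/fail.
IGNORED_RULES = frozenset({"ERR997", "BA2007"})


def actionable_errors(sarif: dict, ignored: frozenset = IGNORED_RULES) -> list[dict]:
    """Results at level 'error' not in `ignored`, across every run (runs[].results[]).
    A result with no level defaults to 'warning'; BinSkim passes carry level 'none'."""
    found = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            if result.get("level", "warning") == "error" and rule_id not in ignored:
                found.append({"ruleId": rule_id,
                              "message": result.get("message", {}).get("text", "")})
    return found


def gate_passes(sarif_text: str, ignored: frozenset = IGNORED_RULES) -> tuple[bool, list[dict]]:
    """Parse a SARIF document; return (passed, remaining actionable errors)."""
    errors = actionable_errors(json.loads(sarif_text), ignored)
    return (not errors, errors)


# Constructed sample report, not real BinSkim output. Rule IDs are BinSkim's
# (BA2008 EnableControlFlowGuard, BA2015 EnableHighEntropyVirtualAddresses).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "BinSkim"}},
        "results": [
            {"ruleId": "ERR997", "level": "error",
             "message": {"text": "could not load PDB for OpenCvSharpExtern.dll"}},
            {"ruleId": "BA2007", "level": "error",
             "message": {"text": "critical compiler warnings are not enabled"}},
            {"ruleId": "BA2008", "kind": "pass", "level": "none",
             "message": {"text": "Control Flow Guard is enabled"}},
            {"ruleId": "BA2015", "level": "error",
             "message": {"text": "image is not linked with /HIGHENTROPYVA"}},
        ],
    }],
})

if __name__ == "__main__":
    ok, remaining = gate_passes(SAMPLE_SARIF)
    raise SystemExit(0 if ok else 1)  # a non-zero exit fails the CI step
```

On the sample, only the missing /HIGHENTROPYVA finding survives the filter, so the gate fails; with an empty ignore set all three error-level results would be reported.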
