Implement Basic Supply Chain Security (surrealdb#3395)

groobyming · Jan 26, 2024 · 74d91d4 · 74d91d4
1 parent eeb9137
commit 74d91d4
Show file tree

Hide file tree

Showing 8 changed files with 5,113 additions and 2 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -19,6 +19,8 @@ Makefile.* @surrealdb/ci
 Cargo.lock @surrealdb/security
 Cargo.toml @surrealdb/security
 lib/Cargo.toml @surrealdb/security
+cackle.toml @surrealdb/security
+supply-chain/* @surrealdb/security
 
 # General owners for the database
 /doc/ @surrealdb/db

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -96,9 +96,29 @@ jobs:
       - name: Install cargo-deny
         run: cargo install --debug --locked cargo-deny
 
-      - name: Check dependencies
+      - name: Install cargo-vet
+        run: cargo install --debug --locked cargo-vet
+
+      - name: Install cargo-acl
+        run: |
+          cargo install --debug --locked cargo-acl
+          sudo apt-get install -y bubblewrap
+
+      - name: Check dependencies for known issues
         run: cargo deny check
 
+      - name: Check dependencies for untrusted sources
+        run: cargo vet
+
+      - name: Check dependencies for unauthorized access
+        run: cargo acl -n
+
+      - name: Dependency check failure
+        if: failure()
+        run: |
+          echo "## :warning: Dependency check failed" >> $GITHUB_STEP_SUMMARY
+          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
+
   check-wasm:
     name: Check Wasm
     runs-on: ubuntu-latest

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,4 +1,4 @@
-# <img height="25" src="/img/security.svg">&nbsp;&nbsp;Security Policy
+# <img height="25" src="/img/security.svg">&nbsp;&nbsp;Open Source Security Policy
 
 ## Supported Versions
 
@@ -86,6 +86,12 @@ SurrealDB makes use of Github's [Dependabot
 alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
 monitor its dependencies for security issues.
 
+SurrealDB also [implements basic supply chain security practices](https://github.com/surrealdb/surrealdb/pull/3395)
+using [`cargo-vet`](https://mozilla.github.io/cargo-vet/index.html) and [`cargo-acl` (i.e.
+Cackle)](https://github.com/cackle-rs/cackle) to mitigate the impact of attackers introducing malicious code into
+third-party dependencies. These tools are executed as part of the CI process to ensure that significant changes in
+dependencies are considered. More details about these practices can be found [here](supply-chain/README.md).
+
 ### Fuzzing
 
 SurrealDB is [integrated](https://github.com/google/oss-fuzz/tree/master/projects/surrealdb) with Google's