Security Gates and Supply Chain

The Palyra security architecture employs a multi-layered “Security Gates” workflow designed to protect the supply chain, detect secret leakage, and enforce static analysis standards across the Rust and TypeScript/Node.js codebases. These gates are integrated into the CI/CD pipeline to ensure that no high-risk patterns or vulnerable dependencies reach production release artifacts.

Security Workflow Overview

The primary security enforcement occurs in the security-gates job within the GitHub Actions environment. This workflow centralizes dependency auditing, secret scanning, and Software Bill of Materials (SBOM) generation.

Supply Chain Data Flow

The following diagram illustrates how security artifacts are generated and validated during the CI process. Security Artifact Pipeline Sources: .github/workflows/security.yml#11-156, scripts/validate-npm-audit-dev-allowlist.mjs#198-250

Dependency Auditing

Palyra distinguishes between runtime dependencies and development-only dependencies to minimize the attack surface of the distributed binaries.

Rust Audit and Governance

The project uses three primary tools for Rust supply chain security:

cargo-audit: Scans Cargo.lock against the Advisory Database for crates with known vulnerabilities .github/workflows/security.yml#95-96.
cargo-deny: Enforces strict policies on crate licenses, duplicate dependencies, and banned sources .github/workflows/security.yml#98-99.
osv-scanner: Uses Google’s Open Source Vulnerabilities database to provide an additional layer of vulnerability detection .github/workflows/security.yml#101-104.

A specialized check, check-desktop-glib-patch.sh, ensures that any patches applied to system dependencies (like glib for the desktop app) adhere to the project’s patch governance rules .github/workflows/security.yml#70-71, apps/desktop/src-tauri/third_party/glib-0.18.5-patched/PALYRA_PATCH_GOVERNANCE.env#1-5.

NPM Audit and Dev-Allowlist

For the web dashboard and desktop UI, the system runs npm audit with a custom validation layer.

Runtime Audit: Executes npm audit --omit=dev to ensure zero high-severity vulnerabilities in the production bundle .github/workflows/security.yml#30-31.
Dev-Only Allowlist: High-severity vulnerabilities in development tools (e.g., linters, test runners) are managed via npm-audit-dev-allowlist.json npm-audit-dev-allowlist.json#1-6.

The script validate-npm-audit-dev-allowlist.mjs compares a full audit report against a runtime-only report. If a vulnerability exists in the full report but not the runtime report, it is checked against the allowlist scripts/validate-npm-audit-dev-allowlist.mjs#223-248. NPM Audit Validation Logic Sources: scripts/validate-npm-audit-dev-allowlist.mjs#226-250, scripts/validate-npm-audit-dev-allowlist.test.mjs#144-180

Static Analysis and Pattern Scanning

CodeQL Static Analysis

Palyra uses GitHub CodeQL to perform deep semantic analysis of the source code. The analysis is configured via .github/codeql/codeql-config.yml and covers:

Rust: Memory safety and logic errors.
JavaScript/TypeScript: XSS, injection, and logic flaws.
Actions: Security of the CI/CD workflows themselves.

The workflow uses build-mode: none for compiled languages to keep the security scan lightweight .github/workflows/codeql.yml#42-44.

High-Risk Pattern Scanning

The check-high-risk-patterns.sh script performs grep-based scans for dangerous coding patterns that might bypass sandbox controls, such as:

Unsanitized shell execution.
Direct filesystem access in sensitive modules.
Hardcoded credentials or insecure cryptographic defaults.

Sources: .github/workflows/security.yml#128-129, scripts/check-high-risk-patterns.sh#1-20

Secret Detection and Artifact Hygiene

Gitleaks

The project integrates gitleaks to detect secrets, API keys, and certificates in the commit history. It uses a custom configuration in .gitleaks.toml and generates SARIF reports for integration with the GitHub Security tab .github/workflows/security.yml#120-123.

Artifact Hygiene

The check-runtime-artifacts.sh script ensures that no sensitive files (like .env, private keys, or local SQLite databases) are accidentally included in the repository or build context .github/workflows/security.yml#125-126. This is reinforced by check-no-vendored-artifacts.sh which prevents the inclusion of binary blobs that haven’t been vetted .github/workflows/ci.yml#184-185.

Software Bill of Materials (SBOM)

Palyra generates a comprehensive SBOM in CycloneDX format for every release. This provides transparency into the transitive dependency tree.

Generation: cargo cyclonedx --format json --override-filename sbom .github/workflows/security.yml#131-132.
Collection: The workflow identifies all generated JSON files across the workspace and aggregates them into the security-artifacts bundle .github/workflows/security.yml#134-145.
Attestation: A placeholder for build attestation is generated, which is later populated during the release workflow to provide SLSA provenance .github/workflows/security.yml#147-148, .github/workflows/release.yml#21-22.

Artifact	Tool	Purpose
`npm-audit-runtime.json`	`npm audit`	Production JS dependency status
`osv-results.json`	`osv-scanner`	Multi-ecosystem vulnerability scan
`gitleaks-results.sarif`	`gitleaks`	Secret detection findings
`sbom*.json`	`cargo-cyclonedx`	Machine-readable dependency list

Sources: .github/workflows/security.yml#131-154, .github/workflows/release.yml#81-91

​Security Workflow Overview

​Supply Chain Data Flow

​Dependency Auditing

​Rust Audit and Governance

​NPM Audit and Dev-Allowlist

​Static Analysis and Pattern Scanning

​CodeQL Static Analysis

​High-Risk Pattern Scanning

​Secret Detection and Artifact Hygiene

​Gitleaks

​Artifact Hygiene

​Software Bill of Materials (SBOM)