The Palyra security architecture relies on a multi-layered automation pipeline designed to enforce supply chain integrity, prevent secret leakage, and identify high-risk code patterns before they reach production. This system integrates Rust-specific auditing, NPM dependency validation, static analysis, and a formal governance process for downstream patches.

Security Automation Pipeline

The primary security gate is implemented as a reusable GitHub Actions workflow in .github/workflows/security.yml#1-11. This workflow aggregates multiple scanning tools into a single blocking check for the CI/CD process.

Pipeline Architecture & Data Flow

The following diagram illustrates how security artifacts are generated and validated across different toolchains.
[Diagram: Security Gate Execution Flow]
Sources: .github/workflows/security.yml#11-156, .github/workflows/codeql.yml#18-48

Supply Chain Integrity

Palyra employs distinct strategies for managing Rust and Node.js dependencies to minimize the attack surface of the final binaries.

Rust Dependency Auditing

The workspace uses three complementary tools to monitor Rust crates:
  1. cargo-audit: Scans Cargo.lock against the RustSec Advisory Database .github/workflows/security.yml#95-96.
  2. cargo-deny: Enforces organizational policies on licenses, banned crates, and source requirements .github/workflows/security.yml#98-99.
  3. osv-scanner: Provides an additional layer of vulnerability detection using Google’s Open Source Vulnerabilities (OSV) database, configured via osv-scanner.toml .github/workflows/security.yml#101-104.

NPM Dev-Allowlist System

To avoid blocking CI on non-critical vulnerabilities in build-time tools (e.g., eslint), Palyra implements a strict separation between runtime and development dependencies.
Sources: .github/workflows/security.yml#56-63, npm-audit-dev-allowlist.json#1-5, scripts/validate-npm-audit-dev-allowlist.test.mjs#71-106
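The runtime/dev split above can be expressed as a small gate over audit findings. The following is an added example, not Palyra's npm-audit-dev-allowlist.json or its validation script: the report and allowlist shapes, the field names (`dev`, `owner`, `expires`) and every advisory ID are constructed assumptions for illustration.

```javascript
// Added example, not Palyra's own scripts. The audit report and allowlist
// shapes below are simplified assumptions, not npm's exact output format.
const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/i;

// Constructed allowlist: dev-only advisories CI may tolerate, each with an owner,
// a rationale and an expiry so the exception cannot silently become permanent.
const DEV_ALLOWLIST = {
  "GHSA-aaaa-bbbb-cccc": { owner: "build-tools", reason: "lint-only ReDoS", expires: "2099-01-01" },
  "GHSA-dddd-eeee-ffff": { owner: "build-tools", reason: "stale exception", expires: "2020-01-01" },
};

// Constructed audit findings: `dev` marks paths reachable only via devDependencies.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "eslint-plugin-x":   { severity: "high", dev: true,  via: [{ url: "https://github.com/advisories/GHSA-aaaa-bbbb-cccc" }] },
    "old-dev-tool":      { severity: "low",  dev: true,  via: [{ url: "https://github.com/advisories/GHSA-dddd-eeee-ffff" }] },
    "unlisted-dev-tool": { severity: "moderate", dev: true,  via: [{ url: "https://github.com/advisories/GHSA-1111-2222-3333" }] },
    "runtime-lib":       { severity: "moderate", dev: false, via: [{ url: "https://github.com/advisories/GHSA-4444-5555-6666" }] },
  },
};

// Reject malformed allowlist entries before trusting them to suppress findings.
function validateAllowlist(allowlist) {
  const errors = [];
  for (const [id, entry] of Object.entries(allowlist)) {
    if (!GHSA_RE.test(id)) errors.push(`${id}: not a GHSA id`);
    if (!entry.owner || !entry.reason) errors.push(`${id}: owner and reason are required`);
    if (Number.isNaN(Date.parse(entry.expires))) errors.push(`${id}: expires must be an ISO date`);
  }
  return errors;
}

// Decide which findings block CI. Runtime findings always block; a dev finding
// is tolerated only if its advisory is allowlisted and the exception is unexpired.
function gateAudit(report, allowlist, today = new Date()) {
  const blocking = [], allowed = [];
  for (const [pkg, v] of Object.entries(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via !== "object") continue; // chained through another finding; judged at its source
      const id = (via.url.match(GHSA_RE) || [])[0]; // undefined if no GHSA id: fails closed
      const entry = v.dev ? allowlist[id] : undefined;
      const live = entry && new Date(entry.expires) > today;
      (live ? allowed : blocking).push({ package: pkg, id, severity: v.severity, dev: v.dev });
    }
  }
  return { blocking, allowed, pass: blocking.length === 0 };
}
```

With the constructed input, only eslint-plugin-x is tolerated; the expired exception, the unlisted dev advisory and the runtime finding all block.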

Downstream Patch Governance

In cases where an upstream vulnerability (e.g., GHSA-wrw7-89jp-8q8g in glib) cannot be resolved due to transitive constraints in the Tauri Linux stack, Palyra uses a “Vendor & Patch” strategy SECURITY.md#51-66.

Implementation: The glib Case Study

The glib crate is patched to fix a memory safety issue (VariantStrIter UB) while maintaining compatibility with the GTK 0.18 lineage apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#10-45.

Patch Governance Components

| Component | Description |
| --- | --- |
| Vendored Source | Located at apps/desktop/src-tauri/third_party/glib-0.18.5-patched (apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#29) |
| Governance Contract | PALYRA_PATCH_GOVERNANCE.env defines the owner, checksum, and exit strategy (apps/desktop/src-tauri/third_party/glib-0.18.5-patched/PALYRA_PATCH_GOVERNANCE.env#1-14) |
| Verification Script | scripts/check-desktop-glib-patch.sh validates the file integrity and crate resolution (apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#58-61) |
| Regression Test | tests/glib_variantstriter_regression.rs ensures the fix remains effective (apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#62-64) |

Sources: SECURITY.md#62-66, apps/desktop/src-tauri/docs/security/dependency-graph/glib.md#13-35

Static Analysis & Pattern Scanning

Beyond dependency management, the codebase is subjected to several layers of static analysis:
  1. Secret Scanning: gitleaks is executed with a custom configuration (.gitleaks.toml) to detect committed credentials or private keys .github/workflows/security.yml#120-123.
  2. High-Risk Patterns: The scripts/check-high-risk-patterns.sh script uses grep-based rules to find dangerous functions or insecure configurations (e.g., hardcoded IP addresses or disabled TLS validation) .github/workflows/security.yml#128-129.
  3. CodeQL: GitHub’s CodeQL engine performs deep semantic analysis for Rust, JavaScript/TypeScript, and GitHub Actions workflows .github/workflows/codeql.yml#19-48.
  4. Artifact Hygiene: scripts/check-runtime-artifacts.sh ensures that no sensitive local files (like .env or sqlite databases) are accidentally included in the build context .github/workflows/security.yml#125-126.

Software Bill of Materials (SBOM)

As part of the release readiness gate, Palyra generates a CycloneDX SBOM for the Rust workspace.
Sources: .github/workflows/security.yml#79-80, .github/workflows/release.yml#87-88