Palyra implements a multi-layered security architecture designed to enforce supply chain integrity, secret redaction, and dependency governance. This is primarily orchestrated through the Security Gates workflow, which integrates Rust-native auditing tools, Node.js vulnerability scanning with a custom dev-allowlist mechanism, and automated policy enforcement for third-party patches.

Security Workflow Orchestration

The security posture is enforced by .github/workflows/security.yml, which runs on every workflow_dispatch and as part of the release process. It aggregates results from multiple scanners into a unified set of security artifacts.

Data Flow: Security Scanning Pipeline

The following diagram illustrates how the various security tools interact with the codebase and produce the final audit report.

[Diagram: Security Gate Execution Flow]

Sources: .github/workflows/security.yml#11-156, .github/workflows/codeql.yml#19-48

Dependency Governance Tools

Rust Dependency Auditing

Palyra uses three distinct tools to manage the Rust supply chain:
  1. cargo-audit: Scans Cargo.lock against the Advisory Database for crates with known vulnerabilities .github/workflows/security.yml#95-96.
  2. cargo-deny: Enforces license compliance and bans specific crates or multiple versions. The configuration in deny.toml allows specific licenses like Apache-2.0, MIT, and the custom LicenseRef-Palyra-Community-Source-1.1 deny.toml#10-20.
  3. osv-scanner: Uses Google’s OSV database to provide an additional layer of vulnerability detection, outputting results to security-artifacts/osv-results.json .github/workflows/security.yml#101-104.

Node.js Dev-Allowlist Mechanism

To manage vulnerabilities in development-only dependencies (which do not affect the production bundle), Palyra implements a “dev-allowlist” strategy. Sources: .github/workflows/security.yml#30-64, deny.toml#1-111, npm-audit-dev-allowlist.json#1-6, scripts/validate-npm-audit-dev-allowlist.test.mjs#1-181
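The validation step such an allowlist needs, as an added example that is not Palyra's own validate-npm-audit-dev-allowlist script: it reads `npm audit --json` findings, refuses malformed or expired allowlist entries, and waives a finding only when the package is a dev dependency and every advisory behind it is allowlisted for that package. The allowlist schema, the package names and the GHSA ids are constructed for the example.

```javascript
// Added example, not Palyra's own code: cross-check `npm audit --json` findings
// against a dev-only allowlist. The allowlist schema and all ids are assumed.
const GHSA_RE = /^GHSA(-[a-z0-9]{4}){3}$/;

// Constructed `npm audit --json` output, trimmed to the fields used here.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "example-dev-tool": { severity: "high", via: [{ url: "https://github.com/advisories/GHSA-0000-0000-0001" }] },
    "example-runtime-lib": { severity: "moderate", via: [{ url: "https://github.com/advisories/GHSA-0000-0000-0002" }] },
  },
};
// Constructed allowlist (assumed schema): advisory, package, expiry, justification.
const SAMPLE_ALLOWLIST = [
  { advisory: "GHSA-0000-0000-0001", package: "example-dev-tool", expires: "2099-01-01",
    reason: "dev-only tooling, never bundled into the shipped app" },
];
// Constructed devDependencies names (in practice read from package.json).
const SAMPLE_DEV_DEPS = new Set(["example-dev-tool"]);

// Reject malformed or stale allowlist entries before any finding can be waived.
function validateAllowlist(allowlist, today = new Date()) {
  const errors = [];
  allowlist.forEach((e, i) => {
    if (!GHSA_RE.test(e.advisory ?? "")) errors.push(`entry ${i}: bad advisory id`);
    if (!e.package) errors.push(`entry ${i}: missing package`);
    if (!(e.reason ?? "").trim()) errors.push(`entry ${i}: missing reason`);
    const exp = new Date(e.expires ?? "");
    if (Number.isNaN(exp.getTime())) errors.push(`entry ${i}: bad expiry`);
    else if (exp <= today) errors.push(`entry ${i}: expired on ${e.expires}`);
  });
  return errors;
}

// Pull GHSA ids from the `via` chain; string entries (transitive paths) carry none.
function advisoryIds(vuln) {
  return (vuln.via ?? []).filter((v) => v && typeof v.url === "string")
    .map((v) => v.url.split("/").pop()).filter((id) => GHSA_RE.test(id));
}

// Waive a finding only if the package is a dev dependency AND every advisory
// behind it is allowlisted for that exact package; anything else blocks the gate.
function evaluateAudit(audit, allowlist, devDeps, today = new Date()) {
  const errors = validateAllowlist(allowlist, today);
  if (errors.length) throw new Error(`invalid allowlist: ${errors.join("; ")}`);
  const waived = new Set(allowlist.map((e) => `${e.advisory}|${e.package}`));
  const allowed = [], blocked = [];
  for (const [pkg, vuln] of Object.entries(audit.vulnerabilities ?? {})) {
    const ids = advisoryIds(vuln);
    const ok = devDeps.has(pkg) && ids.length > 0 && ids.every((id) => waived.has(`${id}|${pkg}`));
    (ok ? allowed : blocked).push({ package: pkg, severity: vuln.severity, advisories: ids });
  }
  return { allowed, blocked };
}
```

A CI step would exit non-zero whenever `blocked` is non-empty, so an advisory against a runtime dependency, or a dev dependency whose waiver has expired, still fails the gate.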

Downstream Patch Governance

In cases where an upstream vulnerability (e.g., GHSA-wrw7-89jp-8q8g in glib) cannot be resolved due to transitive dependency constraints in the Tauri/GTK stack, Palyra employs a “Downstream Patch” policy.

Implementation: The glib Patch

[Diagram: Patch Verification Logic]

Sources: apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#1-88, .github/workflows/security.yml#70-71

Secret Scanning & Static Analysis

Gitleaks

The pipeline installs and runs gitleaks to detect hardcoded secrets, tokens, or private keys across the entire repository history. It generates a SARIF report for integration with GitHub’s security dashboard .github/workflows/security.yml#106-124.

CodeQL

Palyra uses GitHub CodeQL for semantic code analysis across three languages: rust, javascript-typescript, and actions. The analysis is configured via .github/codeql/codeql-config.yml and runs on a weekly schedule or on PRs .github/workflows/codeql.yml#1-48.

SBOM Generation

A Software Bill of Materials (SBOM) is generated using cargo-cyclonedx. This produces machine-readable JSON files (sbom.json) that document every component and version used in the Rust workspace, facilitating transparency and downstream compliance .github/workflows/security.yml#131-146. Sources: .github/workflows/security.yml#106-146, .github/workflows/codeql.yml#1-48

Dependency Review Workflow

For every Pull Request, the dependency-review.yml workflow triggers the actions/dependency-review-action. This tool analyzes the Cargo.lock and package-lock.json changes to identify:
  • New vulnerabilities introduced by the PR.
  • Incompatible license changes.
  • Significant dependency version jumps.
This acts as a preventative gate before code is merged into the main branch .github/workflows/dependency-review.yml#1-35. Sources: .github/workflows/dependency-review.yml#1-35