Automated Security Pipeline
The primary entry point for security validation is the security.yml workflow. This workflow runs a battery of scanners targeting different layers of the stack, from crate dependencies to hardcoded secrets.
Workflow Orchestration
The security-gates job performs the following sequence:
- Node.js Audit: Executes npm audit with specific logic to differentiate between runtime and development vulnerabilities (.github/workflows/security.yml#30-64).
- Rust Audit: Uses cargo audit to check Cargo.lock against the Advisory Database (.github/workflows/security.yml#95-96).
- Policy Enforcement: Uses cargo deny to enforce license compliance and ban specific crates (.github/workflows/security.yml#98-99).
- Vulnerability Scanning: Runs osv-scanner (Google's Open Source Vulnerability scanner) for cross-ecosystem coverage (.github/workflows/security.yml#101-104).
- Secret Scanning: Executes gitleaks to detect committed secrets or high-risk patterns (.github/workflows/security.yml#120-124).
- SBOM Generation: Produces CycloneDX-formatted SBOMs for all workspace crates (.github/workflows/security.yml#131-132).
Data Flow: Security Scanning
The following diagram illustrates how security artifacts are generated and validated during the CI process.
[Diagram: Security Gate Data Flow]
Sources: .github/workflows/security.yml#30-130, scripts/validate-npm-audit-dev-allowlist.mjs#198-250
Node.js Dependency Governance
Palyra employs a strict "No High/Critical vulnerabilities in production" policy for the web dashboard and desktop UI. However, development-only tools (like build-time bundlers) often have transient vulnerabilities that do not impact the shipped runtime.
npm Audit Allowlist Mechanism
The project uses a custom script, scripts/validate-npm-audit-dev-allowlist.mjs, to manage this distinction.
- Dual Auditing: The CI runs npm audit twice: once for the full tree and once with --omit=dev (.github/workflows/security.yml#53-54).
- Allowlist Filtering: Any vulnerability found in the "Full" report but not in the "Runtime" report is checked against npm-audit-dev-allowlist.json (.github/workflows/npm-audit-dev-allowlist.json#1-5).
- Expiry Enforcement: Allowlist entries must have an expires_on date. If an entry is expired, the CI fails even if the vulnerability is still present (scripts/validate-npm-audit-dev-allowlist.mjs#220-222).
| Field | Description |
|---|---|
| id | The GHSA or npm advisory ID. |
| expires_on | ISO date (YYYY-MM-DD) when the exception expires. |
| owner | The maintainer responsible for the exception. |
| reason | Technical justification for why this is safe in dev-only. |
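The dual-audit comparison and expiry check described above can be sketched as follows. This is an added example, not the project's validate-npm-audit-dev-allowlist.mjs. It assumes npm 7+ audit JSON, an allowlist stored as a plain array of entries, that an unlisted dev-only advisory fails the gate, and that an entry stays valid through its expires_on date; the function names and sample data are constructed.

```javascript
// Added example, not the project's script. today is a "YYYY-MM-DD" string.
const BLOCKING = new Set(["high", "critical"]);

// Map advisory ID (last segment of the advisory URL, e.g. a GHSA ID) -> severity.
function advisories(report) {
  const found = new Map();
  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    for (const via of vuln.via ?? []) {
      // String entries only point at another vulnerable package; skip them.
      if (typeof via !== "object" || !via.url) continue;
      found.set(via.url.split("/").pop(), via.severity);
    }
  }
  return found;
}

function evaluateAudit(fullReport, runtimeReport, allowlist, today) {
  const full = advisories(fullReport);
  const runtime = advisories(runtimeReport);
  const failures = [];
  // Runtime policy: no high/critical findings in shipped dependencies.
  for (const [id, severity] of runtime) {
    if (BLOCKING.has(severity)) failures.push(`${id}: ${severity} in runtime tree`);
  }
  // Dev-only = full minus runtime; each needs a complete, unexpired entry.
  const entries = new Map(allowlist.map((e) => [e.id, e]));
  for (const id of full.keys()) {
    if (runtime.has(id)) continue;
    const e = entries.get(id);
    if (!e) failures.push(`${id}: dev-only, not allowlisted`);
    else if (!/^\d{4}-\d{2}-\d{2}$/.test(e.expires_on ?? "")) failures.push(`${id}: bad expires_on`);
    else if (e.expires_on < today) failures.push(`${id}: allowlist entry expired ${e.expires_on}`);
    else if (!e.owner || !e.reason) failures.push(`${id}: owner and reason required`);
  }
  return { ok: failures.length === 0, failures };
}

// Constructed sample data; the advisory IDs are placeholders, not real advisories.
const adv = (id, severity) => ({ url: `https://github.com/advisories/${id}`, severity });
const SAMPLE_FULL = { vulnerabilities: {
  bundler: { via: [adv("GHSA-aaaa-aaaa-aaaa", "high")] },
  linter: { via: [adv("GHSA-bbbb-bbbb-bbbb", "moderate"), "bundler"] },
  "ui-lib": { via: [adv("GHSA-cccc-cccc-cccc", "low")] },
} };
const SAMPLE_RUNTIME = { vulnerabilities: { "ui-lib": SAMPLE_FULL.vulnerabilities["ui-lib"] } };
const SAMPLE_ALLOWLIST = [
  { id: "GHSA-aaaa-aaaa-aaaa", expires_on: "2030-01-31", owner: "@maintainer", reason: "build-time only" },
  { id: "GHSA-bbbb-bbbb-bbbb", expires_on: "2024-01-31", owner: "@maintainer", reason: "lint-time only" },
];
```

Because expiry is compared against a date passed in by the caller, the same inputs can be replayed with a future date to see which exceptions are about to start failing the gate.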
Rust Security and SBOM
Cargo Audit and Deny
Rust dependencies are managed via two primary tools:
- cargo-audit: Scans Cargo.lock for crates with reported security vulnerabilities in the RustSec Advisory Database (.github/workflows/security.yml#95-96).
- cargo-deny: Checks for unauthorized licenses and ensures that no "yanked" or banned versions of crates are introduced (.github/workflows/security.yml#98-99).
SBOM Generation
For every release-ready build, the system generates a Software Bill of Materials using cargo-cyclonedx.
- Command: cargo cyclonedx --format json --override-filename sbom (.github/workflows/security.yml#132).
- Artifacts: These files are collected and uploaded as security-artifacts to provide transparency into the final binary's composition (.github/workflows/security.yml#136-156).
Specialized Governance
Desktop glib Patch Governance
Palyra maintains a specific security policy for upstream vulnerabilities that cannot be immediately resolved due to transitive constraints. A notable example is GHSA-wrw7-89jp-8q8g in the glib crate, used by the desktop Linux runtime.
- Implementation: The project maintains a patched version in apps/desktop/src-tauri/third_party/glib-0.18.5-patched (SECURITY.md#62-65).
- CI Enforcement: The script scripts/check-desktop-glib-patch.sh is executed in the security gate to ensure the patch remains applied and hasn't been accidentally regressed (.github/workflows/security.yml#70-71).
Static Analysis and CodeQL
In addition to dependency scanning, the repository uses GitHub CodeQL for deep semantic analysis of the source code.
- Languages: Actions, JavaScript/TypeScript, and Rust (.github/workflows/codeql.yml#25).
- Configuration: Specific paths like third_party are ignored to focus on first-party code (.github/codeql/codeql-config.yml#3-5).
- Build Mode: Uses build-mode: none for lightweight CI integration (.github/workflows/codeql.yml#44).
Summary of Security Tools
| Tool | Target | Purpose |
|---|---|---|
| cargo audit | Cargo.lock | Rust vulnerability scanning (.github/workflows/security.yml#95-96). |
| cargo deny | Rust Workspace | License and crate policy enforcement (.github/workflows/security.yml#98-99). |
| osv-scanner | Multi-ecosystem | Google OSV database check (.github/workflows/security.yml#101-104). |
| npm audit | package-lock.json | Node.js vulnerability scanning (.github/workflows/security.yml#30-31). |
| gitleaks | Git History | Secret and credential detection (.github/workflows/security.yml#120-124). |
| cargo cyclonedx | Workspace | SBOM generation (.github/workflows/security.yml#131-132). |
| CodeQL | Source Code | Semantic vulnerability analysis (.github/workflows/codeql.yml#1-48). |