Security Scanning and Dependency Governance

Palyra implements a multi-layered security scanning and dependency governance strategy integrated directly into the CI/CD pipeline. This system ensures that vulnerabilities, secret leaks, and license non-compliance are detected before code reaches production. The primary enforcement mechanism is the security.yml workflow, which aggregates results from Rust-specific auditors, Node.js security tools, and global secret scanners.

Security Gates Workflow

The security-gates job in .github/workflows/security.yml serves as the central orchestrator for all security-related checks. It runs on ubuntu-latest and is triggered by other workflows (like release) or manually via workflow_dispatch .github/workflows/security.yml#1-14.

Supply Chain and Dependency Audit

Palyra employs several tools to audit its deep dependency tree across both Rust and JavaScript ecosystems:

npm audit: Specifically targets the @palyra/web workspace. It runs with --audit-level=high and --omit=dev to fail the build if production dependencies have high-severity vulnerabilities .github/workflows/security.yml#30-31.
cargo audit: Audits the Rust Cargo.lock file against the Advisory Database for crates with known vulnerabilities .github/workflows/security.yml#95-96.
osv-scanner: Uses Google’s OSV database to scan for vulnerabilities across multiple ecosystems simultaneously, providing a secondary layer of verification for the Cargo.lock .github/workflows/security.yml#101-104.
cargo deny: Enforces license compliance and detects duplicate dependency versions or “banned” crates .github/workflows/security.yml#98-99.

Secret Scanning and Pattern Detection

To prevent the accidental exposure of credentials, the pipeline uses both standardized tools and custom heuristics:

Gitleaks: Scans the entire repository history for secrets using the configuration in .gitleaks.toml .github/workflows/security.yml#120-123.
High-risk pattern scan: A custom script (scripts/check-high-risk-patterns.sh) uses rg (ripgrep) or grep to look for specific regex patterns like RSA/EC private keys, AWS Access Keys, and Slack tokens scripts/check-high-risk-patterns.sh#4-13.

Data Flow: Security Artifact Collection

The workflow consolidates all scan results into a security-artifacts directory for auditability and manual review. Security Scan Data Flow Sources: .github/workflows/security.yml#33-154, scripts/validate-npm-audit-dev-allowlist.mjs#198-250

npm Dev-Only Dependency Governance

Palyra uses a sophisticated allowlist system for JavaScript dependencies to distinguish between vulnerabilities that affect the production bundle and those limited to development tools (e.g., build scripts, linters).

Allowlist Validation Logic

The script scripts/validate-npm-audit-dev-allowlist.mjs compares a “full” audit (including devDependencies) against a “runtime” audit (production only).

Detection: If a vulnerability exists in the full report but not the runtime report, it is classified as dev-only scripts/validate-npm-audit-dev-allowlist.mjs#226-230.
Allowlist Check: The script checks if the vulnerability ID (GHSA or NPM ID) is present in npm-audit-dev-allowlist.json scripts/validate-npm-audit-dev-allowlist.mjs#235.
Expiry Enforcement: Allowlist entries must have an expires_on date. If an entry is expired, the script fails the build, forcing the team to re-evaluate the risk scripts/validate-npm-audit-dev-allowlist.mjs#178-196.

Dependency Governance Entities Sources: npm-audit-dev-allowlist.json#1-5, scripts/validate-npm-audit-dev-allowlist.mjs#178-220

CodeQL and Static Analysis

Deep static analysis is performed via GitHub CodeQL, configured in .github/workflows/codeql.yml.

Languages: Analyzes actions, javascript-typescript, and rust .github/workflows/codeql.yml#25.
Build Mode: For Rust, it uses build-mode: none to keep the CI lightweight while still performing semantic analysis .github/workflows/codeql.yml#44.
Exclusions: The analysis ignores third-party code in apps/desktop/src-tauri/third_party/** to focus on first-party vulnerabilities .github/codeql/codeql-config.yml#3-4.

SBOM and Attestation

For software supply chain transparency, Palyra generates a Software Bill of Materials (SBOM) and build attestations during the security gate phase.

SBOM Generation: Uses cargo-cyclonedx to generate a CycloneDX JSON SBOM covering the entire Rust workspace .github/workflows/security.yml#132.
Artifact Hygiene: The script scripts/check-runtime-artifacts.sh ensures that no unauthorized or sensitive files are included in the final build artifacts .github/workflows/security.yml#126.
Attestation: A placeholder attestation is generated via scripts/generate-attestation-placeholder.sh to be used by downstream release workflows for signing .github/workflows/security.yml#148.

Downstream glib Patch Governance

In specific cases where upstream vulnerabilities cannot be immediately resolved due to transitive dependency constraints, Palyra employs a “Downstream Patch” policy SECURITY.md#51-61.

Linux Desktop Runtime (glib)

The project maintains a patched version of glib located at apps/desktop/src-tauri/third_party/glib-0.18.5-patched to address GHSA-wrw7-89jp-8q8g SECURITY.md#64-65. The governance of this patch is enforced by scripts/check-desktop-glib-patch.sh, which is called during the security gates .github/workflows/security.yml#71. This script ensures:

The patch source is committed and hasn’t drifted.
Release-mode validation is performed for Linux targets SECURITY.md#59.
Documentation includes an exit plan to return to the upstream version once fixed SECURITY.md#60.

Sources: SECURITY.md#51-66, .github/workflows/security.yml#70-71

​Security Gates Workflow

​Supply Chain and Dependency Audit

​Secret Scanning and Pattern Detection

​Data Flow: Security Artifact Collection

​npm Dev-Only Dependency Governance

​Allowlist Validation Logic

​CodeQL and Static Analysis

​SBOM and Attestation

​Downstream glib Patch Governance

​Linux Desktop Runtime (glib)