Security Scanning & Supply Chain

The Palyra security gate workflow is a multi-layered defense-in-depth pipeline designed to ensure the integrity of the software supply chain, prevent secret leakage, and identify vulnerabilities in both Rust and TypeScript components. These gates are enforced through GitHub Actions and must pass before any code is merged or released.

Security Gate Architecture

The security pipeline is primarily defined in .github/workflows/security.yml and is triggered on workflow calls or manual dispatch .github/workflows/security.yml#1-5. It integrates specialized scanners for different layers of the stack: Rust dependencies, NPM packages, static analysis, and secret detection.

System Data Flow

The following diagram illustrates how security artifacts and scan results flow through the pipeline to reach a “Pass/Fail” decision. Security Scan Data Flow Sources: .github/workflows/security.yml#11-156, .github/workflows/codeql.yml#18-48

Rust Supply Chain Security

Palyra employs three distinct tools to audit the Rust dependency graph, ensuring that vulnerabilities are caught even if one tool’s database is lagging.

cargo-audit: Scans Cargo.lock against the Advisory Database (RUSTSEC) .github/workflows/security.yml#95-96.
cargo-deny: Enforces a strict policy on licenses, duplicate dependencies, and banned crates .github/workflows/security.yml#98-99.
osv-scanner: Uses Google’s Open Source Vulnerabilities (OSV) database to provide an additional layer of dependency scanning .github/workflows/security.yml#101-104.

Downstream Patch Governance

In rare cases where an upstream vulnerability cannot be resolved due to transitive constraints (e.g., the Tauri Linux stack constraining glib), Palyra uses a “Downstream Patch” model SECURITY.md#51-61.

Mechanism: The crate is vendored in third_party/ and overridden via [patch.crates-io] apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#27-33.
Enforcement: The script scripts/check-desktop-glib-patch.sh validates the SHA-256 checksum of the patched files during every security run .github/workflows/security.yml#70-71, apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#52-53.

Sources: .github/workflows/security.yml#70-104, SECURITY.md#51-65, apps/desktop/src-tauri/docs/security/advisories/GHSA-wrw7-89jp-8q8g.md#1-88

TypeScript & NPM Security

The web console and desktop UI dependencies are audited using a split-level strategy to distinguish between production risks and development-only tool vulnerabilities.

NPM Audit & Dev Allowlist

The pipeline runs npm audit with --omit=dev to block any high-severity runtime vulnerabilities .github/workflows/security.yml#30-31. For development dependencies (e.g., build tools), Palyra uses an allowlist mechanism:

npm-audit-dev-allowlist.json: Contains approved exceptions for dev-only advisories with an expiration date npm-audit-dev-allowlist.json#1-6.
validate-npm-audit-dev-allowlist.mjs: A script that compares the full audit against the runtime audit. If a vulnerability exists only in devDependencies and is present in the allowlist (and not expired), the gate passes scripts/validate-npm-audit-dev-allowlist.test.mjs#71-106.

NPM Security Validation Logic Sources: .github/workflows/security.yml#30-64, scripts/validate-npm-audit-dev-allowlist.test.mjs#71-181

Static Analysis & Secret Scanning

Gitleaks

The gitleaks tool is used to detect hardcoded secrets (API keys, tokens, certificates) across the entire repository history .github/workflows/security.yml#120-123. It uses a custom configuration in .gitleaks.toml to reduce false positives while maintaining high sensitivity for model provider keys (OpenAI, Anthropic).

CodeQL Static Analysis

CodeQL performs deep semantic analysis of the codebase to identify security patterns like SSRF, SQL injection, and memory safety issues.

Languages: Actions, JavaScript/TypeScript, and Rust .github/workflows/codeql.yml#25.
Configuration: Managed via .github/codeql/codeql-config.yml .github/workflows/codeql.yml#41.
Build Mode: Uses build-mode: none for lightweight CI execution where supported .github/workflows/codeql.yml#44.

High-Risk Pattern Scan

A custom script scripts/check-high-risk-patterns.sh performs grep-based checks for dangerous coding patterns that might bypass standard linters, such as unsafe Rust blocks without documentation or unauthorized use of specific sensitive APIs .github/workflows/security.yml#128-129. Sources: .github/workflows/security.yml#106-129, .github/workflows/codeql.yml#1-48, CODEOWNERS#8-13

SBOM & Provenance

Palyra generates a Software Bill of Materials (SBOM) for every release to provide transparency into the supply chain.

Generation: Uses cargo-cyclonedx to produce a JSON SBOM in the CycloneDX format .github/workflows/security.yml#131-132.
Artifact Collection: SBOM files are aggregated from across the workspace and uploaded as security artifacts .github/workflows/security.yml#134-145.
Attestation: A placeholder for build attestation is generated via scripts/generate-attestation-placeholder.sh .github/workflows/security.yml#147-148, which is later finalized during the release process to provide SLSA-compliant provenance .github/workflows/release.yml#21-22.

Security Artifacts Manifest

Artifact	Source Tool	Purpose
`osv-results.json`	`osv-scanner`	Comprehensive dependency vulnerability report
`gitleaks-results.sarif`	`gitleaks`	Secret scanning findings in SARIF format
`npm-audit-dev-summary.json`	`validate-npm-audit-dev-allowlist.mjs`	Summary of allowed vs. blocked JS advisories
`sbom*.json`	`cargo-cyclonedx`	Machine-readable dependency inventory

Sources: .github/workflows/security.yml#131-156, .github/workflows/release.yml#19-22

​Security Gate Architecture

​System Data Flow

​Rust Supply Chain Security

​Downstream Patch Governance

​TypeScript & NPM Security

​NPM Audit & Dev Allowlist

​Static Analysis & Secret Scanning

​Gitleaks

​CodeQL Static Analysis

​High-Risk Pattern Scan

​SBOM & Provenance

​Security Artifacts Manifest