You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
NFR-3 requires container escape regression tests in CI. During public repository cleanup, these should be pull request and push gates, not scheduled runs.
Scope
Add unit-level security tests for path, volume, hardening, and sync validation.
Add Docker live tests for socket inaccessibility, no-new-privileges, and capability dropping.
Validate seccomp profile JSON.
Keep workflows limited to push and pull_request triggers.
Skip live tests clearly when Docker is unavailable locally.
Acceptance Criteria
CI has no scheduled trigger.
Security unit tests run on pull requests.
Docker live test skip conditions are explicit.
Seccomp profile syntax and key restrictions are validated.
References
cage-demo/docs/PRD.md NFR-3
cage-demo/tests/integration/security_test.rs
cage-demo/seccomp/default.json
cage-demo/.github/workflows/security.yml
Technical Audit Addendum (2026-07-06)
Cover FR-5.10 here: enforce the no-shell-execution rule statically. Add clippy.tomldisallowed-methods/disallowed-types entries (or a grep-based CI step) that fail the build on Command::new("sh"|"bash"), .arg("-c") command-string construction, and similar shell-invocation patterns. This is the Rust equivalent of the PRD's gosec/bandit/shellcheck requirement, and no other issue covers it.
Traceability: map each security test to its STRIDE THREAT-ID (e.g. socket inaccessibility → THREAT-SEC-E-01, no-new-privileges → THREAT-SEC-E-02, traversal → THREAT-AS-T-01) in test names or a doc table, so coverage gaps against the threat model are visible.
Background
NFR-3 requires container escape regression tests in CI. During public repository cleanup, these should be pull request and push gates, not scheduled runs.
Scope
pushandpull_requesttriggers.Acceptance Criteria
References
cage-demo/docs/PRD.mdNFR-3cage-demo/tests/integration/security_test.rscage-demo/seccomp/default.jsoncage-demo/.github/workflows/security.ymlTechnical Audit Addendum (2026-07-06)
clippy.tomldisallowed-methods/disallowed-typesentries (or a grep-based CI step) that fail the build onCommand::new("sh"|"bash"),.arg("-c")command-string construction, and similar shell-invocation patterns. This is the Rust equivalent of the PRD's gosec/bandit/shellcheck requirement, and no other issue covers it.seccomp/default.json, assertdefaultActionand the presence of key restrictions, so a malformed profile cannot ship.CAGE_INTEGRATION_DOCKER=1+#[ignore]convention; on GitHub Actions only Linux runners have Docker, so macOS jobs must skip cleanly (see [Phase 3] Define and validate the platform support matrix (macOS/Linux/WSL2, runtimes) #28).