Skip to content

[Phase 3] Add security regression tests to CI #18

Description

@Saber5656

Background

NFR-3 requires container escape regression tests in CI. During public repository cleanup, these should be pull request and push gates, not scheduled runs.

Scope

  • Add unit-level security tests for path, volume, hardening, and sync validation.
  • Add Docker live tests for socket inaccessibility, no-new-privileges, and capability dropping.
  • Validate seccomp profile JSON.
  • Keep workflows limited to push and pull_request triggers.
  • Skip live tests clearly when Docker is unavailable locally.

Acceptance Criteria

  • CI has no scheduled trigger.
  • Security unit tests run on pull requests.
  • Docker live test skip conditions are explicit.
  • Seccomp profile syntax and key restrictions are validated.

References

  • cage-demo/docs/PRD.md NFR-3
  • cage-demo/tests/integration/security_test.rs
  • cage-demo/seccomp/default.json
  • cage-demo/.github/workflows/security.yml

Technical Audit Addendum (2026-07-06)

  • Cover FR-5.10 here: enforce the no-shell-execution rule statically. Add clippy.toml disallowed-methods/disallowed-types entries (or a grep-based CI step) that fail the build on Command::new("sh"|"bash"), .arg("-c") command-string construction, and similar shell-invocation patterns. This is the Rust equivalent of the PRD's gosec/bandit/shellcheck requirement, and no other issue covers it.
  • Seccomp JSON validation (with [Phase 1] Enforce container hardening and resource limits #9): CI should parse seccomp/default.json, assert defaultAction and the presence of key restrictions, so a malformed profile cannot ship.
  • Traceability: map each security test to its STRIDE THREAT-ID (e.g. socket inaccessibility → THREAT-SEC-E-01, no-new-privileges → THREAT-SEC-E-02, traversal → THREAT-AS-T-01) in test names or a doc table, so coverage gaps against the threat model are visible.
  • Live-test gating: keep the legacy CAGE_INTEGRATION_DOCKER=1 + #[ignore] convention; on GitHub Actions only Linux runners have Docker, so macOS jobs must skip cleanly (see [Phase 3] Define and validate the platform support matrix (macOS/Linux/WSL2, runtimes) #28).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions