Skip to content

Security: sebastienrousseau/noya-cli

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.0.x Yes

noya-cli follows the ADR-0005 strict-lockstep versioning contract. Every release is coordinated with noyalib at the same version.

Reporting a Vulnerability

Email sebastian.rousseau@gmail.com. Do not open a public issue for security reports.

Include: description, steps to reproduce, affected versions, suggested fix (optional). Initial response within 48h; fix or mitigation plan within 7 days.

Threat Model — CLI-Specific

noya-cli ships two binaries: noyafmt (formatter) and noyavalidate (schema validator + autofixer). Threat model:

  • Untrusted YAML files on disk: every file the CLI reads goes through the same parser hardening as the library. DoS budgets (max_depth, max_document_length, max_alias_expansions) apply.
  • --fix mode: mutates files in place. Callers must understand the operation is destructive to the source file; version-control it before --fix.
  • --schema URL mode: fetches a JSON Schema over HTTPS. Only fetches from URLs the caller supplied — no automatic resolution.
  • Config file discovery: reads .noyafmt.toml from CWD + upwards. Malicious config files in a repo can influence format behaviour; never run noyafmt on an untrusted repo in a security-sensitive context.

Security Design

Inherits every security invariant from parent noyalib: #[forbid(unsafe_code)], no C deps, parser DoS guards.

Supply Chain

  • cargo-deny in CI (advisories + bans + licenses + sources).
  • All GitHub Actions SHA-pinned.
  • CI composed from sebastienrousseau/noyalib's shared reusable workflows.
  • Cargo.lock committed for deterministic builds.

Build Provenance & Artefact Signing

Each release ships with:

  1. SLSA Level 3 build provenance via actions/attest-build-provenance.
  2. Keyless sigstore signatures (Fulcio + Rekor) on every published .crate and pre-built binary.
  3. Multi-arch binaries (noyafmt-<version>-<triple>.tar.gz + .zip) attached to each GitHub Release with cosign bundles.
  4. SBOM attached to each GitHub Release.

Commit Integrity

Every commit on main must be signed. CI rejects unsigned PR commits via shared-verify-signatures.yml.

There aren't any published security advisories