From a05bb30e9c28dd1be190bbc05500fee01d3d1db0 Mon Sep 17 00:00:00 2001 From: Marco Allegretti Date: Sun, 22 Feb 2026 21:08:10 +0100 Subject: [PATCH] fix: supply chain credential test false positive, verify-docs SIGPIPE - Credential injection test: search for actual fake credential values instead of env var name patterns (AWS_SECRET_ACCESS_KEY is intentionally in security.rs denied_env_vars list) - Verify-docs: add || true after head -50 pipe to prevent SIGPIPE exit code with pipefail enabled --- .github/workflows/supply-chain-test.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/supply-chain-test.yml b/.github/workflows/supply-chain-test.yml index 8016eb5..7fc2864 100644 --- a/.github/workflows/supply-chain-test.yml +++ b/.github/workflows/supply-chain-test.yml @@ -700,7 +700,9 @@ jobs: - name: "Test: No credential strings in binary" run: | set -euo pipefail - for TERM in "sk-FAKE" "SUPER-SECRET" "ghp_FAKE" "GITHUB_TOKEN" "wJalrXUtnFEMI" "AWS_SECRET" "cio_FAKE"; do + # Search for actual fake credential values, not env var names. + # AWS_SECRET_ACCESS_KEY appears intentionally in security.rs denied_env_vars. + for TERM in "sk-FAKE-SUPER-SECRET" "ghp_FAKE_GITHUB_TOKEN" "wJalrXUtnFEMI/K7MDENG" "cio_FAKE_REGISTRY"; do if strings target/release/karapace | grep -qi "$TERM"; then echo "FATAL: $TERM leaked into binary" exit 1 @@ -797,7 +799,7 @@ jobs: echo "karapace-dbus: VERIFIED" echo "=== Step 3: Inspect SBOM ===" - python3 -m json.tool karapace_bom.json | head -50 + python3 -m json.tool karapace_bom.json | head -50 || true echo "SBOM is valid JSON" echo "=== ALL verification.md commands executed successfully ==="