
fix: address security alerts (workflow permissions + cryptography CVEs) #21

Merged

reubenmiller merged 3 commits into main from fix/security-alerts
Apr 21, 2026

fix: address security alerts (workflow permissions + cryptography CVEs)#21
reubenmiller merged 3 commits intomainfrom
fix/security-alerts

Conversation

Contributor

@reubenmiller reubenmiller commented Apr 21, 2026

Summary

Fixes open security alerts from code scanning and Dependabot (excluding code scanning alert #1 which is a known/accepted risk).

Code Scanning Alerts Fixed

  • 2, 3, 4 actions/missing-workflow-permissions: Added explicit permissions blocks to lint, approve, and passed jobs in .github/workflows/test.yaml to restrict the scope of the GITHUB_TOKEN following the principle of least privilege:
    • lint: contents: read (required for checkout)
    • approve: {} (no repository access needed)
    • passed: {} (no repository access needed)

Dependabot Alerts Fixed

  • 2 (high) CVE-2026-26007: cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves — fixed in 46.0.5
  • 3 (low) CVE-2026-34073: cryptography has incomplete DNS name constraint enforcement on peer names — fixed in 46.0.6

Bumped cryptography from >= 44.0.2, < 45.0.0 to >= 46.0.6, < 47.0.0.

Commits

  1. ci: add explicit permissions to workflow jobs — fixes code scanning alerts #2, #3, #4
  2. build: bump cryptography to >= 46.0.6 to fix CVEs — fixes Dependabot alerts #2 and #3
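As an added example (not the repository's own .github/workflows/test.yaml), this is what the three per-job permissions blocks described above look like in a workflow. The job names lint, approve and passed come from the PR; the trigger, the steps, the needs wiring and the top-level permissions: {} default are assumptions added here to show the pattern in full.

```yaml
# Added example, not the project's own test.yaml. Job names and their
# permission scopes follow the PR description; everything else is assumed.
name: test

on:
  pull_request:

# Assumed top-level default: grant the GITHUB_TOKEN nothing at all. Each job
# must then declare exactly what it needs, so a job added later cannot
# silently inherit the repository-wide default token scopes.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    # contents: read is the minimum actions/checkout needs to clone the repo.
    # Without an explicit block the job would fall back to the repository
    # default, which (depending on the repository setting) can be read/write
    # across most scopes.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: echo "lint step goes here"   # placeholder for the real linter

  approve:
    runs-on: ubuntu-latest
    # Gate job that only decides whether the run may proceed. It never touches
    # the repository, so the token gets no scopes at all.
    permissions: {}
    steps:
      - run: echo "approval gate"

  passed:
    needs: [lint, approve]
    runs-on: ubuntu-latest
    # Aggregate job used as the single required status check. It also needs
    # no repository access, hence the empty permissions block.
    permissions: {}
    steps:
      - run: echo "all required jobs passed"
```

The code-scanning rule actions/missing-workflow-permissions flags any job that has neither its own permissions block nor a top-level one, so the per-job blocks are what clear alerts 2, 3 and 4.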

@github-actions

github-actions Bot commented Apr 21, 2026

Robot Results

✅ Passed | ❌ Failed | ⏭️ Skipped | Total | Pass % | ⏱️ Duration
26 | 0 | 0 | 26 | 100 | 12.650092s

Passed Tests

Name | ⏱️ Duration | Suite
Get IoT Url | 0.562 s | Account
Get Account ID | 0.323 s | Account
Create certificate key pair | 0.392 s | Certificates
Create CSR using AWS CA | 0.448 s | Certificates
Upload self-signed certificate | 0.381 s | Certificates
Create Certificate and Thing | 0.768 s | Composite
Start/stop MQTT logger | 0.589 s | Logger
Assert message count | 2.646 s | Logger
Assert MQTT message | 2.617 s | Logger
Create a new Policy | 0.166 s | Policies
Deleting a non-existent Policy should not throw an error | 0.079 s | Policies
Deleting a non-existent Policy should throw an error | 0.079 s | Policies
Assert that a policy exists | 0.168 s | Policies
Fails if policy does not exist | 0.075 s | Policies
Create Thing with auto cleanup | 0.155 s | Thing
Create Thing with Principal | 0.583 s | Thing
Delete Thing | 0.236 s | Thing
Delete non-existent thing | 0.074 s | Thing
Check if thing exists | 0.075 s | Thing
Throws an error if thing exists | 2.228 s | Thing
Get Local Command Topic | 0.001 s | Topics
Get Cloud Command Topic | 0.001 s | Topics
Get Telemetry Topic | 0.001 s | Topics
Get Registration Topic | 0.001 s | Topics
Get cloud topic for the AWS shadow | 0.001 s | Topics
Get local topic for the AWS shadow | 0.001 s | Topics

Add explicit permissions blocks to lint, approve, and passed jobs to
restrict the scope of the GITHUB_TOKEN following the principle of least
privilege.

Fixes code scanning alerts #2, #3, #4 (actions/missing-workflow-permissions)

Update cryptography minimum version from 44.0.2 to 46.0.6 to address
two security vulnerabilities:

- CVE-2026-26007 (high): Vulnerable to a Subgroup Attack Due to Missing
  Subgroup Validation for SECT Curves (fixed in 46.0.5)
- CVE-2026-34073 (low): Incomplete DNS name constraint enforcement on
  peer names (fixed in 46.0.6)

Fixes Dependabot alerts #2 and #3
@reubenmiller reubenmiller merged commit 95e6359 into main Apr 21, 2026
20 of 21 checks passed
@reubenmiller reubenmiller deleted the fix/security-alerts branch April 21, 2026 21:24