leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
main
SKELETONKEY/.github/workflows/build.yml
T
leviathan 5b79b23ff2 ci: ASan/UBSan + clang-tidy lint + weekly drift check 
Three new jobs in build.yml:

1. sanitizers (clang + ASan/UBSan)
   Runs the same 88-test suite under AddressSanitizer +
   UndefinedBehaviorSanitizer. -fno-sanitize-recover=all so any
   finding fails CI loudly rather than scrolling past. -O1 + frame-
   pointers preserved for usable backtraces. CC=clang because clang's
   sanitizer integration is more mature than gcc's; gcc-built binaries
   still get exercised by the matrix in the main 'build' job.

2. clang-tidy (advisory)
   Lints core/ + skeletonkey.c (the files we control most directly;
   module sources often bundle published PoC code we keep close to
   upstream style, so they're excluded). continue-on-error: true for
   now so it sets a baseline without blocking merges; we can tighten
   incrementally as the warning surface shrinks.

3. drift-check (cron + workflow_dispatch)
   Runs weekly (Mon 06:00 UTC) and on-demand. Two sub-steps:
     - tools/refresh-cve-metadata.py --check  (CISA KEV + NVD CWE)
     - tools/refresh-kernel-ranges.py         (Debian security tracker)
   Both already exit non-zero on actionable drift. Network-required,
   so NOT gated on regular PR runs — random PRs shouldn't fail because
   CISA published a new KEV entry. The job runs ONLY on schedule +
   manual trigger (if: github.event_name == 'schedule' || ...).
   When it fires, the GH Actions warning annotation points the
   maintainer at the right refresh script to rerun + commit.

Smoke-tested locally:
  - macOS local ASan+UBSan build: kernel_range tests pass; detect()
    tests skipped (non-Linux platform stubs).
  - clang-tidy not installed locally; CI installs from apt.
2026-05-23 20:46:27 -04:00

196 lines
7.5 KiB
YAML
Raw Permalink Blame History

name: build
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
# Weekly drift check against CISA KEV + Debian security tracker.
# Runs Monday 06:00 UTC; reports any new backports / KEV additions
# that haven't propagated into the corpus yet.
- cron: '0 6 * * 1'
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
cc: [gcc, clang]
flavor: [default, debug]
name: build (${{ matrix.cc }} / ${{ matrix.flavor }})
steps:
- uses: actions/checkout@v4
- name: install build deps
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends \
build-essential clang make linux-libc-dev \
libglib2.0-dev pkg-config
- name: show compiler
run: ${{ matrix.cc }} --version
- name: build
env:
CC: ${{ matrix.cc }}
run: |
if [ "${{ matrix.flavor }}" = "debug" ]; then
make debug
else
make
fi
- name: sanity — skeletonkey --version
run: ./skeletonkey --version
- name: sanity — skeletonkey --list
run: ./skeletonkey --list
- name: sanity — skeletonkey --scan (no exploit; just detect)
run: ./skeletonkey --scan --no-color || true
# exit code may be nonzero (vulnerable host = exit 2, missing
# precond = exit 4) — that's diagnostic data, not CI failure
- name: sanity — --detect-rules auditd
run: ./skeletonkey --detect-rules --format=auditd | head -50
- name: sanity — --detect-rules sigma
run: ./skeletonkey --detect-rules --format=sigma | head -50
- name: tests — detect() unit suite
env:
CC: ${{ matrix.cc }}
run: |
# Run as a non-root user so modules' "already root" gates do
# not short-circuit before the synthetic host-fingerprint
# checks fire. The test binary itself is platform-agnostic;
# the assertions are #ifdef __linux__ guarded.
sudo useradd -m -s /bin/bash skeletonkeyci 2>/dev/null || true
sudo chown -R skeletonkeyci .
sudo -u skeletonkeyci make test
# ASan + UBSan run. clang-only; catches memory bugs and undefined
# behaviour the regular test suite can't see. Runs on the same 88
# tests as the main matrix; failures here are real bugs even if
# the assertions all pass.
sanitizers:
runs-on: ubuntu-latest
name: sanitizers (ASan + UBSan)
steps:
- uses: actions/checkout@v4
- name: install deps
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends \
build-essential clang make linux-libc-dev \
libglib2.0-dev pkg-config sudo
- name: build + test under sanitizers
env:
CC: clang
# AddressSanitizer + UndefinedBehaviorSanitizer. -O1 keeps
# backtraces meaningful while still exercising optimizer paths;
# -fno-omit-frame-pointer for ASan stack traces; halt-on-error
# so the first finding fails CI loudly rather than scrolling
# past silently.
CFLAGS: "-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined -fno-sanitize-recover=all -Wall -Wextra -Wno-unused-parameter -Wno-pointer-arith -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"
LDFLAGS: "-fsanitize=address,undefined"
run: |
sudo useradd -m -s /bin/bash skeletonkeyci 2>/dev/null || true
sudo chown -R skeletonkeyci .
sudo -u skeletonkeyci -E make test
# clang-tidy lint. Runs against core/ + skeletonkey.c (the files we
# control most tightly). Non-blocking for now — sets a baseline we
# can tighten incrementally. Module sources are excluded; many
# bundle published PoC code that we keep close to upstream style.
clang-tidy:
runs-on: ubuntu-latest
name: clang-tidy
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: install deps
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends \
clang clang-tidy linux-libc-dev libglib2.0-dev pkg-config
- name: lint core + dispatcher
run: |
clang-tidy core/*.c skeletonkey.c \
--warnings-as-errors='' \
-- -Icore -Imodules/copy_fail_family/src \
-D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
# Drift check — runs the two refresh scripts in --check / drift mode
# against authoritative federal sources. Catches:
# - New CISA KEV additions touching CVEs in our corpus
# - New Debian security-tracker backport-version updates that move
# the kernel_patched_from table thresholds
# Network-required (fetches kev.csv + Debian tracker JSON). Runs on
# the weekly cron + on-demand via workflow_dispatch. NOT gated on
# PRs because random PRs shouldn't fail on upstream feed drift.
drift-check:
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
name: drift-check (CISA KEV + Debian tracker)
steps:
- uses: actions/checkout@v4
- name: cve_metadata drift
run: |
# Exits 1 if the federal data has drifted from our committed
# JSON. Open a PR with `tools/refresh-cve-metadata.py` output
# if this fires.
python3 tools/refresh-cve-metadata.py --check || {
echo "::warning::cve_metadata drift detected — run tools/refresh-cve-metadata.py and commit the result"
exit 1
}
- name: kernel_range drift
run: |
# Exits 1 if any module's kernel_patched_from table is
# MISSING or TOO_TIGHT versus Debian's tracker. INFO-only
# findings are fine.
python3 tools/refresh-kernel-ranges.py || {
echo "::warning::kernel_range drift detected — see tools/refresh-kernel-ranges.py output"
exit 1
}
# Static build job: ensures the project links cleanly when -static is
# requested. Useful for deployment to minimal containers / fleet scans
# where shared-libc availability isn't guaranteed.
static-build:
runs-on: ubuntu-latest
name: static-build
steps:
- uses: actions/checkout@v4
- name: install build deps
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends \
build-essential make linux-libc-dev libc6-dev \
libglib2.0-dev pkg-config
- name: make static
# Glibc static linking pulls in NSS at runtime which breaks
# getpwnam; the legacy DIRTYFAIL Makefile noted this. For now,
# we allow this job to fail loudly so we know if a regression
# makes the regular dynamic build also break, but we don't
# gate the merge on it. Migrate to musl-gcc when we want a
# truly portable static binary.
continue-on-error: true
run: make static && ls -la skeletonkey
# Phase 4 followup (placeholder): kernel-VM matrix. Each entry runs
# the binary against a VM running a specific (vulnerable or patched)
# kernel and asserts the correct detect() verdict + exploit behavior.
# Requires self-hosted runners or a paid VM service; not enabled yet.
#
# kernel-vm-matrix:
# strategy:
# matrix:
# distro: [ubuntu-22.04, debian-11, alma-9, fedora-40]
# kernel: [5.10.50, 5.13.0, 5.15.30, 6.1.x, 6.12.x]
# runs-on: [self-hosted, kvm-host]
# ...
Reference in New Issue View Git Blame Copy Permalink