From dc6486464336d14f270db96e6c8789028f170195 Mon Sep 17 00:00:00 2001 From: Andrey Nering Date: Sat, 9 May 2026 10:59:36 -0300 Subject: [PATCH] docs: add security > threat model page (#2830) --- website/.vitepress/config.ts | 4 + website/src/docs/security/index.md | 3 +- website/src/docs/security/threat-model.md | 174 ++++++++++++++++++++++ 3 files changed, 180 insertions(+), 1 deletion(-) create mode 100644 website/src/docs/security/threat-model.md diff --git a/website/.vitepress/config.ts b/website/.vitepress/config.ts index c2cf94f5..92ad218a 100644 --- a/website/.vitepress/config.ts +++ b/website/.vitepress/config.ts @@ -470,6 +470,10 @@ export default defineConfig({ { text: 'Incident Response Plan', link: '/docs/security/incident-response-plan' + }, + { + text: 'Threat Model', + link: '/docs/security/threat-model' } ] }, diff --git a/website/src/docs/security/index.md b/website/src/docs/security/index.md index fbcb69e2..a80aef94 100644 --- a/website/src/docs/security/index.md +++ b/website/src/docs/security/index.md @@ -15,7 +15,8 @@ A member of the team will investigate as soon as possible and we will keep you updated throughout the process. You can read more about how we handle security-related issues in our [Incident -Response Plan][irp]. +Response Plan][irp] and [Threat Model][tm]. [pvr]: https://github.com/go-task/task/security/advisories/new [irp]: ./incident-response-plan +[tm]: ./threat-model diff --git a/website/src/docs/security/threat-model.md b/website/src/docs/security/threat-model.md new file mode 100644 index 00000000..7cd40ed2 --- /dev/null +++ b/website/src/docs/security/threat-model.md @@ -0,0 +1,174 @@ +--- +title: Threat Model +outline: deep +--- + +# Threat Model + +This document outlines the security threats, assets, and mitigations for the +Task project. It serves as a high-level, public guide and is published as part +of our commitment to transparency. + +## Asset Inventory + +### Critical Assets + +- **Source Code:** The Task CLI, build scripts, and configuration files + (e.g., `Taskfile.yml`, `.goreleaser.yml`). +- **Build Artifacts:** Compiled binaries, packages, and containers distributed + to users. +- **Secrets:** API tokens, signing keys, and repository credentials used in + CI/CD and release pipelines. +- **Release Metadata:** Version numbers, changelogs, and checksums. +- **CI/CD Pipelines & Runners:** GitHub Actions workflows that build, test, and + release the project. +- **Third-party Dependencies:** Go modules and tools used to build and + distribute Task. +- **Website & Documentation:** The taskfile.dev site and installation scripts. + +### Asset Locations + +- Local developer machines +- GitHub Actions runners +- GitHub Releases +- Public package registries (npm, Homebrew, Winget, Cloudsmith) +- Source control platforms (GitHub) +- Netlify (website hosting) + +## Threat Model + +### Actors + +- **Maintainers & Contributors:** Trusted users with varying levels of + repository access. +- **External Attackers:** Untrusted users seeking to compromise builds, + releases, or user systems. +- **Supply Chain Threats:** Malicious dependencies or compromised third-party + services. +- **CI/CD Systems:** Automated agents that may be exploited if misconfigured. + +### Entry Points + +- Source code contributions (pull requests, issues) +- Configuration files and build scripts +- CI/CD integration and environment variables +- Third-party dependencies +- Release pipelines and artifact repositories +- Remote Taskfile fetching (HTTP, Git) +- Installation scripts + +### Trust Boundaries + +- Between the project repository and the CI/CD environment +- Between Task and remote Taskfiles fetched over the network +- Between artifact generation and distribution channels +- Between the Task binary and user-defined shell commands + +### Threats + +#### Supply Chain Attacks + +- Compromised Go dependencies or build tools +- Unauthorized changes to source code or configuration +- Exploitation of third-party CI/CD or package registry services +- Compromised installation scripts or distribution channels + +#### Secrets Leakage + +- Exposure of tokens, credentials, or signing keys in logs, error messages, + or artifacts +- Hardcoded secrets in code or configuration +- Improper secret management in CI/CD environments + +#### Code Execution / Injection + +- Malicious code execution via compromised pull requests or dependencies +- Remote code execution vulnerabilities in Task or its dependencies +- **Note:** Task intentionally executes user-defined shell commands as part of + its core functionality. Users are responsible for the commands they define in + their Taskfiles. + +#### Unauthorized Access + +- Unauthorized users triggering releases or accessing sensitive artifacts +- Insecure permissions on runners, repositories, or artifact stores +- Compromised maintainer accounts + +#### Data Integrity & Tampering + +- Tampering with build artifacts, changelogs, or metadata +- Compromise of signing keys, leading to malicious releases +- Man-in-the-middle attacks against remote Taskfile fetching + +#### Denial of Service + +- Abuse of CI/CD resources, bandwidth, or artifact storage +- Overloading automated processes or API endpoints +- Malicious Taskfiles designed to exhaust system resources + +## Mitigations + +### Supply Chain Security + +- Pin dependencies and use trusted sources +- Mandatory code review and CI checks on all incoming pull requests +- Signed commits and release tags +- Enable immutable releases where supported +- Run `govulncheck` on every commit and tag +- Pin GitHub Actions to specific commit SHAs + +### Secrets Management + +- Secure storage using GitHub Secrets +- Never log or expose secrets in build or release outputs +- Regularly rotate secrets and monitor for suspicious activity +- Use least-privilege tokens scoped to specific repositories + +### Secure Code Execution + +- Validate and sanitize configuration files and user inputs +- Audit dependencies for vulnerabilities +- HTTP is rejected for remote Taskfiles by default (requires `--insecure` flag) +- TLS certificate verification for remote Git repositories + +### Access Control + +- Enforce least privilege for CI/CD runners, repositories, and artifact stores +- Require multi-factor authentication for maintainers +- Restrict release triggers to tagged releases only +- Lower permissions of less active maintainers + +### Artifact Integrity + +- Generate checksums for all release artifacts +- Distribute artifacts via trusted, access-controlled repositories +- Verify signatures and checksums in installation scripts where possible + +### Availability Protection + +- Implement rate limiting and resource quotas on CI/CD jobs +- Monitor for abnormal activity and automate alerts +- Set timeouts on network operations (e.g., remote Taskfile fetching) + +## Residual Risks + +- Zero-day vulnerabilities in dependencies, CI/CD systems, or Task itself +- Social engineering attacks targeting maintainers +- Unnoticed supply chain compromises +- Human error in configuration or secret management +- Users fetching malicious remote Taskfiles from untrusted sources + +## Security Best Practices + +- Regularly update dependencies and build tools +- Monitor security advisories and patch vulnerabilities promptly +- Educate contributors on secure coding and secrets hygiene +- Document security policies and incident response procedures + +## References + +- [Task Documentation](https://taskfile.dev/) +- [Incident Response Plan](./incident-response-plan) +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Supply Chain Security](https://slsa.dev/) +- [GitHub Security Best Practices](https://docs.github.com/en/code-security)