@markusboehme
Member

Move the no-cryptography check from gops.yaml into the new go/assert-no-crypto pipeline. Then use it to ensure the build of iptables-wrappers can be used in an environment requiring FIPS compliance.

Add the go/assert-no-crypto pipeline to check that a Go module build
does not import any crypto packages. Package builds can use that to
ensure they are usable in FIPS context.

This takes the code of the check from gops.yaml in preparation of
further use.

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
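The PR description says the new pipeline checks that a Go module build does not import any crypto packages, but the page does not show how the check is implemented. The script below is an added illustration of such a check, not the wolfi-dev go/assert-no-crypto pipeline or the gops.yaml code it replaced. It assumes that the transitive package set of a build is obtained with `go list -deps`, and that a build counts as crypto-free when no import path lies under the standard library's `crypto/` tree, `golang.org/x/crypto`, or their vendored copies; both the pattern and the sample dependency lists are constructed for this example.

```shell
#!/bin/sh
# Added illustration of a "no cryptography in the build" check.
# Assumption: `go list -deps ./...` enumerates every package that will be
# compiled into the build (including indirect dependencies), and an import
# path is cryptographic when it lies under crypto/ (standard library),
# golang.org/x/crypto, or a vendored copy of either.

# Import-path patterns treated as cryptography (assumed list, extend as needed).
CRYPTO_PATTERN='^(vendor/)?(crypto(/|$)|golang\.org/x/crypto(/|$))'

# crypto_packages: filter import paths read on stdin, printing those that match
# CRYPTO_PATTERN. Always exits 0 so callers can capture the output under set -e.
crypto_packages() {
  grep -E "$CRYPTO_PATTERN" || true
}

# assert_no_crypto: read import paths (one per line) on stdin; succeed when
# none is cryptographic, otherwise list the offenders on stderr and return 1,
# which fails the package build when used as a pipeline step.
assert_no_crypto() {
  offenders=$(crypto_packages)
  if [ -n "$offenders" ]; then
    printf 'ERROR: build imports cryptography packages:\n%s\n' "$offenders" >&2
    return 1
  fi
  printf 'OK: no cryptography packages in build\n'
  return 0
}

# count_crypto: print the number of cryptographic packages found on stdin.
count_crypto() {
  crypto_packages | grep -c . || true
}

# Constructed sample dependency lists, in the one-path-per-line form that
# `go list -deps` prints. A wrapper that only shells out to iptables would
# look like the first; anything speaking TLS or SSH would look like the second.
CLEAN_DEPS='fmt
os
os/exec
golang.org/x/sys/unix'

CRYPTO_DEPS='fmt
crypto/tls
crypto/x509
vendor/golang.org/x/crypto/chacha20
golang.org/x/crypto/ssh'

# Usage against a real module checkout (not run here):
#   ( cd "$MODULE_DIR" && go list -deps ./... ) | assert_no_crypto
# Stand-alone demonstration on the constructed lists:
printf '%s\n' "$CLEAN_DEPS" | assert_no_crypto
printf '%s\n' "$CRYPTO_DEPS" | assert_no_crypto || echo "check failed as expected"
```

Running the check over `go list -deps` output rather than over `go.mod` matters because a crypto package can arrive through an indirect dependency that never appears in the module's own requirements; the transitive package list is what actually ends up in the binary.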
@markusboehme markusboehme requested a review from xnox December 5, 2025 11:30
@markusboehme markusboehme requested a review from a team as a code owner December 5, 2025 11:30
@markusboehme
Member Author

epoch-bot is failing, but I'm intentionally not bumping the epoch since this is a build-time check that is not affecting the output.

@xnox
Member

xnox commented Dec 5, 2025

> epoch-bot is failing, but I'm intentionally not bumping the epoch since this is a build-time check that is not affecting the output.

please bump the epoch - the rebuild is cheap; and we want to see the CI run to see that the build passes with this change.


@xnox xnox left a comment

please rebuild both packages.

The new go/assert-no-crypto pipeline is using the open-coded check from
gops.yaml verbatim. Switch to using the pipeline instead.

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
To be able to use iptables-wrappers in a FIPS context, ensure it is not
using any cryptography.

Signed-off-by: Markus Boehme <markus.boehme@chainguard.dev>
@markusboehme markusboehme requested a review from xnox December 5, 2025 11:50
@octo-sts octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Dec 5, 2025