Feature: Slack Notification Provider

.docker/compose/docker-compose.local.yml

@@ -47,7 +47,7 @@ services:
 #      - <PATH_TO_YOUR_CADDYFILE>:/import/Caddyfile:ro
 #      - <PATH_TO_YOUR_SITES_DIR>:/import/sites:ro # If your Caddyfile imports other files
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3

.docker/compose/docker-compose.playwright-ci.yml

@@ -87,7 +87,7 @@ services:
       - playwright_caddy_config:/config
       - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
-      test: ["CMD", "curl", "-sf", "http://localhost:8080/api/v1/health"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 5s
       timeout: 3s
       retries: 12

.docker/compose/docker-compose.playwright-local.yml

@@ -52,7 +52,7 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro # For container discovery in tests
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 5s
       timeout: 5s
       retries: 10

.docker/compose/docker-compose.yml

@@ -52,7 +52,7 @@ services:
       # - ./my-existing-Caddyfile:/import/Caddyfile:ro
       # - ./sites:/import/sites:ro # If your Caddyfile imports other files
     healthcheck:
-      test: ["CMD-SHELL", "curl -fsS http://localhost:8080/api/v1/health || exit 1"]
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:8080/api/v1/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3

.docker/docker-entrypoint.sh

@@ -365,7 +365,7 @@ echo "Caddy started (PID: $CADDY_PID)"
 echo "Waiting for Caddy admin API..."
 i=1
 while [ "$i" -le 30 ]; do
-    if curl -sf http://127.0.0.1:2019/config/ > /dev/null 2>&1; then
+    if wget -qO /dev/null http://127.0.0.1:2019/config/ 2>/dev/null; then
         echo "Caddy is ready!"
         break
     fi

.github/workflows/auto-changelog.yml

@@ -21,6 +21,6 @@ jobs:
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
       - name: Draft Release
-        uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6
+        uses: release-drafter/release-drafter@3a7fb5c85b80b1dda66e1ccb94009adbbd32fce3 # v7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/auto-versioning.yml

@@ -89,7 +89,7 @@ jobs:
 
       - name: Create GitHub Release (creates tag via API)
         if: ${{ steps.semver.outputs.changed == 'true' && steps.check_release.outputs.exists == 'false' }}
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
         with:
           tag_name: ${{ steps.determine_tag.outputs.tag }}
           name: Release ${{ steps.determine_tag.outputs.tag }}

.github/workflows/cerberus-integration.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run Cerberus integration tests

.github/workflows/codeql.yml

@@ -52,7 +52,7 @@ jobs:
         run: bash scripts/ci/check-codeql-parity.sh
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
@@ -92,10 +92,10 @@ jobs:
         run: mkdir -p sarif-results
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4
         with:
           category: "/language:${{ matrix.language }}"
           output: sarif-results/${{ matrix.language }}

.github/workflows/crowdsec-integration.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run CrowdSec integration tests

.github/workflows/docker-build.yml

@@ -565,7 +565,7 @@ jobs:
 
       - name: Upload Trivy results
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-results.sarif'
           category: '.github/workflows/docker-build.yml:build-and-push'
@@ -724,30 +724,30 @@ jobs:
 
       - name: Upload Trivy scan results
         if: always() && steps.trivy-pr-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-pr-results.sarif'
           category: 'docker-pr-image'
 
       - name: Upload Trivy compatibility results (docker-build category)
         if: always() && steps.trivy-pr-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-pr-results.sarif'
           category: '.github/workflows/docker-build.yml:build-and-push'
         continue-on-error: true
 
       - name: Upload Trivy compatibility results (docker-publish alias)
         if: always() && steps.trivy-pr-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-pr-results.sarif'
           category: '.github/workflows/docker-publish.yml:build-and-push'
         continue-on-error: true
 
       - name: Upload Trivy compatibility results (nightly alias)
         if: always() && steps.trivy-pr-check.outputs.exists == 'true'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-pr-results.sarif'
           category: 'trivy-nightly'

.github/workflows/nightly-build.yml

@@ -451,7 +451,7 @@ jobs:
           trivyignores: '.trivyignore'
 
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4.33.0
         with:
           sarif_file: 'trivy-nightly.sarif'
           category: 'trivy-nightly'

.github/workflows/rate-limit-integration.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run rate limit integration tests

.github/workflows/renovate.yml

@@ -25,7 +25,7 @@ jobs:
           fetch-depth: 1
 
       - name: Run Renovate
-        uses: renovatebot/github-action@0b17c4eb901eca44d018fb25744a50a74b2042df # v46.1.4
+        uses: renovatebot/github-action@abd08c7549b2a864af5df4a2e369c43f035a6a9d # v46.1.5
         with:
           configurationFile: .github/renovate.json
           token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/security-pr.yml

@@ -240,7 +240,7 @@ jobs:
       - name: Download PR image artifact
         if: github.event_name == 'workflow_run' || github.event_name == 'workflow_dispatch'
         # actions/download-artifact v4.1.8
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+        uses: actions/download-artifact@484a0b528fb4d7bd804637ccb632e47a0e638317
         with:
           name: ${{ steps.check-artifact.outputs.artifact_name }}
           run-id: ${{ steps.check-artifact.outputs.run_id }}
@@ -385,7 +385,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@1a97b0f94ec9297d6f58aefe5a6b5441c045bed4
+        uses: github/codeql-action/upload-sarif@7dd76e6bf79d24133aa649887a6ee01d8b063816
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}

.github/workflows/security-weekly-rebuild.yml

@@ -113,7 +113,7 @@ jobs:
           version: 'v0.69.3'
 
       - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: 'trivy-weekly-results.sarif'
 

.github/workflows/supply-chain-pr.yml

@@ -362,7 +362,7 @@ jobs:
 
       - name: Upload SARIF to GitHub Security
         if: steps.check-artifact.outputs.artifact_found == 'true'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4
         continue-on-error: true
         with:
           sarif_file: grype-results.sarif
@@ -381,9 +381,12 @@ jobs:
 
       - name: Comment on PR
         if: steps.set-target.outputs.image_name != '' && steps.pr-number.outputs.is_push != 'true' && steps.pr-number.outputs.pr_number != ''
+        continue-on-error: true
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          set -euo pipefail
+
           PR_NUMBER="${{ steps.pr-number.outputs.pr_number }}"
           COMPONENT_COUNT="${{ steps.sbom-count.outputs.component_count }}"
           CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
@@ -429,29 +432,38 @@ jobs:
           EOF
           )
 
-          # Find and update existing comment or create new one
-          COMMENT_ID=$(gh api \
+          # Fetch existing comments — skip gracefully on 403 / permission errors
+          COMMENTS_JSON=""
+          if ! COMMENTS_JSON=$(gh api \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
-            --jq '.[] | select(.body | contains("Supply Chain Verification Results")) | .id' | head -1)
+            "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" 2>/dev/null); then
+            echo "⚠️ Cannot access PR comments (likely token permissions / fork / event context). Skipping PR comment."
+            exit 0
+          fi
 
-          if [[ -n "${COMMENT_ID}" ]]; then
+          COMMENT_ID=$(echo "${COMMENTS_JSON}" | jq -r '.[] | select(.body | contains("Supply Chain Verification Results")) | .id' | head -1)
+
+          if [[ -n "${COMMENT_ID:-}" && "${COMMENT_ID}" != "null" ]]; then
             echo "📝 Updating existing comment..."
-            gh api \
-              --method PATCH \
+            if ! gh api --method PATCH \
               -H "Accept: application/vnd.github+json" \
               -H "X-GitHub-Api-Version: 2022-11-28" \
               "/repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
-              -f body="${COMMENT_BODY}"
+              -f body="${COMMENT_BODY}"; then
+              echo "⚠️ Failed to update comment (permissions?). Skipping."
+              exit 0
+            fi
           else
             echo "📝 Creating new comment..."
-            gh api \
-              --method POST \
+            if ! gh api --method POST \
               -H "Accept: application/vnd.github+json" \
               -H "X-GitHub-Api-Version: 2022-11-28" \
               "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
-              -f body="${COMMENT_BODY}"
+              -f body="${COMMENT_BODY}"; then
+              echo "⚠️ Failed to create comment (permissions?). Skipping."
+              exit 0
+            fi
           fi
 
           echo "✅ PR comment posted"

.github/workflows/waf-integration.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Build Docker image (Local)
         run: |
           echo "Building image locally for integration tests..."
-          docker build -t charon:local .
+          docker build -t charon:local --build-arg CI="${CI:-false}" .
           echo "✅ Successfully built charon:local"
 
       - name: Run WAF integration tests

.github/workflows/weekly-nightly-promotion.yml

@@ -200,8 +200,8 @@ jobs:
     runs-on: ubuntu-latest
     if: needs.check-nightly-health.outputs.is_healthy == 'true'
     outputs:
-      pr_number: ${{ steps.create-pr.outputs.pr_number }}
-      pr_url: ${{ steps.create-pr.outputs.pr_url }}
+      pr_number: ${{ steps.create-pr.outputs.pr_number || steps.existing-pr.outputs.pr_number }}
+      pr_url: ${{ steps.create-pr.outputs.pr_url || steps.existing-pr.outputs.pr_url }}
       skipped: ${{ steps.check-diff.outputs.skipped }}
 
     steps:

.grype.yaml

@@ -4,61 +4,6 @@
 # Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
 
 ignore:
-  # CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
-  # Severity: CRITICAL
-  # Package: zlib 1.3.1-r2 (Alpine Linux base image)
-  # Status: No upstream fix available as of 2026-01-16
-  #
-  # Vulnerability Details:
-  # - Global buffer overflow in TGZfname() function
-  # - Unbounded strcpy() allows attacker-controlled archive names
-  # - Can lead to memory corruption, DoS, potential RCE
-  #
-  # Risk Assessment: ACCEPTED (Low exploitability in Charon context)
-  # - Charon does not use untgz utility directly
-  # - No untrusted tar archive processing in application code
-  # - Attack surface limited to OS-level utilities
-  # - Multiple layers of containerization and isolation
-  #
-  # Mitigation:
-  # - Monitor Alpine Linux security feed daily for zlib patches
-  # - Container runs with minimal privileges (no-new-privileges)
-  # - Read-only filesystem where possible
-  # - Network isolation via Docker networks
-  #
-  # Review:
-  # - Daily checks for Alpine security updates
-  # - Automatic re-scan via CI/CD on every commit
-  # - Manual review scheduled for 2026-01-23 (7 days)
-  #
-  # Removal Criteria:
-  # - Alpine releases zlib 1.3.1-r3 or higher with CVE fix
-  # - OR upstream zlib project releases patched version
-  # - Remove this suppression immediately after fix available
-  #
-  # References:
-  # - CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-22184
-  # - Alpine Security: https://security.alpinelinux.org/
-  # - GitHub Issue: https://github.com/Wikid82/Charon/issues/TBD
-  - vulnerability: CVE-2026-22184
-    package:
-      name: zlib
-      version: "1.3.1-r2"
-      type: apk  # Alpine package
-    reason: |
-      CRITICAL buffer overflow in untgz utility. No fix available from Alpine
-      as of 2026-01-16. Risk accepted: Charon does not directly use untgz or
-      process untrusted tar archives. Attack surface limited to base OS utilities.
-      Monitoring Alpine security feed for upstream patch.
-    expiry: "2026-03-14"  # Re-evaluate in 7 days
-
-    # Action items when this suppression expires:
-    # 1. Check Alpine security feed: https://security.alpinelinux.org/
-    # 2. Check zlib releases: https://github.com/madler/zlib/releases
-    # 3. If fix available: Update Dockerfile, rebuild, remove suppression
-    # 4. If no fix: Extend expiry by 7 days, document justification
-    # 5. If extended 3+ times: Escalate to security team for review
-
   # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
   # Severity: HIGH (CVSS 8.1)
   # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy)
@@ -98,7 +43,8 @@ ignore:
   # Review:
   # - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5;
   #   no release requiring nebula v1.10+ has shipped. Suppression extended 14 days.
-  # - Next review: 2026-03-05. Remove suppression immediately once upstream fixes.
+  # - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
+  # - Next review: 2026-04-12. Remove suppression immediately once upstream fixes.
   #
   # Removal Criteria:
   # - smallstep/certificates releases a stable version requiring nebula v1.10+
@@ -118,11 +64,11 @@ ignore:
       type: go-module
     reason: |
       HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
-      Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-02-19)
+      Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13)
       still requires nebula v1.9.x (verified across v0.27.5–v0.30.0-rc2). Charon does
       not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix.
-      Reviewed 2026-02-19: no new smallstep release changes this assessment.
-    expiry: "2026-03-05"  # Re-evaluate in 14 days (2026-02-19 + 14 days)
+      Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
+    expiry: "2026-04-12"  # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
 
     # Action items when this suppression expires:
     # 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases