Do not open a public issue. Email the maintainer (Aaron K. Clark —
cryptojones@owasp.org) with details and a way to reproduce. You'll get an acknowledgement
within a few days.
Scylla parses adversarial input — the binaries it analyzes are hostile by assumption. The architecture contains that risk at the seams rather than trusting the parser:
- Sandbox the engine producer (DD-014). The component that actually parses a binary is the engine (GayHydra / Ghidra), run as a separate, sandboxed producer. The durable Rust core sits outside that blast radius — a malformed binary can crash or abuse the engine without reaching the model, the ports, or the heads.
- Inherit GayHydra's hardening (DD-029). Scylla wraps the hardened fork, which carries the Rec 18/19 deserialization fixes and the Rec 33/34 IPC modernization. We do not re-introduce the un-hardened paths.
- The model artifact is data, not code. The Cap'n Proto
.scyllaartifact is parse-on-read with bounds; loading one never executes it. - Signed releases (keyless). Release artifacts are signed with Sigstore keyless cosign
(
.github/workflows/release.yml) — there is no signing key to steal or rotate: the signature is bound to the release workflow's GitHub Actions OIDC identity via Fulcio, with public proof in the Rekor transparency log. See Verifying a release below.
The deliberate seam-by-seam analysis lives in THREAT-MODEL.md — trust
boundaries, the three untrusted inputs (the binary, the .scylla artifact, analysis-derived
text), and the mitigations + residual gaps at each seam. It surfaced four open gaps, all tracked
in BACKLOG.md; the highest-priority is that the MCP head does not yet delimit
attacker-controlled analysis content as untrusted — the named prompt-injection threat (DD-035).
Each release artifact ships with a *.cosign.bundle (signature + certificate + Rekor proof). There
is no public key to fetch — keyless verification checks the artifact was signed by this repo's
release workflow and nothing else:
cosign verify-blob \
--bundle scylla-linux-x86_64.cosign.bundle \
--certificate-identity-regexp '^https://github\.com/CryptoJones/Scylla/\.github/workflows/release\.yml@refs/tags/v.*$' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
scylla-linux-x86_64A Verified OK means the bytes were signed by the Scylla release workflow at a real version tag —
not by someone who stole a key (there is none) or rebuilt the binary elsewhere. Pin the identity
regexp; do not relax the issuer.
The engine-service sandbox image is signed the same way (pushed to ghcr.io, keyless). Verify
the image you pull before you run a parser inside it:
cosign verify ghcr.io/cryptojones/scylla-engine-service:vX.Y.Z \
--certificate-identity-regexp '^https://github\.com/CryptoJones/Scylla/\.github/workflows/release\.yml@refs/tags/v.*$' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com'