From 11c5018a47bf6531cbbb44a15ba3cc1ab6b1eb93 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Thu, 14 Dec 2023 12:56:11 +0100
Subject: [PATCH] CI: Enable more compiler hardening options during our CI run Based on the OpenSSF compiler options hardening guide for C and C++: https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++
---
 tasks.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tasks.py b/tasks.py
index e745d5ee77..599f769056 100644
--- a/tasks.py
+++ b/tasks.py
@@ -406,6 +406,9 @@ def get_cflags():
 "-Werror=shadow",
 "-Wformat=2",
 "-Werror=format-security",
+ "-fstack-clash-protection",
+ "-fstack-protector-strong",
+ "-fcf-protection=full",
 "-Werror=string-plus-int" if is_compiler_clang() else '',
 ])

--
2.47.2
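Review bot: `-fcf-protection=full` is appended unconditionally in get_cflags(), but GCC and clang accept it only on x86 targets (it enables Intel CET instrumentation) and reject it elsewhere, so a CI job on an aarch64 runner would fail at the first compile. The neighbouring `-Werror=string-plus-int` entry already shows the gating pattern; something like `"-fcf-protection=full" if platform.machine() in ("x86_64", "AMD64") else '',` (plus `import platform` if tasks.py does not already have it) keeps the flag where it is supported, and the OpenSSF guide cited in the description lists `-mbranch-protection=standard` as the AArch64 counterpart. `-fstack-clash-protection` may also be ignored with a warning by some clang versions and targets, which is worth checking if any CI build promotes unused-option warnings to errors. get_cflags() starts outside the hunk, so whether these flags also reach the C++ flags is not visible here.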