ci: refactor Gitea workflows to use environment variables for workspace paths
- Added WORKSPACE env variable to all workflow jobs
- Changed hardcoded workspace paths to use ${{ env.WORKSPACE }}
- Updated paths in api-endpoint-tests.yml, build-miner-binary.yml, cli-level1-tests.yml, contract-benchmarks.yml, cross-node-transaction-testing.yml, and deployment-tests.yml
- Standardized workspace path references across all workflow files
2026-05-11 14:52:36 +02:00

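# Security scanning workflow (Gitea Actions).
#
# One job runs, in order: a pip-audit of requirements.txt, Bandit over the
# Python trees, a grep-based secret check, and grep heuristics over Solidity,
# Circom and ZK-related Python files. On push / pull_request events each
# scan step looks only at files changed in the tip commit (HEAD^..HEAD); on
# workflow_dispatch (and a `schedule` event, which the scripts test for) the
# whole tree is scanned.
#
# NOTE(review): no `schedule` trigger is configured below, so the full-tree
# branches in the steps only run on manual dispatch.
# NOTE(review): the forge flags invisible Unicode characters in this file;
# the emoji in the echo strings (the ⚠️ glyph carries a variation selector)
# are the likely source — confirm nothing else is hidden in the scripts.
name: Security Scanning
on:
  push:
    branches: [main, develop]
    paths:
      - 'apps/**'
      - 'packages/**'
      - 'cli/**'
      - 'contracts/**'
      - '.gitea/workflows/security-scanning.yml'
  pull_request:
    branches: [main, develop]
  workflow_dispatch:
concurrency:
  # Only runs of the same ref cancel each other.
  group: security-scanning-${{ github.ref }}
  cancel-in-progress: true
jobs:
  security-scan:
    runs-on: debian
    timeout-minutes: 15
    env:
      # NOTE(review): this path is fixed while the concurrency group above is
      # per ref, so two different refs scanned at the same time would share
      # (and `rm -rf`) the same checkout — confirm the runner serialises jobs.
      WORKSPACE: /var/lib/aitbc-workspaces/security-scan
    steps:
      - name: Clone repository
        env:
          # Passed through the environment rather than interpolated into the
          # script body: ref names may contain shell metacharacters, and an
          # expression substituted into `run` is expanded by the shell.
          GIT_REF: ${{ github.ref }}
        run: |
          rm -rf "${{ env.WORKSPACE }}"
          mkdir -p "${{ env.WORKSPACE }}"
          cd "${{ env.WORKSPACE }}"
          # NOTE(review): the clone is over plain HTTP and scripts from the
          # checkout are executed in later steps; use TLS (or a host-local
          # path) if the server offers it.
          git clone --depth 2 http://gitea.bubuit.net:3000/oib/aitbc.git repo
          cd repo
          # Depth 2 gives exactly HEAD and HEAD^, which is what the diff-based
          # steps below compare. A push of several commits therefore only has
          # its tip commit's changes scanned.
          git fetch --depth 2 origin "$GIT_REF"
          git checkout --detach FETCH_HEAD
      - name: Initialize job logging
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          bash scripts/ci/setup-job-logging.sh
      - name: Setup tools
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          # Ensure standard directories exist
          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
          # Remove any existing venv to avoid cache corruption issues
          rm -rf venv
          # Project requirements are skipped; only the scanners are installed.
          bash scripts/ci/setup-python-venv.sh \
            --repo-dir "$PWD" \
            --venv-dir "$PWD/venv" \
            --skip-requirements \
            --extra-packages "bandit pip-audit"
          echo "✅ Security tools installed"
      - name: Python dependency audit
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          echo "=== Dependency Audit ==="
          # Audits the pinned requirements file; pip-audit exits non-zero on
          # known-vulnerable versions, which fails the job.
          venv/bin/pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"
      - name: Bandit security scan
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          echo "=== Bandit Security Scan ==="
          # Full-tree scan on manual/scheduled runs; otherwise only the Python
          # files added/changed by the tip commit.
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            # B101 (assert_used) and B311 (random) are suppressed with -s;
            # findings below medium severity are dropped.
            venv/bin/bandit -r apps/ packages/py/ cli/ \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q
          else
            mapfile -t python_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
            if [[ ${#python_files[@]} -eq 0 ]]; then
              echo "✅ No changed Python files to scan"
              exit 0
            fi
            printf '%s\n' "${python_files[@]}"
            venv/bin/bandit \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q \
              "${python_files[@]}"
          fi
          echo "✅ Bandit scan completed"
      - name: Check for secrets
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets
          secret_matches=$(mktemp)
          password_matches=$(mktemp)
          # NOTE(review): the `grep -v` allow-list below matches anywhere on
          # the grep output line, path included, so any hit in a file whose
          # path contains e.g. "test" or "latest" is silently discarded.
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          else
            mapfile -t changed_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
            if [[ ${#changed_files[@]} -eq 0 ]]; then
              echo "✅ No changed files to scan for secrets"
              rm -f "$secret_matches" "$password_matches"
              exit 0
            fi
            grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          fi
          # A private-key hit is printed in full; password hits are truncated
          # to the first five lines so the log does not echo every candidate.
          if [[ -s "$secret_matches" ]]; then
            echo "❌ Possible secrets found"
            cat "$secret_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          if [[ -s "$password_matches" ]]; then
            echo "❌ Possible hardcoded passwords"
            head -5 "$password_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          rm -f "$secret_matches" "$password_matches"
          echo "✅ No hardcoded secrets detected"
      - name: Smart contract security scan
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          echo "=== Smart Contract Security Scan ==="
          # NOTE(review): the full-tree branch walks contracts/contracts only,
          # while the changed-file branch accepts any contracts/**/*.sol —
          # the two modes do not cover the same set of files.
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            mapfile -t contract_files < <(find contracts/contracts -name "*.sol" 2>/dev/null || true)
          else
            mapfile -t contract_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^contracts/.*\.sol$' || true)
          fi
          if [[ ${#contract_files[@]} -eq 0 ]]; then
            echo "✅ No changed Solidity files to scan"
            exit 0
          fi
          printf '%s\n' "${contract_files[@]}"
          # Check for common smart contract vulnerabilities using grep patterns.
          # Only the tx.origin check fails the job; the rest are warnings.
          vuln_found=false
          # Check for tx.origin authentication (vulnerable to phishing)
          if grep -rn "tx\.origin" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock"; then
            echo "❌ VULNERABILITY: tx.origin usage detected (vulnerable to phishing attacks)"
            vuln_found=true
          fi
          # Check for low-level calls without proper checks
          if grep -rn "\.call\|\.delegatecall\|\.send" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|reentrancy"; then
            echo "⚠️ WARNING: Low-level calls detected (ensure reentrancy guards are in place)"
          fi
          # Check for unchecked return values (line-level heuristic: a line
          # containing "require" or "if" anywhere is treated as checked)
          if grep -rn "\.transfer\|\.send" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock" | grep -v "require\|if"; then
            echo "⚠️ WARNING: Possible unchecked return values on transfer/send"
          fi
          # Check for missing onlyOwner on sensitive functions (same line only;
          # a modifier on a continuation line is not seen)
          if grep -rn "function.*mint\|function.*burn\|function.*pause" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock" | grep -v "onlyOwner\|onlyRole"; then
            echo "⚠️ WARNING: Sensitive functions without access control detected"
          fi
          # Check for floating pragma (should lock to specific version)
          if grep -rn "pragma solidity \^" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock"; then
            echo "⚠️ WARNING: Floating pragma detected (consider locking to specific version)"
          fi
          if [[ "$vuln_found" == "true" ]]; then
            echo "❌ Smart contract vulnerabilities found"
            exit 1
          fi
          echo "✅ Smart contract security scan completed"
      - name: Circom circuit security check
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          echo "=== Circom Circuit Security Check ==="
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            mapfile -t circuit_files < <(find apps/zk-circuits -name "*.circom" 2>/dev/null || true)
          else
            mapfile -t circuit_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^apps/zk-circuits/.*\.circom$' || true)
          fi
          if [[ ${#circuit_files[@]} -eq 0 ]]; then
            echo "✅ No changed Circom files to scan"
            exit 0
          fi
          printf '%s\n' "${circuit_files[@]}"
          vuln_found=false
          # Check for incorrect constraint patterns (the only failing check here)
          if grep -rn "learning_rate.*1.*-.*learning_rate.*===.*learning_rate" "${circuit_files[@]}" 2>/dev/null; then
            echo "❌ VULNERABILITY: Incorrect learning rate constraint detected"
            vuln_found=true
          fi
          # Check for placeholder/mock implementations
          if grep -rn "mock\|placeholder\|TODO.*implement" "${circuit_files[@]}" 2>/dev/null | grep -i "constraint\|signal"; then
            echo "⚠️ WARNING: Placeholder implementations detected in circuits"
          fi
          # Check for missing input validation (informational: fires for every
          # file that declares an input signal)
          if grep -rn "signal input" "${circuit_files[@]}" 2>/dev/null; then
            echo " INFO: Review input validation for all signal inputs"
          fi
          if [[ "$vuln_found" == "true" ]]; then
            echo "❌ Circom circuit vulnerabilities found"
            exit 1
          fi
          echo "✅ Circom circuit security check completed"
      - name: ZK proof implementation security check
        run: |
          cd "${{ env.WORKSPACE }}/repo"
          echo "=== ZK Proof Implementation Security Check ==="
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            mapfile -t zk_files < <(find apps/coordinator-api/src/app/services -name "*zk*.py" 2>/dev/null || true)
            mapfile -t zk_routers < <(find apps/coordinator-api/src/app/routers -name "*zk*.py" 2>/dev/null || true)
          else
            mapfile -t zk_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^apps/coordinator-api/src/app/services/.*zk.*\.py$' || true)
            mapfile -t zk_routers < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^apps/coordinator-api/src/app/routers/.*zk.*\.py$' || true)
          fi
          if [[ ${#zk_files[@]} -eq 0 && ${#zk_routers[@]} -eq 0 ]]; then
            echo "✅ No changed ZK-related files to scan"
            exit 0
          fi
          all_zk_files=("${zk_files[@]}" "${zk_routers[@]}")
          printf '%s\n' "${all_zk_files[@]}"
          vuln_found=false
          # Check for mock verification implementations (the only failing check)
          if grep -rn "mock.*verification\|return.*verified.*True\|TODO.*actual verification" "${all_zk_files[@]}" 2>/dev/null | grep -v "example\|test"; then
            echo "❌ VULNERABILITY: Mock ZK proof verification detected"
            vuln_found=true
          fi
          # Check for weak validation (length checks only)
          if grep -rn "len(.*proof).*>" "${all_zk_files[@]}" 2>/dev/null | grep -v "example\|test"; then
            echo "⚠️ WARNING: Weak proof validation (length checks only)"
          fi
          # Check for missing input validation (informational)
          if grep -rn "def.*generate.*proof" "${all_zk_files[@]}" 2>/dev/null; then
            echo " INFO: Ensure all proof generation functions validate inputs"
          fi
          if [[ "$vuln_found" == "true" ]]; then
            echo "❌ ZK proof implementation vulnerabilities found"
            exit 1
          fi
          echo "✅ ZK proof implementation security check completed"
      - name: Cleanup
        # Runs even when an earlier step failed so the workspace never lingers.
        if: always()
        run: rm -rf "${{ env.WORKSPACE }}"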