23348892b9
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Failing after 36s
CLI Tests / test-cli (push) Failing after 3m9s
Documentation Validation / validate-docs (push) Successful in 8s
Integration Tests / test-service-integration (push) Failing after 3s
JavaScript SDK Tests / test-js-sdk (push) Successful in 7s
Package Tests / test-python-packages (map[name:aitbc-agent-sdk path:packages/py/aitbc-agent-sdk]) (push) Failing after 8s
Package Tests / test-python-packages (map[name:aitbc-core path:packages/py/aitbc-core]) (push) Failing after 29s
Package Tests / test-python-packages (map[name:aitbc-crypto path:packages/py/aitbc-crypto]) (push) Failing after 13s
Package Tests / test-python-packages (map[name:aitbc-sdk path:packages/py/aitbc-sdk]) (push) Failing after 16s
Package Tests / test-javascript-packages (map[name:aitbc-sdk-js path:packages/js/aitbc-sdk]) (push) Successful in 7s
Package Tests / test-javascript-packages (map[name:aitbc-token path:packages/solidity/aitbc-token]) (push) Failing after 18s
Python Tests / test-python (push) Failing after 3m37s
Rust ZK Components Tests / test-rust-zk (push) Successful in 28s
Security Scanning / security-scan (push) Failing after 46s
Smart Contract Tests / test-solidity (map[name:aitbc-token path:packages/solidity/aitbc-token]) (push) Failing after 18s
Smart Contract Tests / test-solidity (map[name:zk-circuits path:apps/zk-circuits]) (push) Failing after 43s
Smart Contract Tests / lint-solidity (push) Failing after 12s
Staking Tests / test-staking-service (push) Failing after 2m33s
Staking Tests / test-staking-integration (push) Has been skipped
Staking Tests / test-staking-contract (push) Has been skipped
Staking Tests / run-staking-test-runner (push) Has been skipped
Systemd Sync / sync-systemd (push) Failing after 4s
- Remove `|| echo "⚠️ ..."` fallbacks that masked failures - Add explicit `exit 1` on port readiness failures and missing test directories - Track port_ready flag in health check loops to fail if services don't start - Replace warning emoji (⚠️) with error emoji (❌) for actual failures - Fix docs-validation to use curated Markdown target list excluding high-noise directories - Update rust-zk-tests paths from gpu_acceleration/research to dev
97 lines
3.0 KiB
YAML
97 lines
3.0 KiB
YAML
name: Security Scanning
|
|
|
|
on:
|
|
push:
|
|
branches: [main, develop]
|
|
paths:
|
|
- 'apps/**'
|
|
- 'packages/**'
|
|
- 'cli/**'
|
|
- '.gitea/workflows/security-scanning.yml'
|
|
pull_request:
|
|
branches: [main, develop]
|
|
schedule:
|
|
- cron: '0 3 * * 1'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: security-scanning-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: debian
|
|
timeout-minutes: 15
|
|
|
|
steps:
|
|
- name: Clone repository
|
|
run: |
|
|
WORKSPACE="/var/lib/aitbc-workspaces/security-scan"
|
|
rm -rf "$WORKSPACE"
|
|
mkdir -p "$WORKSPACE"
|
|
cd "$WORKSPACE"
|
|
git clone --depth 1 http://gitea.bubuit.net:3000/oib/aitbc.git repo
|
|
|
|
- name: Setup tools
|
|
run: |
|
|
cd /var/lib/aitbc-workspaces/security-scan/repo
|
|
|
|
# Ensure standard directories exist
|
|
mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
|
|
|
|
python3 -m venv venv
|
|
source venv/bin/activate
|
|
pip install -q bandit pip-audit
|
|
echo "✅ Security tools installed"
|
|
|
|
- name: Python dependency audit
|
|
run: |
|
|
cd /var/lib/aitbc-workspaces/security-scan/repo
|
|
source venv/bin/activate
|
|
echo "=== Dependency Audit ==="
|
|
pip-audit -r requirements.txt --desc
|
|
echo "✅ Dependency audit completed"
|
|
|
|
- name: Bandit security scan
|
|
run: |
|
|
cd /var/lib/aitbc-workspaces/security-scan/repo
|
|
source venv/bin/activate
|
|
echo "=== Bandit Security Scan ==="
|
|
bandit -r apps/ packages/py/ cli/ \
|
|
-s B101,B311 \
|
|
--severity-level medium \
|
|
-f txt -q
|
|
echo "✅ Bandit scan completed"
|
|
|
|
- name: Check for secrets
|
|
run: |
|
|
cd /var/lib/aitbc-workspaces/security-scan/repo
|
|
echo "=== Secret Detection ==="
|
|
# Simple pattern check for leaked secrets
|
|
secret_matches=$(mktemp)
|
|
password_matches=$(mktemp)
|
|
|
|
grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
|
|
grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
|
|
|
|
if [[ -s "$secret_matches" ]]; then
|
|
echo "❌ Possible secrets found"
|
|
cat "$secret_matches"
|
|
rm -f "$secret_matches" "$password_matches"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -s "$password_matches" ]]; then
|
|
echo "❌ Possible hardcoded passwords"
|
|
head -5 "$password_matches"
|
|
rm -f "$secret_matches" "$password_matches"
|
|
exit 1
|
|
fi
|
|
|
|
rm -f "$secret_matches" "$password_matches"
|
|
echo "✅ No hardcoded secrets detected"
|
|
|
|
- name: Cleanup
|
|
if: always()
|
|
run: rm -rf /var/lib/aitbc-workspaces/security-scan
|