- Remove cron schedules from blockchain-sync-verification.yml (every 6 hours)
- Remove cron schedule from node-failover-simulation.yml (daily at 2 AM)
- Remove cron schedule from p2p-network-verification.yml (every 4 hours)
- Remove cron schedule from security-scanning.yml (weekly on Monday)
- Remove cron schedule from contract-benchmarks.yml (weekly on Sunday)
- All workflows now only trigger on push or manual workflow_dispatch
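# Security Scanning workflow: a dependency audit (pip-audit), static analysis
# of changed or all Python files (bandit) and a grep-based secret check.
#
# Runs on a self-hosted runner (`runs-on: debian`) in a fixed workspace
# directory under /var/lib/aitbc-workspaces (see the `concurrency` note).
name: Security Scanning

on:
  push:
    branches: [main, develop]
    paths:
      - 'apps/**'
      - 'packages/**'
      - 'cli/**'
      - '.gitea/workflows/security-scanning.yml'
      # The dependency audit reads this file, so a change to it alone must
      # also trigger the workflow.
      - 'requirements.txt'
  # NOTE(review): "Initialize job logging" and "Setup tools" execute scripts
  # from the checked-out ref. On a pull_request event that is code from the
  # PR head, running on this persistent self-hosted runner — confirm the
  # forge's policy for pull requests from forks before relying on it.
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# One run per ref. The workspace path is NOT per-ref, so two runs on
# different refs can still collide on the same directory (every run starts
# with `rm -rf` and the Cleanup step deletes it); keying the directory by
# run would close that gap — TODO confirm nothing else relies on the fixed
# path before changing it.
concurrency:
  group: security-scanning-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-scan:
    runs-on: debian
    timeout-minutes: 15
    env:
      # Single definition of the checkout location used by every step.
      WORKSPACE: /var/lib/aitbc-workspaces/security-scan
      # Context values are passed through the environment rather than
      # expanded inline into `run:` scripts, so a ref or event name that
      # contains shell metacharacters cannot change the script text.
      GIT_REF: ${{ github.ref }}
      EVENT_NAME: ${{ github.event_name }}

    steps:
      - name: Clone repository
        run: |
          rm -rf "$WORKSPACE"
          mkdir -p "$WORKSPACE"
          cd "$WORKSPACE"
          # Plaintext HTTP clone: later steps execute scripts from this
          # checkout, so the runner's network path to the forge has to be
          # trusted (no TLS integrity on the transfer).
          git clone --depth 2 http://gitea.bubuit.net:3000/oib/aitbc.git repo
          cd repo
          # --depth 2 is what keeps `HEAD^` resolvable for the diff-based
          # steps below.
          git fetch --depth 2 origin "$GIT_REF"
          git checkout --detach FETCH_HEAD

      - name: Initialize job logging
        run: |
          cd "$WORKSPACE/repo"
          bash scripts/ci/setup-job-logging.sh

      - name: Setup tools
        run: |
          cd "$WORKSPACE/repo"

          # Ensure standard directories exist
          # (presumably expected by the setup scripts; the scanners
          # themselves do not use them — TODO confirm)
          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc

          # Remove any existing venv to avoid cache corruption issues
          rm -rf venv

          # Project requirements are deliberately skipped; only the two
          # scanners are installed into the venv.
          bash scripts/ci/setup-python-venv.sh \
            --repo-dir "$PWD" \
            --venv-dir "$PWD/venv" \
            --skip-requirements \
            --extra-packages "bandit pip-audit"

          echo "✅ Security tools installed"

      - name: Python dependency audit
        run: |
          cd "$WORKSPACE/repo"
          echo "=== Dependency Audit ==="
          # pip-audit exits non-zero when it finds a known vulnerability,
          # which fails the step.
          venv/bin/pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"

      - name: Bandit security scan
        run: |
          cd "$WORKSPACE/repo"
          echo "=== Bandit Security Scan ==="
          # Manual runs scan the whole tree; push and PR runs scan only the
          # Python files changed between HEAD^ and HEAD. The "schedule"
          # case is kept for compatibility although no cron trigger is
          # defined in this file.
          if [[ "$EVENT_NAME" == "schedule" || "$EVENT_NAME" == "workflow_dispatch" ]]; then
            # -s B101,B311: do not report assert_used / random-module findings.
            venv/bin/bandit -r apps/ packages/py/ cli/ \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q
          else
            # HEAD^..HEAD is the tip commit against its first parent only:
            # a push of several commits is scanned for the last one alone.
            mapfile -t python_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)

            if [[ ${#python_files[@]} -eq 0 ]]; then
              echo "✅ No changed Python files to scan"
              exit 0
            fi

            printf '%s\n' "${python_files[@]}"
            venv/bin/bandit \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q \
              "${python_files[@]}"
          fi
          echo "✅ Bandit scan completed"

      - name: Check for secrets
        run: |
          cd "$WORKSPACE/repo"
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets.
          # Caveats visible in the patterns below:
          #   - matching is case-sensitive (no -i), so `PASSWORD=` or
          #     `Password=` are not caught;
          #   - the `grep -v` exclusions apply to the whole output line
          #     (path and content), so a genuine hit on a line or path that
          #     merely contains e.g. "test" is dropped silently.
          secret_matches=$(mktemp)
          password_matches=$(mktemp)
          # Temp files are removed on every exit path, including the
          # `exit 1` failures below.
          trap 'rm -f "$secret_matches" "$password_matches"' EXIT

          if [[ "$EVENT_NAME" == "schedule" || "$EVENT_NAME" == "workflow_dispatch" ]]; then
            grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          else
            # Same one-commit window as the bandit step.
            mapfile -t changed_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)

            if [[ ${#changed_files[@]} -eq 0 ]]; then
              echo "✅ No changed files to scan for secrets"
              exit 0
            fi

            grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          fi

          if [[ -s "$secret_matches" ]]; then
            echo "❌ Possible secrets found"
            cat "$secret_matches"
            exit 1
          fi

          if [[ -s "$password_matches" ]]; then
            echo "❌ Possible hardcoded passwords"
            head -5 "$password_matches"
            exit 1
          fi

          echo "✅ No hardcoded secrets detected"

      - name: Cleanup
        if: always()
        run: rm -rf "$WORKSPACE"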