aitbc/.gitea/workflows/security-scanning.yml
aitbc e4f1a96172
ci: standardize pytest invocation and add security scanning
- Changed pytest calls to use `venv/bin/python -m pytest` with explicit config
- Added `--rootdir "$PWD"` and `--import-mode=importlib` for consistent imports
- Fixed PYTHONPATH to use absolute paths with $PWD prefix
- Added smart contract security scanning for Solidity files
- Added Circom circuit security checks for ZK proof circuits
- Added ZK proof implementation security validation
- Added contracts/** to security scanning workflow
2026-05-11 13:46:42 +02:00


name: Security Scanning

on:
  push:
    branches: [main, develop]
    paths:
      - 'apps/**'
      - 'packages/**'
      - 'cli/**'
      - 'contracts/**'
      - '.gitea/workflows/security-scanning.yml'
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

concurrency:
  group: security-scanning-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-scan:
    runs-on: debian
    timeout-minutes: 15
    steps:
      - name: Clone repository
        run: |
          WORKSPACE="/var/lib/aitbc-workspaces/security-scan"
          rm -rf "$WORKSPACE"
          mkdir -p "$WORKSPACE"
          cd "$WORKSPACE"
          git clone --depth 2 http://gitea.bubuit.net:3000/oib/aitbc.git repo
          cd repo
          git fetch --depth 2 origin "${{ github.ref }}"
          git checkout --detach FETCH_HEAD

      - name: Initialize job logging
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          bash scripts/ci/setup-job-logging.sh

      - name: Setup tools
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          # Ensure standard directories exist
          mkdir -p /var/lib/aitbc/data /var/lib/aitbc/keystore /etc/aitbc /var/log/aitbc
          # Remove any existing venv to avoid cache corruption issues
          rm -rf venv
          bash scripts/ci/setup-python-venv.sh \
            --repo-dir "$PWD" \
            --venv-dir "$PWD/venv" \
            --skip-requirements \
            --extra-packages "bandit pip-audit"
          echo "✅ Security tools installed"

      - name: Python dependency audit
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Dependency Audit ==="
          venv/bin/pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"

      - name: Bandit security scan
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Bandit Security Scan ==="
          # Full-tree scan on manual runs (no `schedule` trigger is declared in `on:`,
          # so the "schedule" branch is only reached via workflow_dispatch);
          # otherwise scan just the Python files touched by the last commit.
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            venv/bin/bandit -r apps/ packages/py/ cli/ \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q
          else
            mapfile -t python_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/py/.*)\.py$' || true)
            if [[ ${#python_files[@]} -eq 0 ]]; then
              echo "✅ No changed Python files to scan"
              exit 0
            fi
            printf '%s\n' "${python_files[@]}"
            venv/bin/bandit \
              -s B101,B311 \
              --severity-level medium \
              -f txt -q \
              "${python_files[@]}"
          fi
          echo "✅ Bandit scan completed"

      - name: Check for secrets
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets
          secret_matches=$(mktemp)
          password_matches=$(mktemp)
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          else
            mapfile -t changed_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^((apps|cli)/.*|packages/.*)$' || true)
            if [[ ${#changed_files[@]} -eq 0 ]]; then
              echo "✅ No changed files to scan for secrets"
              rm -f "$secret_matches" "$password_matches"
              exit 0
            fi
            grep -InE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
            grep -InE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" "${changed_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          fi
          if [[ -s "$secret_matches" ]]; then
            echo "❌ Possible secrets found"
            cat "$secret_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          if [[ -s "$password_matches" ]]; then
            echo "❌ Possible hardcoded passwords"
            head -5 "$password_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          rm -f "$secret_matches" "$password_matches"
          echo "✅ No hardcoded secrets detected"

      - name: Smart contract security scan
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Smart Contract Security Scan ==="
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            mapfile -t contract_files < <(find contracts/contracts -name "*.sol" 2>/dev/null || true)
          else
            mapfile -t contract_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^contracts/.*\.sol$' || true)
          fi
          if [[ ${#contract_files[@]} -eq 0 ]]; then
            echo "✅ No changed Solidity files to scan"
            exit 0
          fi
          printf '%s\n' "${contract_files[@]}"
          # Check for common smart contract vulnerabilities using grep patterns
          vuln_found=false
          # Check for tx.origin authentication (vulnerable to phishing)
          if grep -rn "tx\.origin" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock"; then
            echo "❌ VULNERABILITY: tx.origin usage detected (vulnerable to phishing attacks)"
            vuln_found=true
          fi
          # Check for low-level calls without proper checks
          if grep -rn "\.call\|\.delegatecall\|\.send" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock\|reentrancy"; then
            echo "⚠️ WARNING: Low-level calls detected (ensure reentrancy guards are in place)"
          fi
          # Check for unchecked return values
          if grep -rn "\.transfer\|\.send" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock" | grep -v "require\|if"; then
            echo "⚠️ WARNING: Possible unchecked return values on transfer/send"
          fi
          # Check for missing onlyOwner on sensitive functions
          if grep -rn "function.*mint\|function.*burn\|function.*pause" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock" | grep -v "onlyOwner\|onlyRole"; then
            echo "⚠️ WARNING: Sensitive functions without access control detected"
          fi
          # Check for floating pragma (should lock to specific version)
          if grep -rn "pragma solidity \^" "${contract_files[@]}" 2>/dev/null | grep -v "example\|test\|mock"; then
            echo "⚠️ WARNING: Floating pragma detected (consider locking to specific version)"
          fi
          if [[ "$vuln_found" == "true" ]]; then
            echo "❌ Smart contract vulnerabilities found"
            exit 1
          fi
          echo "✅ Smart contract security scan completed"

      - name: Circom circuit security check
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Circom Circuit Security Check ==="
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            mapfile -t circuit_files < <(find apps/zk-circuits -name "*.circom" 2>/dev/null || true)
          else
            mapfile -t circuit_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^apps/zk-circuits/.*\.circom$' || true)
          fi
          if [[ ${#circuit_files[@]} -eq 0 ]]; then
            echo "✅ No changed Circom files to scan"
            exit 0
          fi
          printf '%s\n' "${circuit_files[@]}"
          vuln_found=false
          # Check for incorrect constraint patterns
          if grep -rn "learning_rate.*1.*-.*learning_rate.*===.*learning_rate" "${circuit_files[@]}" 2>/dev/null; then
            echo "❌ VULNERABILITY: Incorrect learning rate constraint detected"
            vuln_found=true
          fi
          # Check for placeholder/mock implementations
          if grep -rn "mock\|placeholder\|TODO.*implement" "${circuit_files[@]}" 2>/dev/null | grep -i "constraint\|signal"; then
            echo "⚠️ WARNING: Placeholder implementations detected in circuits"
          fi
          # Check for missing input validation
          if grep -rn "signal input" "${circuit_files[@]}" 2>/dev/null; then
            echo "INFO: Review input validation for all signal inputs"
          fi
          if [[ "$vuln_found" == "true" ]]; then
            echo "❌ Circom circuit vulnerabilities found"
            exit 1
          fi
          echo "✅ Circom circuit security check completed"

      - name: ZK proof implementation security check
        run: |
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== ZK Proof Implementation Security Check ==="
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            mapfile -t zk_files < <(find apps/coordinator-api/src/app/services -name "*zk*.py" 2>/dev/null || true)
            mapfile -t zk_routers < <(find apps/coordinator-api/src/app/routers -name "*zk*.py" 2>/dev/null || true)
          else
            mapfile -t zk_files < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^apps/coordinator-api/src/app/services/.*zk.*\.py$' || true)
            mapfile -t zk_routers < <(git diff --name-only --diff-filter=ACMR HEAD^ HEAD | grep -E '^apps/coordinator-api/src/app/routers/.*zk.*\.py$' || true)
          fi
          if [[ ${#zk_files[@]} -eq 0 && ${#zk_routers[@]} -eq 0 ]]; then
            echo "✅ No changed ZK-related files to scan"
            exit 0
          fi
          all_zk_files=("${zk_files[@]}" "${zk_routers[@]}")
          printf '%s\n' "${all_zk_files[@]}"
          vuln_found=false
          # Check for mock verification implementations
          if grep -rn "mock.*verification\|return.*verified.*True\|TODO.*actual verification" "${all_zk_files[@]}" 2>/dev/null | grep -v "example\|test"; then
            echo "❌ VULNERABILITY: Mock ZK proof verification detected"
            vuln_found=true
          fi
          # Check for weak validation (length checks only)
          if grep -rn "len(.*proof).*>" "${all_zk_files[@]}" 2>/dev/null | grep -v "example\|test"; then
            echo "⚠️ WARNING: Weak proof validation (length checks only)"
          fi
          # Check for missing input validation
          if grep -rn "def.*generate.*proof" "${all_zk_files[@]}" 2>/dev/null; then
            echo "INFO: Ensure all proof generation functions validate inputs"
          fi
          if [[ "$vuln_found" == "true" ]]; then
            echo "❌ ZK proof implementation vulnerabilities found"
            exit 1
          fi
          echo "✅ ZK proof implementation security check completed"

      - name: Cleanup
        if: always()
        run: rm -rf /var/lib/aitbc-workspaces/security-scan
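As an added example (not part of the aitbc workflow or repository), the Solidity heuristics from the "Smart contract security scan" step wrapped in a shell function and run over a constructed sample contract, so that the blocking `tx.origin` hit, the warnings, and the line-based false positive on a `.send` whose `require` sits on the next line are visible together. The function name, the `Vault` sample and the temp-file handling are assumptions; the patterns are the step's own, written with `-E` alternation instead of `\|`.

```shell
#!/usr/bin/env bash
# Added example, not from the aitbc workflow: the same line-oriented grep
# heuristics as the "Smart contract security scan" step, as a function, run
# over a constructed sample contract. Uses -E alternation instead of \|.
set -u

# Prints one line per finding. Returns 1 only for the blocking tx.origin check,
# mirroring the step's vuln_found / exit 1 behaviour; warnings do not fail.
scan_solidity() {
  local file="$1" vuln=0
  if grep -n 'tx\.origin' "$file" | grep -qEv 'example|test|mock'; then
    echo "VULN: tx.origin used for authentication"; vuln=1
  fi
  if grep -nE '\.call|\.delegatecall|\.send' "$file" | grep -qEv 'example|test|mock|reentrancy'; then
    echo "WARN: low-level call present (check reentrancy guard)"
  fi
  # Line-based: a require() on the following line is not seen, so this
  # warning fires even when the return value is actually checked.
  if grep -nE '\.transfer|\.send' "$file" | grep -Ev 'example|test|mock' | grep -qEv 'require|if'; then
    echo "WARN: possible unchecked transfer/send"
  fi
  if grep -n 'pragma solidity \^' "$file" | grep -qEv 'example|test|mock'; then
    echo "WARN: floating pragma"
  fi
  return "$vuln"
}

# Constructed sample (assumption): one real finding (tx.origin), a floating
# pragma, and a .send whose require() sits on the next line (flagged anyway).
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
pragma solidity ^0.8.20;
contract Vault {
    address owner;
    function withdraw(uint256 amount) external {
        require(tx.origin == owner, "not owner");
        bool ok = payable(owner).send(amount);
        require(ok, "send failed");
    }
}
EOF

scan_solidity "$SAMPLE" && echo "no blocking findings" || echo "blocking finding: exit status 1"
```

Running it prints four findings; only the `tx.origin` line makes the function (and, in the workflow, the step) fail.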