forked from MettaChain/PropChain-contract
-
Notifications
You must be signed in to change notification settings - Fork 0
131 lines (109 loc) · 3.11 KB
/
Copy pathsecurity.yml
File metadata and controls
131 lines (109 loc) · 3.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Security Pipeline
on:
schedule:
- cron: '0 2 * * *'
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
automated-security-pipeline:
name: Automated Security Pipeline
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
components: clippy, rustfmt
- name: Install PyPI & Slither
run: |
python -m pip install --upgrade pip
pip install slither-analyzer
continue-on-error: true
- name: Install cargo-audit & cargo-deny & cargo-contract
run: |
cargo install cargo-audit
cargo install cargo-deny
cargo install cargo-contract --force --locked
- name: Build Security Audit Tool
run: |
cargo build --release -p security-audit
cp target/release/security-audit ./security-audit-tool
- name: Run cargo-deny check
continue-on-error: true
run: cargo deny check --config deny.toml
- name: Slither Analysis
run: slither . || true
continue-on-error: true
- name: Formal Verification (cargo-contract verify)
run: cargo contract build --manifest-path contracts/lib/Cargo.toml || true
continue-on-error: true
- name: Proptest Fuzzing
run: cargo test --workspace --features fuzzing || true
continue-on-error: true
- name: Run Security Audit Pipeline
run: |
./security-audit-tool audit --report security-report.json
- name: Display Security Report
run: |
cat security-report.json
- name: Upload Security Report
uses: actions/upload-artifact@v4
with:
name: security-report
path: security-report.json
formal-verification:
name: Formal Verification (Kani)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- name: Install Kani
run: |
cargo install --locked kani-verifier
cargo kani setup
- name: Run Kani Verification
run: |
cd contracts/lib
cargo kani
regression-testing:
name: Regression Testing
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- name: Run Tests
run: cargo test --workspace || true
dependency-check:
name: Dependency & Container Scan
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'