Skip to content

Security Pipeline

Security Pipeline #75

Workflow file for this run

name: Security Pipeline
on:
schedule:
- cron: '0 2 * * *'
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
automated-security-pipeline:
name: Automated Security Pipeline
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
components: clippy, rustfmt
- name: Install cargo-audit
run: cargo install cargo-audit
- name: Build Security Audit Tool
run: |
cargo build --release -p security-audit
cp target/release/security-audit ./security-audit-tool
- name: Run Security Audit Pipeline
run: |
./security-audit-tool audit --report security-report.json
- name: Display Security Report
run: |
cat security-report.json
- name: Upload Security Report
uses: actions/upload-artifact@v4
with:
name: security-report
path: security-report.json
formal-verification:
name: Formal Verification (Kani)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- name: Install Kani
run: |
cargo install --locked kani-verifier
cargo kani setup
- name: Run Kani Verification
run: |
cd contracts/lib
cargo kani
regression-testing:
name: Regression Testing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- name: Run Tests
run: cargo test --workspace
dependency-check:
name: Dependency & Container Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'