synor/.github/workflows/security.yml
Gulshan Yadav 1606776394 feat: Phase 7 critical tasks - security, formal verification, WASM crypto
## Formal Verification
- Add TLA+ specs for UTXO conservation (formal/tla/UTXOConservation.tla)
- Add TLA+ specs for GHOSTDAG ordering (formal/tla/GHOSTDAGOrdering.tla)
- Add mathematical proof of DAA convergence (formal/proofs/)
- Document Kani verification approach (formal/kani/)

## Bug Bounty Program
- Add SECURITY.md with vulnerability disclosure process
- Add docs/BUG_BOUNTY.md with $500-$100,000 reward tiers
- Define scope, rules, and response SLA

## Web Wallet Dilithium3 WASM Integration
- Build WASM module via Docker (498KB optimized)
- Add wasm-crypto.ts lazy loader for Dilithium3
- Add createHybridSignatureLocal() for full client-side signing
- Add createHybridSignatureSmart() for auto-mode selection
- Add Dockerfile.wasm and build scripts

## Security Review ($0 Approach)
- Add .github/workflows/security.yml CI workflow
- Add deny.toml for cargo-deny license/security checks
- Add Dockerfile.security for audit container
- Add scripts/security-audit.sh for local audits
- Configure cargo-audit, cargo-deny, cargo-geiger, gitleaks
2026-01-10 01:40:03 +05:30


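# Security Audit CI Workflow
# Runs automated security checks on every push and PR
#
# SECURITY NOTE: This workflow does not use any untrusted inputs
# (issue titles, PR descriptions, etc.) in run commands, and it is
# triggered by `pull_request` (not `pull_request_target`), so PRs from
# forks run without repository secrets.
#
# NOTE(review): every third-party action below is referenced by a
# floating tag (@v4, @stable, @v1, @v2). Tags are mutable; for a
# security workflow prefer pinning each `uses:` to a full commit SHA
# (keep the tag in a trailing comment) and let Dependabot/Renovate
# bump the pins. SHAs are deliberately not filled in here — look them
# up from each action's release page.
name: Security Audit

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Sundays at midnight (UTC)
    - cron: '0 0 * * 0'

# Least privilege for GITHUB_TOKEN: the default job token can be
# repo-write depending on repository settings. Nothing here needs to
# write to the repo, so restrict it globally; jobs that need more
# (secrets-scan) declare their own block.
permissions:
  contents: read

jobs:
  # ============================================================================
  # Vulnerability Scanning
  # ============================================================================
  cargo-audit:
    name: Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        # NOTE(review): confirm this action reference resolves; the
        # widely used toolchain installer from the same author is
        # `dtolnay/rust-toolchain`.
        uses: dtolnay/rust-action@stable
      - name: Install cargo-audit
        # `--locked` makes the tool's own dependency tree reproducible
        # (uses its shipped Cargo.lock). The tool version itself still
        # floats; add `--version X.Y.Z` if a fully pinned toolchain is
        # wanted.
        run: cargo install cargo-audit --locked
      - name: Run cargo-audit
        # Warnings (unmaintained / yanked / informational advisories)
        # fail the job, not just vulnerabilities.
        run: cargo audit --deny warnings

  # ============================================================================
  # License & Policy Check
  # ============================================================================
  cargo-deny:
    name: License & Security Policy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run cargo-deny
        # Policy (advisories, licenses, bans, sources) is read from
        # deny.toml at the repository root.
        uses: EmbarkStudios/cargo-deny-action@v1
        with:
          command: check all

  # ============================================================================
  # Static Analysis
  # ============================================================================
  clippy:
    name: Static Analysis (Clippy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-action@stable
        with:
          components: clippy
      - name: Run Clippy
        # unwrap/expect are denied so panics on untrusted input cannot
        # be introduced silently; pedantic is advisory (warn) only.
        run: |
          cargo clippy --all-targets --all-features -- \
            -D warnings \
            -D clippy::unwrap_used \
            -D clippy::expect_used \
            -W clippy::pedantic

  # ============================================================================
  # Secret Scanning
  # ============================================================================
  secrets-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    # The workflow-level token is contents:read. gitleaks-action uses
    # GITHUB_TOKEN to read the commits of a PR via the API on
    # pull_request events — NOTE(review): confirm pull-requests:read is
    # the minimal extra scope it needs; it is read-only either way.
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so gitleaks scans every commit, not just HEAD.
          fetch-depth: 0
      - name: Detect secrets with gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # ============================================================================
  # Dependency Freshness
  # ============================================================================
  outdated:
    name: Check Outdated Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-action@stable
      - name: Install cargo-outdated
        run: cargo install cargo-outdated --locked
      - name: Check outdated
        # Advisory only: an outdated direct dependency is reported
        # (exit code 1 shows as a failed step) but does not block merges.
        run: cargo outdated --root-deps-only --exit-code 1
        continue-on-error: true

  # ============================================================================
  # Unsafe Code Detection
  # ============================================================================
  geiger:
    name: Unsafe Code Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-action@stable
      - name: Install cargo-geiger
        run: cargo install cargo-geiger --locked
      - name: Run cargo-geiger
        # Advisory only: reports the ratio of unsafe code per crate;
        # it does not fail the workflow.
        run: cargo geiger --output-format Ratio
        continue-on-error: true

  # ============================================================================
  # Property Tests
  # ============================================================================
  property-tests:
    name: Property-Based Testing
    runs-on: ubuntu-latest
    env:
      # Number of cases per proptest property (higher than the default
      # to widen coverage in CI).
      PROPTEST_CASES: "500"
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-action@stable
      - name: Run property tests
        # Only tests whose name contains "proptest"; single-threaded
        # so proptest failure output stays readable.
        run: cargo test --release proptest -- --test-threads=1

  # ============================================================================
  # WASM Security
  # ============================================================================
  wasm-audit:
    name: WASM Module Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-action@stable
        with:
          targets: wasm32-unknown-unknown
      - name: Install wasm-pack
        # Previously `curl https://…/init.sh | sh`: an unpinned,
        # unverified remote script executed on the runner — a supply-
        # chain hole in a workflow whose purpose is supply-chain hygiene.
        # wasm-pack is published on crates.io, so install it the same
        # way as every other tool in this file.
        run: cargo install wasm-pack --locked
      - name: Build WASM
        working-directory: crates/synor-crypto-wasm
        run: wasm-pack build --target bundler --release
      - name: Check WASM size
        run: |
          set -euo pipefail
          # wasm-pack names the artifact `<lib name>_bg.wasm`;
          # NOTE(review): confirm `synor_crypto` matches the crate's
          # [lib] name, otherwise the path below never exists.
          WASM_FILE="crates/synor-crypto-wasm/pkg/synor_crypto_bg.wasm"
          # A missing artifact is a build failure, not a pass. The old
          # check was wrapped in `if [ -f … ]`, so a build that produced
          # no .wasm at all (or a renamed one) sailed through green.
          if [ ! -f "$WASM_FILE" ]; then
            echo "::error::expected WASM artifact not found: $WASM_FILE"
            exit 1
          fi
          WASM_SIZE=$(wc -c < "$WASM_FILE")
          echo "WASM size: $WASM_SIZE bytes"
          # Fail if over 1 MiB (1048576 bytes)
          if [ "$WASM_SIZE" -gt 1048576 ]; then
            echo "::error::WASM module too large"
            exit 1
          fi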