saving in place

2025-10-04 09:31:02 -05:00
parent 76c1b5cee1
commit f358f49aa9
295 changed files with 72071 additions and 17209 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -0,0 +1,247 @@
+name: Security Testing
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run security scan daily at 2 AM UTC
+    - cron: '0 2 * * *'
+
+env:
+  GO_VERSION: '1.24'
+
+jobs:
+  static-analysis:
+    name: Static Security Analysis
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Download dependencies
+      run: go mod download
+
+    - name: Run gosec Security Scanner
+      uses: securecodewarrior/github-action-gosec@master
+      with:
+        args: '-fmt sarif -out gosec-results.sarif ./...'
+      continue-on-error: true
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v2
+      if: always()
+      with:
+        sarif_file: gosec-results.sarif
+
+    - name: Run govulncheck
+      run: |
+        go install golang.org/x/vuln/cmd/govulncheck@latest
+        govulncheck ./...
+
+    - name: Run golangci-lint with security focus
+      uses: golangci/golangci-lint-action@v3
+      with:
+        version: latest
+        args: --enable=gosec,gocritic,ineffassign,misspell,unparam --timeout=10m
+
+  dependency-scan:
+    name: Dependency Vulnerability Scan
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Run Nancy (Dependency Vulnerability Scanner)
+      run: |
+        go install github.com/sonatypecommunity/nancy@latest
+        go list -json -m all | nancy sleuth --exclude-vulnerability-file .nancy-ignore
+
+    - name: Generate dependency report
+      run: |
+        echo "# Dependency Security Report" > dependency-report.md
+        echo "Generated on: $(date)" >> dependency-report.md
+        echo "" >> dependency-report.md
+        echo "## Direct Dependencies" >> dependency-report.md
+        go list -m all | grep -v "^github.com/fraktal/mev-beta" >> dependency-report.md
+
+    - name: Upload dependency report
+      uses: actions/upload-artifact@v3
+      with:
+        name: dependency-report
+        path: dependency-report.md
+
+  security-tests:
+    name: Security Tests & Fuzzing
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Create required directories
+      run: |
+        mkdir -p logs keystore test_keystore benchmark_keystore test_concurrent_keystore
+
+    - name: Run security unit tests
+      run: go test -v -race ./pkg/security/
+
+    - name: Run fuzzing tests (short)
+      run: |
+        go test -fuzz=FuzzRPCResponseParser -fuzztime=30s ./pkg/security/
+        go test -fuzz=FuzzKeyValidation -fuzztime=30s ./pkg/security/
+        go test -fuzz=FuzzInputValidator -fuzztime=30s ./pkg/security/
+
+    - name: Run race condition tests
+      run: go test -race -run=TestConcurrent ./...
+
+    - name: Run security benchmarks
+      run: go test -bench=BenchmarkSecurity -benchmem ./pkg/security/
+
+  integration-security:
+    name: Integration Security Tests
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+
+    - name: Create required directories and files
+      run: |
+        mkdir -p logs keystore
+        echo "MEV_BOT_ENCRYPTION_KEY=integration_test_key_32_characters" > .env.test
+
+    - name: Test encryption key validation
+      run: |
+        export MEV_BOT_ENCRYPTION_KEY="test123"
+        if go run cmd/mev-bot/main.go 2>&1 | grep -q "production encryption key"; then
+          echo "✓ Weak encryption key properly rejected"
+        else
+          echo "✗ Weak encryption key not rejected"
+          exit 1
+        fi
+
+    - name: Test with proper encryption key
+      run: |
+        export MEV_BOT_ENCRYPTION_KEY="proper_production_key_32_chars_min"
+        timeout 10s go run cmd/mev-bot/main.go || true
+        echo "✓ Application accepts strong encryption key"
+
+    - name: Test configuration security
+      run: |
+        # Test that the application rejects configurations with security issues
+        echo "Testing keystore security..."
+        export MEV_BOT_KEYSTORE_PATH="/tmp/insecure"
+        if go run cmd/mev-bot/main.go 2>&1 | grep -q "publicly accessible"; then
+          echo "✓ Insecure keystore path properly rejected"
+        else
+          echo "Warning: Insecure keystore path validation may need improvement"
+        fi
+
+  secret-scanning:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Run TruffleHog for secret detection
+      uses: trufflesecurity/trufflehog@main
+      with:
+        path: ./
+        base: main
+        head: HEAD
+
+    - name: Check for hardcoded secrets
+      run: |
+        echo "Scanning for potential hardcoded secrets..."
+
+        # Look for common secret patterns
+        if grep -r -i "password.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "PASSWORD_PLACEHOLDER"; then
+          echo "Warning: Found potential hardcoded passwords"
+        fi
+
+        if grep -r -i "secret.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "SECRET_PLACEHOLDER"; then
+          echo "Warning: Found potential hardcoded secrets"
+        fi
+
+        if grep -r -i "key.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v -E "(public|test|example|placeholder)"; then
+          echo "Warning: Found potential hardcoded keys"
+        fi
+
+        echo "Secret scan completed"
+
+  security-report:
+    name: Generate Security Report
+    needs: [static-analysis, dependency-scan, security-tests, integration-security]
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Generate comprehensive security report
+      run: |
+        cat > security-report.md << 'EOF'
+        # MEV Bot Security Report
+
+        **Generated**: $(date)
+        **Branch**: ${{ github.ref }}
+        **Commit**: ${{ github.sha }}
+
+        ## Security Test Results
+
+        - **Static Analysis**: ${{ needs.static-analysis.result }}
+        - **Dependency Scan**: ${{ needs.dependency-scan.result }}
+        - **Security Tests**: ${{ needs.security-tests.result }}
+        - **Integration Tests**: ${{ needs.integration-security.result }}
+
+        ## Recommendations
+
+        1. **Encryption Keys**: Ensure production uses strong, unique encryption keys
+        2. **Dependencies**: Regularly update dependencies to patch vulnerabilities
+        3. **Code Review**: All security-sensitive changes require review
+        4. **Monitoring**: Enable runtime security monitoring in production
+
+        ## Next Steps
+
+        - [ ] Address any failing security tests
+        - [ ] Update vulnerable dependencies
+        - [ ] Conduct manual security review for critical changes
+        - [ ] Schedule quarterly external security audit
+
+        EOF
+
+    - name: Upload security report
+      uses: actions/upload-artifact@v3
+      with:
+        name: security-report
+        path: security-report.md
+
+    - name: Comment on PR (if applicable)
+      if: github.event_name == 'pull_request'
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const fs = require('fs');
+          const report = fs.readFileSync('security-report.md', 'utf8');
+
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: `## 🔒 Security Test Results\n\n${report}`
+          });