247 lines
7.5 KiB
YAML
247 lines
7.5 KiB
YAML
name: Security Testing
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
schedule:
|
|
# Run security scan daily at 2 AM UTC
|
|
- cron: '0 2 * * *'
|
|
|
|
env:
|
|
GO_VERSION: '1.24'
|
|
|
|
jobs:
|
|
static-analysis:
|
|
name: Static Security Analysis
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v4
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- name: Download dependencies
|
|
run: go mod download
|
|
|
|
- name: Run gosec Security Scanner
|
|
uses: securecodewarrior/github-action-gosec@master
|
|
with:
|
|
args: '-fmt sarif -out gosec-results.sarif ./...'
|
|
continue-on-error: true
|
|
|
|
- name: Upload SARIF file
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
if: always()
|
|
with:
|
|
sarif_file: gosec-results.sarif
|
|
|
|
- name: Run govulncheck
|
|
run: |
|
|
go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
govulncheck ./...
|
|
|
|
- name: Run golangci-lint with security focus
|
|
uses: golangci/golangci-lint-action@v3
|
|
with:
|
|
version: latest
|
|
args: --enable=gosec,gocritic,ineffassign,misspell,unparam --timeout=10m
|
|
|
|
dependency-scan:
|
|
name: Dependency Vulnerability Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v4
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- name: Run Nancy (Dependency Vulnerability Scanner)
|
|
run: |
|
|
go install github.com/sonatypecommunity/nancy@latest
|
|
go list -json -m all | nancy sleuth --exclude-vulnerability-file .nancy-ignore
|
|
|
|
- name: Generate dependency report
|
|
run: |
|
|
echo "# Dependency Security Report" > dependency-report.md
|
|
echo "Generated on: $(date)" >> dependency-report.md
|
|
echo "" >> dependency-report.md
|
|
echo "## Direct Dependencies" >> dependency-report.md
|
|
go list -m all | grep -v "^github.com/fraktal/mev-beta" >> dependency-report.md
|
|
|
|
- name: Upload dependency report
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: dependency-report
|
|
path: dependency-report.md
|
|
|
|
security-tests:
|
|
name: Security Tests & Fuzzing
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v4
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- name: Create required directories
|
|
run: |
|
|
mkdir -p logs keystore test_keystore benchmark_keystore test_concurrent_keystore
|
|
|
|
- name: Run security unit tests
|
|
run: go test -v -race ./pkg/security/
|
|
|
|
- name: Run fuzzing tests (short)
|
|
run: |
|
|
go test -fuzz=FuzzRPCResponseParser -fuzztime=30s ./pkg/security/
|
|
go test -fuzz=FuzzKeyValidation -fuzztime=30s ./pkg/security/
|
|
go test -fuzz=FuzzInputValidator -fuzztime=30s ./pkg/security/
|
|
|
|
- name: Run race condition tests
|
|
run: go test -race -run=TestConcurrent ./...
|
|
|
|
- name: Run security benchmarks
|
|
run: go test -bench=BenchmarkSecurity -benchmem ./pkg/security/
|
|
|
|
integration-security:
|
|
name: Integration Security Tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v4
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- name: Create required directories and files
|
|
run: |
|
|
mkdir -p logs keystore
|
|
echo "MEV_BOT_ENCRYPTION_KEY=integration_test_key_32_characters" > .env.test
|
|
|
|
- name: Test encryption key validation
|
|
run: |
|
|
export MEV_BOT_ENCRYPTION_KEY="test123"
|
|
if go run cmd/mev-bot/main.go 2>&1 | grep -q "production encryption key"; then
|
|
echo "✓ Weak encryption key properly rejected"
|
|
else
|
|
echo "✗ Weak encryption key not rejected"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Test with proper encryption key
|
|
run: |
|
|
export MEV_BOT_ENCRYPTION_KEY="proper_production_key_32_chars_min"
|
|
timeout 10s go run cmd/mev-bot/main.go || true
|
|
echo "✓ Application accepts strong encryption key"
|
|
|
|
- name: Test configuration security
|
|
run: |
|
|
# Test that the application rejects configurations with security issues
|
|
echo "Testing keystore security..."
|
|
export MEV_BOT_KEYSTORE_PATH="/tmp/insecure"
|
|
if go run cmd/mev-bot/main.go 2>&1 | grep -q "publicly accessible"; then
|
|
echo "✓ Insecure keystore path properly rejected"
|
|
else
|
|
echo "Warning: Insecure keystore path validation may need improvement"
|
|
fi
|
|
|
|
secret-scanning:
|
|
name: Secret Scanning
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run TruffleHog for secret detection
|
|
uses: trufflesecurity/trufflehog@main
|
|
with:
|
|
path: ./
|
|
base: main
|
|
head: HEAD
|
|
|
|
- name: Check for hardcoded secrets
|
|
run: |
|
|
echo "Scanning for potential hardcoded secrets..."
|
|
|
|
# Look for common secret patterns
|
|
if grep -r -i "password.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "PASSWORD_PLACEHOLDER"; then
|
|
echo "Warning: Found potential hardcoded passwords"
|
|
fi
|
|
|
|
if grep -r -i "secret.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "SECRET_PLACEHOLDER"; then
|
|
echo "Warning: Found potential hardcoded secrets"
|
|
fi
|
|
|
|
if grep -r -i "key.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v -E "(public|test|example|placeholder)"; then
|
|
echo "Warning: Found potential hardcoded keys"
|
|
fi
|
|
|
|
echo "Secret scan completed"
|
|
|
|
security-report:
|
|
name: Generate Security Report
|
|
needs: [static-analysis, dependency-scan, security-tests, integration-security]
|
|
runs-on: ubuntu-latest
|
|
if: always()
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Generate comprehensive security report
|
|
run: |
|
|
cat > security-report.md << 'EOF'
|
|
# MEV Bot Security Report
|
|
|
|
**Generated**: $(date)
|
|
**Branch**: ${{ github.ref }}
|
|
**Commit**: ${{ github.sha }}
|
|
|
|
## Security Test Results
|
|
|
|
- **Static Analysis**: ${{ needs.static-analysis.result }}
|
|
- **Dependency Scan**: ${{ needs.dependency-scan.result }}
|
|
- **Security Tests**: ${{ needs.security-tests.result }}
|
|
- **Integration Tests**: ${{ needs.integration-security.result }}
|
|
|
|
## Recommendations
|
|
|
|
1. **Encryption Keys**: Ensure production uses strong, unique encryption keys
|
|
2. **Dependencies**: Regularly update dependencies to patch vulnerabilities
|
|
3. **Code Review**: All security-sensitive changes require review
|
|
4. **Monitoring**: Enable runtime security monitoring in production
|
|
|
|
## Next Steps
|
|
|
|
- [ ] Address any failing security tests
|
|
- [ ] Update vulnerable dependencies
|
|
- [ ] Conduct manual security review for critical changes
|
|
- [ ] Schedule quarterly external security audit
|
|
|
|
EOF
|
|
|
|
- name: Upload security report
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: security-report
|
|
path: security-report.md
|
|
|
|
- name: Comment on PR (if applicable)
|
|
if: github.event_name == 'pull_request'
|
|
uses: actions/github-script@v6
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
const report = fs.readFileSync('security-report.md', 'utf8');
|
|
|
|
github.rest.issues.createComment({
|
|
issue_number: context.issue.number,
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
body: `## 🔒 Security Test Results\n\n${report}`
|
|
}); |