pezkuwichain/pwap
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pwap.git synced 2026-04-22 05:37:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add comprehensive GitHub security integration

Browse Source 
Security Infrastructure:
- Add .gitattributes for merge conflict protection and sensitive file handling
- Add SECURITY.md with detailed security policies and procedures
- Add pre-commit hook template for local secret detection
- Add GitHub Actions workflow for automated security scanning
- Add comprehensive documentation for git hooks

Code Security Improvements:
- Fix AuthContext.tsx: Remove hardcoded credentials, use environment variables
- Migrate WalletContext.tsx: Replace Ethereum/MetaMask with Polkadot.js
- Refactor lib/wallet.ts: Complete Substrate configuration with asset management
- Update TokenSwap.tsx: Add real API integration for balance queries
- Update StakingDashboard.tsx: Add blockchain integration placeholders

Environment Management:
- Update .env with proper security warnings
- Update .env.example with comprehensive template
- All sensitive data now uses environment variables
- Demo mode controllable via VITE_ENABLE_DEMO_MODE flag

Security Measures Implemented:
 4-layer protection (gitignore + gitattributes + pre-commit + CI/CD)
 Automated secret scanning (TruffleHog + Gitleaks)
 Pre-commit hooks prevent accidental commits
 CI/CD pipeline validates all PRs
 Environment variable validation
 Dependency security auditing

Breaking Changes:
- WalletContext now uses Polkadot.js instead of MetaMask
- lib/wallet.ts completely rewritten for Substrate
- ASSET_IDs and CHAIN_CONFIG exported from lib/wallet.ts
- Demo mode must be explicitly enabled

Migration Notes:
- Install pre-commit hook: cp .git-hooks/pre-commit.example .git/hooks/pre-commit
- Copy environment: cp .env.example .env
- Update .env with your credentials
- Enable GitHub Actions in repository settings

Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Kurdistan Tech Ministry
2025-10-28 21:48:48 +03:00
parent e5a15e29b9
commit 159700eade
13 changed files with 1652 additions and 299 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.git-hooks/README.md
+251
View File
@@ -0,0 +1,251 @@
# Git Hooks - PezkuwiChain
## =Ë Overview
This directory contains Git hook templates that help prevent security issues and maintain code quality.
---
## =' Installation
### Quick Install (Recommended)
Run this command from the project root:
```bash
cp .git-hooks/pre-commit.example .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```
### Verify Installation
```bash
# Check if hook is installed
ls -la .git/hooks/pre-commit
# Test the hook
git add .
git commit -m "test" --dry-run
```
---
## =Ú Available Hooks
### pre-commit
**Purpose:** Prevents committing sensitive data and enforces code quality
**Checks:**
- L Blocks `.env` files from being committed
- L Blocks files with sensitive patterns (passwords, API keys, etc.)
- L Blocks secret files (.key, .pem, .cert, etc.)
-   Warns about large files (>500KB)
-   Warns about debug code (console.log, debugger)
-   Warns about hardcoded credentials
**Example output:**
```
=
Running pre-commit security checks...
Checking for .env files...
Scanning for sensitive patterns...
Checking for secret files...
Checking for large files...
Checking for debug code...
 All security checks passed!
```
---
## =à Configuration
### Bypass Hook (Not Recommended)
If you absolutely need to bypass the hook:
```bash
git commit --no-verify -m "message"
```
  **WARNING:** Only bypass if you're sure there are no secrets!
### Customize Checks
Edit `.git-hooks/pre-commit.example` and adjust:
- `PATTERNS` - Secret detection patterns
- `SECRET_FILES` - File patterns to block
- `MAX_FILE_SIZE` - Maximum file size in KB
- `DEBUG_PATTERNS` - Debug code patterns
---
## >ê Testing
### Test with Sample Commits
```bash
# Test 1: Try to commit .env (should fail)
echo "SECRET=test" > .env
git add .env
git commit -m "test"
# Expected: L ERROR: Attempting to commit .env file!
# Test 2: Try to commit hardcoded password (should fail)
echo 'const password = "mysecret123"' >> test.ts
git add test.ts
git commit -m "test"
# Expected: L ERROR: Potential secrets detected!
# Test 3: Normal commit (should pass)
echo 'const x = 1' >> test.ts
git add test.ts
git commit -m "test"
# Expected:  All security checks passed!
```
---
## =
What Each Check Does
### 1. `.env` File Check
```bash
# Blocks any .env file
.env
.env.local
.env.production
.env.staging
```
### 2. Sensitive Pattern Detection
Searches for patterns like:
- `password = "..."`
- `api_key = "..."`
- `secret = "..."`
- `token = "..."`
- Private key headers
- AWS access keys
### 3. Secret File Detection
Blocks files matching:
- `*.key`, `*.pem`, `*.cert`
- `*.p12`, `*.pfx`
- `*secret*`, `*credential*`
- `.npmrc`, `.dockercfg`
### 4. Large File Warning
Warns if file is larger than 500KB:
```
  WARNING: Large file detected: image.png (1024KB)
Consider using Git LFS for large files
```
### 5. Debug Code Detection
Warns about:
- `console.log()`
- `debugger`
- `TODO security`
- `FIXME security`
### 6. Hardcoded Credentials Check
Special check for `AuthContext.tsx`:
```typescript
// L BAD - Will be blocked
const password = "mysecret123"
//  GOOD - Will pass
const password = import.meta.env.VITE_PASSWORD
```
---
## =¨ Troubleshooting
### Hook Not Running
```bash
# Check if hook exists
ls -la .git/hooks/pre-commit
# Check if executable
chmod +x .git/hooks/pre-commit
# Verify hook content
cat .git/hooks/pre-commit
```
### False Positives
If the hook incorrectly flags a file:
1. Review the pattern that triggered
2. Confirm the file is safe
3. Use `--no-verify` to bypass (with caution)
4. Update the pattern in `.git-hooks/pre-commit.example`
### Hook Errors
```bash
# If hook fails to run
bash -x .git/hooks/pre-commit
# Check for syntax errors
bash -n .git/hooks/pre-commit
```
---
## =Ê Integration with CI/CD
The pre-commit hook works alongside:
### GitHub Actions
- `.github/workflows/security-check.yml` - Automated security scanning
- Runs on every PR and push to main
- Catches issues missed locally
### Pre-push Hook (Optional)
You can also add a pre-push hook:
```bash
# .git-hooks/pre-push.example
#!/bin/bash
npm test
npm run lint
```
---
## = Best Practices
1. **Install hooks immediately** after cloning the repo
2. **Never use `--no-verify`** unless absolutely necessary
3. **Keep hooks updated** - run `git pull` regularly
4. **Test hooks** before committing important changes
5. **Report false positives** to improve the hook
---
## =Ú Additional Resources
### Git Hooks Documentation
- [Git Hooks Official Docs](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks)
- [Pre-commit Framework](https://pre-commit.com/)
### Security Tools
- [git-secrets](https://github.com/awslabs/git-secrets)
- [gitleaks](https://github.com/zricethezav/gitleaks)
- [TruffleHog](https://github.com/trufflesecurity/trufflehog)
---
## <˜ Support
If you encounter issues:
1. Check this README
2. Review `SECURITY.md` in project root
3. Contact: security@pezkuwichain.io
---
.git-hooks/pre-commit.example
Executable
+177
View File
@@ -0,0 +1,177 @@
#!/bin/bash
# ========================================
# Pre-commit Hook for PezkuwiChain
# ========================================
# This hook prevents committing sensitive data
#
# INSTALLATION:
# cp .git-hooks/pre-commit.example .git/hooks/pre-commit
# chmod +x .git/hooks/pre-commit
set -e
# Colors for output
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
echo "=
Running pre-commit security checks..."
# ========================================
# 1. CHECK FOR .ENV FILES
# ========================================
echo "Checking for .env files..."
if git diff --cached --name-only | grep -E "^\.env$"; then
echo -e "${RED}L ERROR: Attempting to commit .env file!${NC}"
echo -e "${YELLOW}The .env file contains sensitive data and should never be committed.${NC}"
echo ""
echo "To fix this:"
echo " git reset HEAD .env"
echo " git add .env.example # Commit the example file instead"
exit 1
fi
if git diff --cached --name-only | grep -E "^\.env\.(local|production|staging)$"; then
echo -e "${RED}L ERROR: Attempting to commit environment-specific .env file!${NC}"
exit 1
fi
# ========================================
# 2. CHECK FOR SENSITIVE PATTERNS
# ========================================
echo "Scanning for sensitive patterns..."
# Patterns to search for
PATTERNS=(
"password\s*=\s*['\"][^'\"]*['\"]"
"api[_-]?key\s*=\s*['\"][^'\"]*['\"]"
"secret\s*=\s*['\"][^'\"]*['\"]"
"token\s*=\s*['\"][^'\"]*['\"]"
"private[_-]?key"
"BEGIN RSA PRIVATE KEY"
"BEGIN PRIVATE KEY"
"aws_secret_access_key"
"AKIA[0-9A-Z]{16}"
)
FOUND_SECRETS=false
for pattern in "${PATTERNS[@]}"; do
if git diff --cached | grep -iE "$pattern" > /dev/null; then
if [ "$FOUND_SECRETS" = false ]; then
echo -e "${RED}L ERROR: Potential secrets detected in staged files!${NC}"
FOUND_SECRETS=true
fi
echo -e "${YELLOW}Found pattern: $pattern${NC}"
fi
done
if [ "$FOUND_SECRETS" = true ]; then
echo ""
echo -e "${YELLOW}Detected patterns that might contain secrets.${NC}"
echo "Please review your changes and ensure no sensitive data is being committed."
echo ""
echo "To bypass this check (NOT RECOMMENDED):"
echo " git commit --no-verify"
exit 1
fi
# ========================================
# 3. CHECK FOR COMMON SECRET FILES
# ========================================
echo "Checking for secret files..."
SECRET_FILES=(
"*.key"
"*.pem"
"*.cert"
"*.p12"
"*.pfx"
"*secret*"
"*credential*"
".npmrc"
".dockercfg"
".docker/config.json"
)
for file_pattern in "${SECRET_FILES[@]}"; do
if git diff --cached --name-only | grep -i "$file_pattern" > /dev/null; then
echo -e "${RED}L ERROR: Attempting to commit secret file matching: $file_pattern${NC}"
echo "These files should be added to .gitignore"
exit 1
fi
done
# ========================================
# 4. CHECK FOR LARGE FILES
# ========================================
echo "Checking for large files..."
# Maximum file size in KB
MAX_FILE_SIZE=500
while IFS= read -r file; do
if [ -f "$file" ]; then
file_size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null)
file_size_kb=$((file_size / 1024))
if [ "$file_size_kb" -gt "$MAX_FILE_SIZE" ]; then
echo -e "${YELLOW}  WARNING: Large file detected: $file (${file_size_kb}KB)${NC}"
echo "Consider using Git LFS for large files"
fi
fi
done < <(git diff --cached --name-only)
# ========================================
# 5. CHECK FOR DEBUG CODE
# ========================================
echo "Checking for debug code..."
DEBUG_PATTERNS=(
"console\.log"
"debugger"
"TODO.*security"
"FIXME.*security"
"XXX.*security"
)
for pattern in "${DEBUG_PATTERNS[@]}"; do
if git diff --cached | grep -E "$pattern" > /dev/null; then
echo -e "${YELLOW}  WARNING: Found debug code: $pattern${NC}"
echo "Consider removing debug code before committing"
fi
done
# ========================================
# 6. VERIFY ENVIRONMENT VARIABLES USAGE
# ========================================
echo "Checking environment variable usage..."
# Check for direct credential usage instead of env vars
if git diff --cached | grep -E "(password|api[_-]?key|secret).*['\"][^'\"]{20,}['\"]" > /dev/null; then
echo -e "${YELLOW}  WARNING: Potential hardcoded credentials detected${NC}"
echo "Please use environment variables instead:"
echo " import.meta.env.VITE_API_KEY"
fi
# ========================================
# 7. CHECK SPECIFIC FILES
# ========================================
echo "Checking specific configuration files..."
# Check if AuthContext has hardcoded credentials
if git diff --cached -- "src/contexts/AuthContext.tsx" | grep -E "password.*:" | grep -vE "import\.meta\.env" > /dev/null; then
echo -e "${RED}L ERROR: AuthContext.tsx may contain hardcoded credentials${NC}"
echo "Ensure all credentials use environment variables"
exit 1
fi
# ========================================
# SUCCESS
# ========================================
echo -e "${GREEN} All security checks passed!${NC}"
echo ""