pezkuwichain/pwap
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pwap.git synced 2026-04-22 21:47:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
93767711d9bbdd31f236e7f4d25a458a2f60b59c
pwap/.github/workflows/security-check.yml
T
Workflow config file is invalid. Please check your config file: model.ReadWorkflow: yaml: control characters are not allowed
pezkuwichain 93767711d9 feat: Add comprehensive GitHub security integration 
Security Infrastructure:
- Add .gitattributes for merge conflict protection and sensitive file handling
- Add SECURITY.md with detailed security policies and procedures
- Add pre-commit hook template for local secret detection
- Add GitHub Actions workflow for automated security scanning
- Add comprehensive documentation for git hooks

Code Security Improvements:
- Fix AuthContext.tsx: Remove hardcoded credentials, use environment variables
- Migrate WalletContext.tsx: Replace Ethereum/MetaMask with Polkadot.js
- Refactor lib/wallet.ts: Complete Substrate configuration with asset management
- Update TokenSwap.tsx: Add real API integration for balance queries
- Update StakingDashboard.tsx: Add blockchain integration placeholders

Environment Management:
- Update .env with proper security warnings
- Update .env.example with comprehensive template
- All sensitive data now uses environment variables
- Demo mode controllable via VITE_ENABLE_DEMO_MODE flag

Security Measures Implemented:
 4-layer protection (gitignore + gitattributes + pre-commit + CI/CD)
 Automated secret scanning (TruffleHog + Gitleaks)
 Pre-commit hooks prevent accidental commits
 CI/CD pipeline validates all PRs
 Environment variable validation
 Dependency security auditing

Breaking Changes:
- WalletContext now uses Polkadot.js instead of MetaMask
- lib/wallet.ts completely rewritten for Substrate
- ASSET_IDs and CHAIN_CONFIG exported from lib/wallet.ts
- Demo mode must be explicitly enabled

Migration Notes:
- Install pre-commit hook: cp .git-hooks/pre-commit.example .git/hooks/pre-commit
- Copy environment: cp .env.example .env
- Update .env with your credentials
- Enable GitHub Actions in repository settings

Co-authored-by: Claude <noreply@anthropic.com>
2025-10-28 21:48:48 +03:00

252 lines
7.6 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
name: Security Check
# ========================================
# Automated Security Scanning
# ========================================
# This workflow runs on every PR and push to main
# to detect potential security issues
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
# Allow manual trigger
workflow_dispatch:
jobs:
# ========================================
# SECRET SCANNING
# ========================================
secret-scan:
name: Scan for Secrets
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better scanning
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified
- name: Gitleaks Secret Scan
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
# ========================================
# FILE VALIDATION
# ========================================
file-validation:
name: Validate Files
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Check for .env files
run: |
echo "Checking for .env files..."
if git ls-files | grep -E "^\.env$"; then
echo "L ERROR: .env file found in repository!"
exit 1
fi
echo " No .env files found"
- name: Check for sensitive files
run: |
echo "Checking for sensitive files..."
sensitive_patterns=(
"*.key"
"*.pem"
"*.cert"
"*.p12"
"*.pfx"
"*secret*"
"*credential*"
)
found_sensitive=false
for pattern in "${sensitive_patterns[@]}"; do
if git ls-files | grep -i "$pattern"; then
echo "  WARNING: Potential sensitive file found: $pattern"
found_sensitive=true
fi
done
if [ "$found_sensitive" = true ]; then
echo "Please review files above and ensure they're not sensitive"
exit 1
fi
echo " No sensitive files found"
- name: Verify .gitignore
run: |
echo "Verifying .gitignore contains .env..."
if ! grep -q "^\.env$" .gitignore; then
echo "L ERROR: .env not found in .gitignore!"
exit 1
fi
echo " .gitignore is properly configured"
# ========================================
# CODE QUALITY & SECURITY
# ========================================
code-security:
name: Code Security Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run ESLint Security Plugin
run: |
npm install --save-dev eslint-plugin-security
# Run eslint with security rules (if configured)
# npm run lint:security || true
continue-on-error: true
- name: Check for hardcoded secrets in code
run: |
echo "Scanning TypeScript files for potential secrets..."
# Check for potential hardcoded passwords
if grep -r -i "password.*=.*['\"][^'\"]\{8,\}['\"]" src/ --include="*.ts" --include="*.tsx"; then
echo "  WARNING: Potential hardcoded password found"
echo "Please use environment variables instead"
fi
# Check for API keys
if grep -r -E "api[_-]?key.*=.*['\"][^'\"]{20,}['\"]" src/ --include="*.ts" --include="*.tsx"; then
echo "  WARNING: Potential hardcoded API key found"
echo "Please use environment variables instead"
fi
echo " Code scan completed"
# ========================================
# DEPENDENCY SECURITY
# ========================================
dependency-security:
name: Dependency Security Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Run npm audit
run: |
npm audit --audit-level=moderate
continue-on-error: true
- name: Check for known vulnerabilities
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
# ========================================
# ENVIRONMENT VALIDATION
# ========================================
env-validation:
name: Environment Configuration Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Verify .env.example exists
run: |
if [ ! -f .env.example ]; then
echo "L ERROR: .env.example not found!"
echo "Please create .env.example with safe default values"
exit 1
fi
echo " .env.example exists"
- name: Check .env.example for secrets
run: |
echo "Checking .env.example for actual secrets..."
# .env.example should NOT contain real secrets
if grep -E "(password|key|secret|token)=.{20,}" .env.example; then
echo "  WARNING: .env.example may contain real credentials!"
echo "Example files should only have placeholder values"
exit 1
fi
echo " .env.example contains no real secrets"
- name: Validate environment variable usage
run: |
echo "Checking that environment variables are used correctly..."
# Check AuthContext for proper env var usage
if [ -f "src/contexts/AuthContext.tsx" ]; then
if grep -q "import.meta.env" src/contexts/AuthContext.tsx; then
echo " AuthContext uses environment variables"
else
echo "  WARNING: AuthContext may not be using environment variables"
fi
fi
# ========================================
# SUMMARY
# ========================================
security-summary:
name: Security Check Summary
needs: [secret-scan, file-validation, code-security, dependency-security, env-validation]
runs-on: ubuntu-latest
if: always()
steps:
- name: Security Summary
run: |
echo "======================================"
echo "Security Check Summary"
echo "======================================"
echo ""
echo "Secret Scan: ${{ needs.secret-scan.result }}"
echo "File Validation: ${{ needs.file-validation.result }}"
echo "Code Security: ${{ needs.code-security.result }}"
echo "Dependency Security: ${{ needs.dependency-security.result }}"
echo "Environment Validation: ${{ needs.env-validation.result }}"
echo ""
if [ "${{ needs.secret-scan.result }}" == "failure" ] || \
[ "${{ needs.file-validation.result }}" == "failure" ]; then
echo "L CRITICAL: Security issues detected!"
exit 1
fi
echo " All critical security checks passed"
Reference in New Issue View Git Blame Copy Permalink