forked from tronprotocol/wallet-cli
-
Notifications
You must be signed in to change notification settings - Fork 0
177 lines (145 loc) · 6.29 KB
/
ai-security-audit.yml
File metadata and controls
177 lines (145 loc) · 6.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: AI Security Audit
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
contents: read
pull-requests: write
jobs:
ai-security-audit:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check ANTHROPIC_API_KEY
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
if [ -z "$ANTHROPIC_API_KEY" ]; then
echo "::error::ANTHROPIC_API_KEY is not configured. Please add it to your repository secrets (Settings > Secrets and variables > Actions > New repository secret). The AI security audit cannot run without this key."
exit 1
fi
- name: Get PR diff
id: diff
env:
GH_TOKEN: ${{ github.token }}
run: |
gh pr diff ${{ github.event.pull_request.number }} > pr_diff.txt
echo "diff_size=$(wc -c < pr_diff.txt | tr -d ' ')" >> "$GITHUB_OUTPUT"
- name: Check diff size
id: check
run: |
if [ "${{ steps.diff.outputs.diff_size }}" -eq 0 ]; then
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "No diff found, skipping audit."
elif [ "${{ steps.diff.outputs.diff_size }}" -gt 200000 ]; then
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "Diff too large (>200KB), skipping AI audit."
else
echo "skip=false" >> "$GITHUB_OUTPUT"
fi
- name: Install Claude Code
if: steps.check.outputs.skip != 'true'
run: npm install -g @anthropic-ai/claude-code
- name: Run AI security audit
if: steps.check.outputs.skip != 'true'
id: audit
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
PROMPT=$(cat <<'AUDIT_PROMPT'
You are a senior security engineer performing a security audit on a pull request diff.
Analyze the following code diff and provide a structured security audit report.
Focus on these areas:
1. **Critical Vulnerabilities**: SQL injection, command injection, XSS, SSRF, deserialization flaws, path traversal
2. **Authentication & Authorization**: Broken auth, missing access controls, credential exposure
3. **Cryptography Issues**: Weak algorithms, hardcoded keys/secrets, improper random number generation
4. **Data Exposure**: Sensitive data leaks, PII exposure, excessive logging of secrets
5. **Dependency Risks**: Known vulnerable patterns, unsafe deserialization
6. **Blockchain-Specific**: Private key handling, transaction signing flaws, smart contract interaction risks, address validation
7. **Input Validation**: Missing or insufficient validation, type confusion, buffer issues
8. **Configuration & Infrastructure**: Insecure defaults, debug mode in production, permissive CORS
Output format (use GitHub-flavored Markdown):
## AI Security Audit Report
### Summary
[One-paragraph overall assessment with risk level: CRITICAL / HIGH / MEDIUM / LOW / CLEAN]
### Findings
For each finding:
#### [SEVERITY] Finding Title
- **File**: `filename:line_number`
- **Category**: [category from above]
- **Description**: What the issue is
- **Impact**: What could go wrong
- **Recommendation**: How to fix it
If no security issues are found, state that the code appears clean and list what was checked.
### Statistics
- Files analyzed: X
- Issues found: X (critical: X, high: X, medium: X, low: X)
---
*This report was generated by AI security audit. Please verify findings manually.*
Here is the diff to audit:
AUDIT_PROMPT
)
DIFF_CONTENT=$(cat pr_diff.txt)
FULL_PROMPT="${PROMPT}
\`\`\`diff
${DIFF_CONTENT}
\`\`\`"
# Run claude and capture output
AUDIT_RESULT=$(echo "$FULL_PROMPT" | claude -p --output-format text 2>&1) || true
# Save result to file (avoid shell escaping issues)
echo "$AUDIT_RESULT" > audit_result.md
- name: Post audit comment
if: steps.check.outputs.skip != 'true'
env:
GH_TOKEN: ${{ github.token }}
run: |
# Build comment body
{
echo "<!-- ai-security-audit -->"
echo ""
cat audit_result.md
} > comment_body.md
PR_NUMBER=${{ github.event.pull_request.number }}
# Delete previous audit comment if exists
EXISTING_COMMENT_ID=$(gh api \
"repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
--jq '.[] | select(.body | contains("<!-- ai-security-audit -->")) | .id' \
| head -1)
if [ -n "$EXISTING_COMMENT_ID" ]; then
gh api \
--method DELETE \
"repos/${{ github.repository }}/issues/comments/${EXISTING_COMMENT_ID}" \
|| true
fi
# Post new comment
gh pr comment "$PR_NUMBER" --body-file comment_body.md
- name: Post skip comment
if: steps.check.outputs.skip == 'true'
env:
GH_TOKEN: ${{ github.token }}
run: |
PR_NUMBER=${{ github.event.pull_request.number }}
REASON="No diff found"
if [ "${{ steps.diff.outputs.diff_size }}" -gt 200000 ]; then
REASON="Diff too large (>200KB) for AI audit"
fi
BODY="<!-- ai-security-audit -->
## AI Security Audit Report
**Skipped**: ${REASON}.
Please perform a manual security review."
# Delete previous audit comment if exists
EXISTING_COMMENT_ID=$(gh api \
"repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
--jq '.[] | select(.body | contains("<!-- ai-security-audit -->")) | .id' \
| head -1)
if [ -n "$EXISTING_COMMENT_ID" ]; then
gh api \
--method DELETE \
"repos/${{ github.repository }}/issues/comments/${EXISTING_COMMENT_ID}" \
|| true
fi
gh pr comment "$PR_NUMBER" --body "$BODY"