Fixing dependency problem #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Analysis | |
| on: | |
| push: | |
| branches: [ "main", "develop" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '0 6 * * 1' # Weekly on Monday at 6 AM UTC | |
| jobs: | |
| slither-solidity: | |
| name: Slither Analysis (Solidity) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Install Foundry manually | |
| run: | | |
| # Download foundry binaries directly | |
| mkdir -p $HOME/.foundry/bin | |
| curl -L https://github.com/foundry-rs/foundry/releases/download/nightly/foundry_nightly_linux_amd64.tar.gz | tar -xz -C $HOME/.foundry/bin | |
| chmod +x $HOME/.foundry/bin/* | |
| echo "$HOME/.foundry/bin" >> $GITHUB_PATH | |
| - name: Verify Foundry installation | |
| run: | | |
| export PATH="$HOME/.foundry/bin:$PATH" | |
| which forge | |
| forge --version | |
| - name: Install forge-std | |
| run: | | |
| export PATH="$HOME/.foundry/bin:$PATH" | |
| forge install foundry-rs/forge-std --no-commit || true | |
| - name: Run Slither | |
| uses: crytic/slither-action@v0.4.1 | |
| id: slither | |
| env: | |
| PATH: ${{ env.PATH }}:$HOME/.foundry/bin | |
| with: | |
| target: 'src/contracts' | |
| sarif: slither-results.sarif | |
| fail-on: none | |
| slither-args: '--exclude naming-convention,solc-version' | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: slither-results.sarif | |
| category: slither | |
| codeql-rust: | |
| name: CodeQL Analysis (Rust) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 360 | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'rust' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-extended,security-and-quality | |
| - name: Setup Rust | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| profile: minimal | |
| toolchain: stable | |
| override: true | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v3 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| combined-security-report: | |
| name: Security Report Summary | |
| runs-on: ubuntu-latest | |
| needs: [slither-solidity, codeql-rust] | |
| if: always() | |
| permissions: | |
| contents: read | |
| security-events: read | |
| steps: | |
| - name: Report Status | |
| run: | | |
| echo "## Security Analysis Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "- Slither (Solidity): ${{ needs.slither-solidity.result }}" >> $GITHUB_STEP_SUMMARY | |
| echo "- CodeQL (Rust): ${{ needs.codeql-rust.result }}" >> $GITHUB_STEP_SUMMARY |