aave · mpsc0x · Aug 14, 2025 · Aug 7, 2025 · Aug 7, 2025 · Aug 7, 2025
@@ -5,7 +5,7 @@ inputs:
   version:
     description: "Aptos CLI version to install"
     required: true
-    default: "7.2.0"
+    default: "7.7.0"
 
 runs:
   using: "composite"

@@ -38,7 +38,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
       - name: Run Aptos Create Local Testnet
         run: |
           make local-testnet &

@@ -39,12 +39,9 @@ jobs:
           sudo apt-get update -y
 
       - name: Install Aptos CLI
-        run: |
-          curl -fsSL "https://aptos.dev/scripts/install_cli.py" | python3
-          aptos --version
-          aptos update movefmt
-          echo 'Adding movefmt to PATH'
-          echo "$HOME/.aptos/bin" >> $GITHUB_PATH
+        uses: ./.github/actions/install-aptos-cli
+        with:
+          version: "7.7.0"
 
       - name: Install Node.js
         uses: actions/setup-node@v4
@@ -65,6 +62,8 @@ jobs:
 
       - name: Run Pre Commit
         uses: pre-commit/[email protected]
+        env:
+          SKIP: detect-secrets  # skip only this hook in CI; still runs locally
 
   fmt:
     name: fmt

@@ -0,0 +1,149 @@
+name: Security Scan
+
+on:
+  pull_request:
+  merge_group:
+    branches:
+      - main
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    name: Security Scanning
+    env:
+      GITLEAKS_VERSION: "8.28.0"  # pin gitleaks version
+      GITLEAKS_CONFIG: ".gitleaks.toml"  # config picked up automatically by gitleaks
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog OSS Secret Scanning
+        uses: trufflesecurity/trufflehog@main
+        with:
+          # Scan the entire repository
+          path: ./
+          # Only show verified secrets and unknown (high confidence)
+          extra_args: --results=verified,unknown
+
+      - name: Setup Python for detect-secrets
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install detect-secrets
+        run: |
+          pip install detect-secrets
+
+      - name: Run detect-secrets scan
+        run: |
+          # Check if baseline exists
+          if [ -f .secrets.baseline ]; then
+            echo "Running detect-secrets against baseline..."
+            detect-secrets scan --baseline .secrets.baseline
+          else
+            echo "No baseline found, creating one..."
+            detect-secrets scan --baseline .secrets.baseline --force-use-all-plugins || echo "Baseline created"
+            # Fail if new secrets found (baseline should be committed)
+            if [ -s .secrets.baseline ]; then
+              echo "❌ New secrets detected! Please review and commit updated baseline."
+              exit 1
+            fi
+          fi
+
+      - name: Custom Secret Patterns Check
+        run: |
+          echo "🔍 Checking for additional secret patterns..."
+
+          # Check for AWS keys
+          if grep -r -E "AKIA[0-9A-Z]{16}" . --exclude-dir=.git --exclude-dir=node_modules || \
+             grep -r -E "[0-9a-zA-Z/+]{40}" . --exclude-dir=.git --exclude-dir=node_modules --include="*.env*"; then
+            echo "❌ AWS credentials found!"
+            exit 1
+          fi
+
+          # Check for JWT tokens in code (not test files)
+          if find . -name "*.js" -o -name "*.ts" -o -name "*.py" -o -name "*.go" -o -name "*.rs" \
+             | grep -v test | grep -v spec | xargs grep -l "eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*" 2>/dev/null; then
+            echo "❌ JWT tokens found in source code!"
+            exit 1
+          fi
+
+          # Check .env files that might be accidentally committed
+          if find . -name "*.env" -not -name "*.env.example" -not -name "*.env.sample" -not -name "*.env.template" \
+             | grep -v node_modules | head -1 | grep -q .; then
+            echo "❌ .env files found in repository!"
+            echo "These files should be in .gitignore:"
+            find . -name "*.env" -not -name "*.env.example" -not -name "*.env.sample" -not -name "*.env.template" | grep -v node_modules
+            exit 1
+          fi
+
+          echo "✅ Custom secret checks passed!"
+
+      # ---- Gitleaks CLI pinned to 8.28.0 (no SARIF) ----
+      - name: Download Gitleaks v8.28.0 (linux_x64) + verify checksum
+        run: |
+          set -euo pipefail
+          TAR="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
+
+          echo "Downloading $TAR..."
+          curl -sSL "${BASE}/${TAR}" -o gitleaks.tar.gz
+          curl -sSL "${BASE}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
+
+          EXPECTED=$(grep "$TAR" checksums.txt | awk '{print $1}')
+          ACTUAL=$(sha256sum gitleaks.tar.gz | awk '{print $1}')
+          [ "$EXPECTED" = "$ACTUAL" ] || { echo "Checksum mismatch!"; exit 1; }
+
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+      # PRs: stage only changed files and scan staged diff (blocks on new leaks)
+      - name: Run Gitleaks on staged PR changes (blocking)
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          set -euo pipefail
+          # Ensure base is present and compute changed files
+          git fetch --no-tags --prune --depth=1 origin +refs/heads/${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
+          git diff --name-only origin/${{ github.base_ref }}..HEAD > /tmp/changed_files.txt
+          if [ -s /tmp/changed_files.txt ]; then
+            xargs -a /tmp/changed_files.txt git add
+            ./gitleaks protect --staged --no-banner --redact
+            xargs -a /tmp/changed_files.txt git reset
+          else
+            echo "No changed files; skipping."
+          fi
+
+      # Non-PR runs (e.g., merge_group/push): full scan, do not fail the job
+      - name: Run Gitleaks full scan (non-blocking)
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          ./gitleaks detect \
+            --source . \
+            --no-banner \
+            --redact || true
+
+  # Optional: Add Semgrep for additional security analysis
+  semgrep:
+    runs-on: ubuntu-latest
+    name: Semgrep Security Analysis
+    if: github.actor != 'dependabot[bot]'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          # Run security-focused rules
+          config: >-
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+        # If you don't have Semgrep token, it will run in offline mode
@@ -66,7 +66,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Set Aptos Workspace Config
         run: make set-workspace-config

@@ -54,7 +54,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Install Node.js
         uses: actions/setup-node@v4

@@ -41,7 +41,7 @@ jobs:
       - name: Install Aptos CLI
         uses: ./.github/actions/install-aptos-cli
         with:
-          version: "6.2.0"
+          version: "7.7.0"
 
       - name: Run Aptos Create Local Testnet
         run: |

@@ -0,0 +1,20 @@
+title = "Gitleaks Config (lean)"
+
+[allowlist]
+description = "Common non-secret noise"
+paths = [
+  '''(^|/)tests?(/|$)''',
+  '''(^|/)fixtures?(/|$)''',
+  '''(^|/)examples?(/|$)''',
+  '''(^|/)docs?(/|$)''',
+  '''(^|/)migrations?(/|$)''',
+  '''\.md$''',
+  '''package-lock\.json$''',
+  '''yarn\.lock$''',
+  '''pnpm-lock\.yaml$''',
+  '''\.png$''',
+  '''\.jpg$''',
+  '''\.jpeg$''',
+  '''\.gif$''',
+  '''\.svg$''',
+]
@@ -8,7 +8,20 @@ exclude: |
   (?x)^(
     CHANGELOG.md|
     pnpm-lock.yaml|
-    cov-reports
+    package-lock.json|
+    yarn.lock|
+    Cargo.lock|
+    poetry.lock|
+    Pipfile.lock|
+    cov-reports|
+    \.secrets\.baseline|
+    node_modules/.*|
+    vendor/.*|
+    coverage/.*|
+    build/.*|
+    dist/.*|
+    .*\.min\.(js|css)$|
+    .*\.bundle\.(js|css)$
   )$
 
 repos:
@@ -26,6 +39,46 @@ repos:
       - id: check-case-conflict
       - id: detect-private-key
 
+  # Enhanced secret detection
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        name: detect-secrets
+        description: Detect secrets in staged files
+        entry: detect-secrets-hook
+        language: python
+        types:
+          - text
+        args:
+          - --baseline
+          - .secrets.baseline
+        exclude: |
+          (?x)^(
+            \.secrets\.baseline|
+            \.env\.example.*|
+            \.env\.sample.*|
+            .*\.lock$|
+            .*\.log$|
+            pnpm-lock\.yaml|
+            package-lock\.json|
+            yarn\.lock|
+            Cargo\.lock|
+            poetry\.lock|
+            Pipfile\.lock|
+            .*\.min\.(js|css)$|
+            .*\.bundle\.(js|css)$|
+            node_modules/.*|
+            vendor/.*|
+            \.git/.*|
+            coverage/.*|
+            build/.*|
+            dist/.*
+          )$
+
+  # Note: TruffleHog runs in CI/CD pipeline via GitHub Actions
+  # See .github/workflows/security.yml for TruffleHog configuration
+
   - repo: local
     hooks:
       - id: format
@@ -35,6 +88,58 @@ repos:
         language: system
         pass_filenames: false
 
+      # Custom secret checks specific to your project
+      - id: check-env-secrets
+        name: check-env-secrets
+        description: Check .env files for potential secrets (staged files only)
+        entry: bash
+        args:
+          - -c
+          - |
+            # Only check staged .env files (not ignored files)
+            staged_env_files=$(git diff --staged --name-only --diff-filter=ACM | grep -E "\.env" | grep -v -E "\.(example|sample|template)" || true)
+            if [ -n "$staged_env_files" ]; then
+              for file in $staged_env_files; do
+                if [ -f "$file" ]; then
+                  echo "Checking staged file $file for secrets..."
+                  if grep -E "^[A-Z_]+=(sk_|pk_|ey[A-Za-z0-9]|[A-Za-z0-9+/]{20,})" "$file"; then
+                    echo "❌ Potential secret found in $file"
+                    exit 1
+                  fi
+                fi
+              done
+              echo "✅ No secrets found in staged .env files"
+            else
+              echo "✅ No .env files staged for commit"
+            fi
+        language: system
+        pass_filenames: false
+
+      - id: check-hardcoded-secrets
+        name: check-hardcoded-secrets
+        description: Check for hardcoded secrets in code files
+        entry: bash
+        args:
+          - -c
+          - |
+            # Check for common secret patterns in code
+            if git diff --staged --name-only | xargs grep -l -E "(api[_-]?key|secret[_-]?key|access[_-]?token|bearer[[:space:]]+[a-zA-Z0-9+/=]{20,})" 2>/dev/null; then
+              echo "❌ Potential hardcoded secret found in staged files"
+              echo "Please use environment variables or secure vaults instead"
+              exit 1
+            fi
+            echo "✅ No hardcoded secrets found"
+        language: system
+        pass_filenames: false
+        types:
+          - text
+        exclude: |
+          (?x)^(
+            .*\.(md|txt|json|lock|log)$|
+            .*test.*|
+            .*spec.*
+          )$
+
   - repo: https://github.com/lyz-code/yamlfix/
     rev: 1.17.0
     hooks: