11name : Parallel Security Scans
2-
32on :
43 push :
54 branches : [ main, develop, safe-improvements ]
1413 description : ' Run deep security scan'
1514 type : boolean
1615 default : false
17-
1816concurrency :
1917 group : ${{ github.workflow }}-${{ github.ref }}
2018 cancel-in-progress : true
21-
2219env :
2320 NODE_VERSION : ' 20'
24-
2521jobs :
26-
2722 # ===========================================================================
2823 # FAST PATH: Initial Analysis (runs on every PR/commit)
2924 # ===========================================================================
30-
3125 # --- Static code analysis: ESLint security plugin ---
3226 initial-eslint-security :
3327 name : ' [Fast] ESLint Security Plugin'
4337 npm install --no-save eslint-plugin-security || true
4438 npx eslint --plugin security --rule 'security/detect-object-injection: warn' . || true
4539 continue-on-error: true
46-
4740 # --- npm audit for dependency vulnerabilities ---
4841 initial-npm-audit :
4942 name : ' [Fast] npm Audit'
5750 - run : npm ci --legacy-peer-deps --force
5851 - run : npm audit --audit-level=high || true
5952 continue-on-error : true
60-
6153 # --- CodeQL: JavaScript/TypeScript ---
6254 initial-codeql :
6355 name : ' [Fast] CodeQL Analysis'
7870 uses : github/codeql-action/analyze@v3
7971 with :
8072 category : ' /language:javascript-typescript'
81-
8273 # --- Solidity: Slither quick scan (per PR) ---
8374 initial-slither :
8475 name : ' [Fast] Slither Quick Scan'
@@ -88,17 +79,20 @@ jobs:
8879 - uses : actions/setup-python@v5
8980 with :
9081 python-version : ' 3.11'
91- - run : pip install slither-analyzer
82+ - run : |
83+ # P4 fix: install solc so Slither can compile contracts
84+ pip install slither-analyzer solc-select
85+ solc-select install 0.8.19 && solc-select use 0.8.19 || true
9286 - name : Run Slither (critical detectors only)
9387 run : |
9488 find . -name '*.sol' -not -path '*/node_modules/*' | head -5 | \
95- xargs -I{} slither {} --detect reentrancy-eth,arbitrary-send,suicidal || true
89+ while read f; do
90+ slither "$f" --detect reentrancy-eth,arbitrary-send,suicidal || true
91+ done
9692 continue-on-error : true
97-
9893 # ===========================================================================
9994 # DEEP PATH: Comprehensive Analysis (scheduled / manual / label: deep-scan)
10095 # ===========================================================================
101-
10296 # --- Multi-chain parallel security scan ---
10397 deep-scan-eth :
10498 name : ' [Deep] ETH Chain Scan'
@@ -109,11 +103,19 @@ jobs:
109103 - uses : actions/setup-python@v5
110104 with :
111105 python-version : ' 3.11'
112- - run : pip install slither-analyzer mythril
106+ - run : |
107+ # P4 fix: install solc so Slither/Mythril can compile contracts
108+ pip install slither-analyzer mythril solc-select
109+ solc-select install 0.8.19 && solc-select use 0.8.19 || true
113110 - name : Slither full scan (ETH)
114111 run : |
112+ mkdir -p reports
113+ # P4 fix: write per-file JSON to avoid overwrites
115114 find . -name '*.sol' -not -path '*/node_modules/*' | \
116- xargs -I{} slither {} --json reports/slither-eth.json || true
115+ while read f; do
116+ SAFE=$(echo "$f" | tr '/' '_' | tr '.' '_')
117+ slither "$f" --json "reports/slither-eth-${SAFE}.json" || true
118+ done
117119 continue-on-error : true
118120 - name : Mythril symbolic execution (ETH)
119121 run : |
@@ -129,7 +131,6 @@ jobs:
129131 name : deep-scan-eth
130132 path : reports/
131133 retention-days : 30
132-
133134 deep-scan-bsc :
134135 name : ' [Deep] BSC Chain Scan'
135136 runs-on : ubuntu-latest
@@ -139,20 +140,26 @@ jobs:
139140 - uses : actions/setup-python@v5
140141 with :
141142 python-version : ' 3.11'
142- - run : pip install slither-analyzer
143+ - run : |
144+ # P4 fix: install solc so Slither can compile contracts
145+ pip install slither-analyzer solc-select
146+ solc-select install 0.8.19 && solc-select use 0.8.19 || true
143147 - name : Slither BSC configuration scan
144148 run : |
145149 mkdir -p reports
150+ # P4 fix: write per-file JSON to avoid overwrites
146151 find . -name '*.sol' -not -path '*/node_modules/*' | \
147- xargs -I{} slither {} --json reports/slither-bsc.json || true
152+ while read f; do
153+ SAFE=$(echo "$f" | tr '/' '_' | tr '.' '_')
154+ slither "$f" --json "reports/slither-bsc-${SAFE}.json" || true
155+ done
148156 continue-on-error : true
149157 - uses : actions/upload-artifact@v4
150158 if : always()
151159 with :
152160 name : deep-scan-bsc
153161 path : reports/
154162 retention-days : 30
155-
156163 deep-scan-polygon :
157164 name : ' [Deep] Polygon Chain Scan'
158165 runs-on : ubuntu-latest
@@ -162,20 +169,26 @@ jobs:
162169 - uses : actions/setup-python@v5
163170 with :
164171 python-version : ' 3.11'
165- - run : pip install slither-analyzer
172+ - run : |
173+ # P4 fix: install solc so Slither can compile contracts
174+ pip install slither-analyzer solc-select
175+ solc-select install 0.8.19 && solc-select use 0.8.19 || true
166176 - name : Slither Polygon scan
167177 run : |
168178 mkdir -p reports
179+ # P4 fix: write per-file JSON to avoid overwrites
169180 find . -name '*.sol' -not -path '*/node_modules/*' | \
170- xargs -I{} slither {} --json reports/slither-polygon.json || true
181+ while read f; do
182+ SAFE=$(echo "$f" | tr '/' '_' | tr '.' '_')
183+ slither "$f" --json "reports/slither-polygon-${SAFE}.json" || true
184+ done
171185 continue-on-error : true
172186 - uses : actions/upload-artifact@v4
173187 if : always()
174188 with :
175189 name : deep-scan-polygon
176190 path : reports/
177191 retention-days : 30
178-
179192 deep-scan-arbitrum :
180193 name : ' [Deep] Arbitrum Chain Scan'
181194 runs-on : ubuntu-latest
@@ -185,26 +198,35 @@ jobs:
185198 - uses : actions/setup-python@v5
186199 with :
187200 python-version : ' 3.11'
188- - run : pip install slither-analyzer
201+ - run : |
202+ # P4 fix: install solc so Slither can compile contracts
203+ pip install slither-analyzer solc-select
204+ solc-select install 0.8.19 && solc-select use 0.8.19 || true
189205 - name : Slither Arbitrum scan
190206 run : |
191207 mkdir -p reports
208+ # P4 fix: write per-file JSON to avoid overwrites
192209 find . -name '*.sol' -not -path '*/node_modules/*' | \
193- xargs -I{} slither {} --json reports/slither-arb.json || true
210+ while read f; do
211+ SAFE=$(echo "$f" | tr '/' '_' | tr '.' '_')
212+ slither "$f" --json "reports/slither-arb-${SAFE}.json" || true
213+ done
194214 continue-on-error : true
195215 - uses : actions/upload-artifact@v4
196216 if : always()
197217 with :
198218 name : deep-scan-arbitrum
199219 path : reports/
200220 retention-days : 30
201-
202221 # --- Aggregate deep scan results ---
203222 deep-scan-aggregate :
204223 name : ' [Deep] Aggregate Security Report'
205224 runs-on : ubuntu-latest
206225 needs : [ deep-scan-eth, deep-scan-bsc, deep-scan-polygon, deep-scan-arbitrum ]
207226 if : always() && (github.event_name == 'schedule' || github.event.inputs.deep_scan == 'true')
227+ # P4 fix: map secret to env var so it can be used in if-conditional
228+ env :
229+ SLACK_WEBHOOK_URL : ${{ secrets.SLACK_WEBHOOK_URL }}
208230 steps :
209231 - uses : actions/checkout@v4
210232 - name : Download all scan reports
@@ -232,8 +254,9 @@ jobs:
232254 path : summary.md
233255 retention-days : 90
234256 - name : Notify Slack on critical findings
235- if : ${{ secrets.SLACK_WEBHOOK_URL }}
257+ # P4 fix: check env var (mapped from secret) instead of secret directly
258+ if : env.SLACK_WEBHOOK_URL != ''
236259 run : |
237260 curl -X POST -H 'Content-type: application/json' \
238261 --data '{"text":"Security deep scan completed for Audityzer. Check artifacts for details."}' \
239- ${{ secrets. SLACK_WEBHOOK_URL }} || true
262+ "${ SLACK_WEBHOOK_URL}" || true
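Review bot: The webhook argument on the last line of the Slack step, `"${ SLACK_WEBHOOK_URL}"`, has a space after `${`; if that space is really in the file and not an artifact of this rendering (the removed line's `secrets. SLACK_WEBHOOK_URL` suggests the renderer does insert spaces), bash does not expand it as a parameter, so no notification is ever posted and the trailing `|| true` hides the failure. The line should read `"${SLACK_WEBHOOK_URL}" || true`, and adding `-sSf` to the curl call would at least log a rejected or malformed webhook even though the step stays green. The same silent-failure shape is introduced by the new solc-select lines in the Slither quick-scan and the four deep-scan jobs: `solc-select install 0.8.19 && solc-select use 0.8.19 || true` pins a single compiler release, so a contract whose pragma needs a different version presumably fails to compile and, with `|| true` on every slither invocation and `continue-on-error: true` on the step, the job uploads an empty or missing report without anything turning red. A cheap guard would be a final step that fails when `reports/` contains no `slither-*.json`, or deriving the solc version from the contract pragma instead of hard-coding it.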