Commit 3399aeb
Security scan, dependency audit, and repo hygiene (#203)
* Add LICENSE files, fix workspace license to GPL-3.0-only, and add license metadata
Add LICENSE-GPL3 and LICENSE-APACHE2 at the repo root. Set the workspace
default to GPL-3.0-only (runtime/node crates) and override to Apache-2.0
for library/SDK crates. Fix the repository URL to paritytech/web3-storage.
Add missing workspace metadata to file-system-primitives and
file-system-client. Add license fields to all package.json files.
* Add disclaimer, badges, security section, and fix license refs in READMEs
Add prototype/PoC warning banner, CI and license badges, and a Security
section pointing to the paritytech org-level policy to the root README.
Rewrite the root license section to describe the dual-license setup.
Update existing license references in sub-READMEs to link to the correct
LICENSE file, and add license footers to the 7 READMEs that were missing
them.
* Revise warnings and enhance badge visibility
Updated warning messages and added security and status badges.
* Update badge from Polkadot SDK to Substrate
* Update badge link from Polkadot SDK to Substrate
* Fix security badge URL, trailing whitespace, and disclaimer text
- Security badge now links to web3-storage/security (not
polkadot-bulletin-chain)
- Remove trailing whitespace on badge line
- Tighten disclaimer: concise but retains "not audited" and
"use at your own risk"
* Add SPDX license headers to all source files
GPL-3.0-only: provider-node, runtime, runtimes, user-interfaces (excl SDK)
Apache-2.0: pallet, primitives, client, precompiles, storage-interfaces,
user-interfaces/sdk/typescript, examples/papi
Closes #198 (part 3/3)
* Add CONTRIBUTING.md and sub-crate READMEs
Add CONTRIBUTING.md with setup instructions, PR process, code style,
dual-license table, and security policy. Add minimal READMEs to
pallet/, primitives/, provider-node/, and runtime/. Simplify the
Contributing section in the root README to point to CONTRIBUTING.md.
Closes part of #198.
* Add cargo-deny config, gitleaks baseline, and .gitignore fixes
Add deny.toml allowing all licenses found in the dependency tree.
Add .gitleaksignore to suppress false positives from well-known
Substrate dev account addresses in chain specs and docs.
Fix .gitignore: add desktop.ini, remove duplicate __pycache__ entry.
Audit results (PR 5 of #198):
- gitleaks: 9 findings, all false positives (Alice/Bob dev keys)
- cargo deny: all dependencies use permissive or GPL-compatible licenses
- JS deps: all permissive (MIT/Apache/ISC/BSD); 4 UNLICENSED are our own
packages that already declare Apache-2.0 in source package.json
- No git deps, no personal-namespace forks
- No hardcoded secrets, internal URLs, or stale CI scripts
- Google Doc link in docs/design/ is an intentionally public document
Closes #198.
* ci(security): add cargo-deny + gitleaks workflow
Adds a standalone security workflow that runs license/dependency auditing
(cargo-deny) and secret scanning (gitleaks) on push, PR, and weekly cron.
cargo-deny runs in the ci-unified image; gitleaks installs its binary on a
plain runner. Advisory checks are non-blocking on PRs to avoid DB drift.
* ci(security): run security scan daily instead of weekly
* ci(security): note daily cadence in schedule comment
* ci(security): suppress zizmor unpinned-images for security.yml
Same documented exception as check.yml — the container image is resolved at
runtime from the trusted .github/env via the set-image reusable workflow and
cannot be pinned to a digest in-line.
* ci(security): install current cargo-deny for CVSS v4.0 support
The cargo-deny bundled in the ci-unified image fails to load the advisory
database because it cannot parse RUSTSEC advisories using CVSS v4.0. Install
a current cargo-deny over the bundled one so the advisories check runs.
* ci(security): move GITLEAKS_VERSION to .github/env
Keep tool version pins centralized in .github/env like the other versions;
the gitleaks job loads it via the standard 'cat .github/env >> GITHUB_ENV' step.
* ci(security): run cargo-deny on ubuntu-latest, drop set-image
cargo deny only reads the dependency graph (cargo metadata + Cargo.lock), so
it needs no SDK toolchain or CI container. Running it on ubuntu-latest removes
the set-image dependency and the zizmor unpinned-images exception; RUSTUP_TOOLCHAIN
is set to stable so cargo metadata doesn't pull the pinned toolchain.
* ci(security): install cargo-deny via taiki-e/install-action
Use a prebuilt binary instead of 'cargo install' to avoid the ~2 min compile.
taiki-e/install-action pulls the latest cargo-deny release, which supports
CVSS v4.0 advisories.
---------
Co-authored-by: Branislav Kontur <bkontur@gmail.com>1 parent 1872810 commit 3399aeb
6 files changed
Lines changed: 149 additions & 10 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
| 15 | + | |
15 | 16 | | |
16 | 17 | | |
17 | 18 | | |
| |||
61 | 62 | | |
62 | 63 | | |
63 | 64 | | |
64 | | - | |
65 | | - | |
66 | | - | |
67 | | - | |
| 65 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
318 | 318 | | |
319 | 319 | | |
320 | 320 | | |
321 | | - | |
322 | | - | |
323 | | - | |
324 | | - | |
325 | | - | |
326 | | - | |
327 | 321 | | |
328 | 322 | | |
329 | 323 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
0 commit comments