102 changes: 102 additions & 0 deletions .github/workflows/socket-scan.yml
@@ -0,0 +1,102 @@
# Socket reachability scan for stellar-core.
# For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability
# Multi-ecosystem: Rust (Cargo) + Python (scripts/pyproject.toml).
#
# --reach-ecosystems=cargo,pypi explicitly lists the ecosystems that get full Tier 1 reachability analysis. This repo's Coana-supported ecosystems are cargo (Cargo.toml) and pypi (scripts/pyproject.toml). The explicit list also excludes Coana's phantom NUGET detection: the repo has Builds/VisualStudio/stellar-core.sln (no actual C# code), which Coana otherwise mis-detects as a .NET project and aborts the scan demanding `dotnet`. Listing only cargo,pypi sidesteps that.
#
# >>> DEVELOPERS: if this repo adds a NEW Coana-supported ecosystem (e.g. an >>> npm package.json, a go.mod, a Gemfile), you MUST add that ecosystem to >>> this --reach-ecosystems list to get full Tier 1 reachability for it. >>> Supported ecosystem names: npm, pypi, cargo, golang, maven, gem, nuget. >>> Ecosystems NOT listed here still receive Tier 2 (precomputed) >>> reachability from Socket's backend automatically — but Tier 1 (the more >>> precise, your-code-aware analysis) only runs for the ecosystems listed.
#
# Schedule: Sun 12:24 UTC weekly. Use workflow_dispatch to run on demand.
#
# ============================================================================
# Socket scan — reading the job status. (The scan step below produces this: an
# exit code + an optional ::warning:: annotation, which GitHub Actions renders
# as the job's state.)
# ============================================================================
# GREEN (exit 0, no warning): scan completed and every analyzed vulnerability
# got full Tier 1 reachability (precise, your-code-aware). Nothing to do.
# YELLOW (exit 0 + "::warning:: Socket scan completed with Tier 2 fallbacks"):
# scan completed, but Tier 1 could NOT be computed for some/all
# vulnerabilities, which fell back to Tier 2 (precomputed) reachability.
# You still get CVE detection + Tier 2 results, just reduced precision
# for the affected CVEs. The job is NOT failing.
# RED (non-zero exit): scan did not complete. Do not assume any part
# succeeded — could be reachability hard-failing, a missing language
# toolchain, the runner out of memory, a network/API error, or even the
# underlying CVE/SBOM detection failing. Check the logs and fix before
# relying on results.
# ----------------------------------------------------------------------------
# THIS REPO STARTS YELLOW — a KNOWN upstream Coana bug, NOT your code or this
# scan setup:
# Coana's Rust analyzer hits "Maximum call stack size exceeded" on the cargo
# root + src/rust (4 CVEs) -> Tier 2 fallback.
# Reported to Socket; may be fixed upstream over time. Do NOT let this baseline
# yellow train the team to ignore yellow — a *new* yellow (a different Tier 2
# fallback that appears later) is a real signal worth investigating. After the
# initial rollout, the team may resolve the baseline yellow at its discretion
# (once Coana ships a fix, or by adjusting the scan) so GREEN becomes the
# normal state and any future yellow stands out.
# ============================================================================

name: Socket reachability scan

on:
schedule:
- cron: '24 12 * * 0'
workflow_dispatch:

permissions:
contents: read

env:
# Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to
# use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove
# after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op).
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
Comment on lines +52 to +55
Contributor:
Seems about right since we are past the June 16th date.


jobs:
socket-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

P1: Fetch submodules before scanning Rust

In scheduled runs, `actions/checkout` does not fetch submodules unless `submodules` is set; this repo's production Rust build uses the Soroban gitlinks under `src/rust/soroban/p21p27` (see `src/Makefile.am`), so a default checkout leaves those `Cargo.toml`/`Cargo.lock` files absent. Then `socket scan create --reach .` can only discover the top-level Rust manifests, and the scan will miss the Soroban host crates that are actually linked into stellar-core, yielding false-negative reachability results.

Contributor:
Since we would have Socket scan enabled in the rs-soroban-env repo, it's probably fine if this scan skips the Soroban host scan. Also, with the multi-host architecture, it's not worth scanning older protocol version hosts.

- uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
with:
toolchain: "1.86.0"
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.14.6"
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "24.18.0"
- name: Enable Corepack (yarn/pnpm per repo packageManager)
run: corepack enable

Comment on lines +72 to +74
Contributor:
Seems relevant. core doesn't have a package.json.

- name: Install Socket CLI
run: npm install -g socket
Comment on lines +75 to +76
Contributor:
This is a possibility, so pinning makes sense.


- name: Run Socket reachability scan
env:
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
run: |
# Stream the scan output through tee so the run log captures it AND
# we can grep it for Tier-2-fallback markers; capture the scan's
# exit code via ${PIPESTATUS[0]} (tee always exits 0). If the scan
# succeeded but logged a Tier 2 fallback, emit a ::warning::
# annotation that GitHub Actions renders as a yellow run-level
# warning without failing the job.
set +e
socket scan create --reach \
--org=stellar \
--no-interactive \
--reach-continue-on-no-source-files \
--reach-continue-on-analysis-errors \
--reach-continue-on-install-errors \
--reach-continue-on-missing-lock-files \
--reach-ecosystems=cargo,pypi \
. 2>&1 | tee /tmp/scan.log
rc=${PIPESTATUS[0]}
if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then
echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1"
fi
exit $rc
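Review bot: the `npm install -g socket` step (lines +75 to +76) is the one unpinned dependency in a workflow that SHA-pins every action; the scanner that decides GREEN/YELLOW/RED is installed at whatever version npm serves on the day, so a bad or compromised `socket` release silently changes the results this job reports. Pin it, e.g. `npm install -g socket@<version>`, and bump it deliberately the way the action SHAs are bumped. A second point on the scan step: the YELLOW signal exists only as long as one of the three patterns on the `grep -qE` line matches Socket's log wording; if Socket rewords the fallback message, Tier 2 fallbacks land on GREEN with no annotation. The header already documents that this repo starts YELLOW because of the Coana "Maximum call stack size exceeded" bug, so a run that comes back GREEN before that bug is fixed upstream should be read as the grep patterns going stale rather than as good news; worth stating that next to the "THIS REPO STARTS YELLOW" block, or checking it in the step itself.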