Skip to content

feat: implement automated security audit script for Wasm files (#274) #280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Danielodingz wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: implement automated security audit script for Wasm files (#274) #280

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
08f0f51
feat: implement automated security audit script for Wasm files (#274)
Danielodingz Apr 25, 2026
71905d8
fix: resolve CI failure by moving bridge and liquidation library file…
Danielodingz Apr 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/workflows/rust.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,13 @@ jobs:
with:
targets: wasm32-unknown-unknown
- uses: Swatinem/rust-cache@v2
- name: Build Contracts
run: cargo build --target wasm32-unknown-unknown --release
- name: Test sep41-token
run: cargo test -p sep41-token
- name: Test upgradeable
run: cargo test -p upgradeable
- name: Run Security Audit
run: ./scripts/security_audit.sh


48 changes: 48 additions & 0 deletions scripts/security_audit.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
#!/bin/bash
set -e

echo "Starting Soroban Wasm Security Audit..."

if ! command -v find &> /dev/null; then
echo "Error: 'find' command is required."
exit 1
fi

WASM_COUNT=$(find target -name "*.wasm" 2>/dev/null | wc -l || echo 0)
if [ "$WASM_COUNT" -eq 0 ]; then
WASM_COUNT=$(find . -name "*.wasm" 2>/dev/null | wc -l || echo 0)
fi

if [ "$WASM_COUNT" -eq 0 ]; then
echo "No Wasm files found. Please ensure the project is built before running the audit."
exit 0
fi

echo "Found Wasm files:"
find target -name "*.wasm" 2>/dev/null || find . -name "*.wasm" 2>/dev/null

if command -v soroban-analyzer &> /dev/null; then
echo "Running soroban-analyzer..."
# SC2044 avoidance by using while read -r
(find target -name "*.wasm" 2>/dev/null || find . -name "*.wasm" 2>/dev/null) | while read -r file; do
if [ -n "$file" ]; then
echo "Analyzing $file..."
soroban-analyzer "$file"
fi
done
else
echo "Warning: 'soroban-analyzer' is not installed or available in PATH."
echo "Skipping dedicated Wasm static analysis."
fi

echo "Checking for suspicious patterns in Rust source files..."

if grep -rn "unsafe {" src/ contracts/ > /dev/null 2>&1; then
echo "Warning: 'unsafe' blocks found in source files. Please review for potential vulnerabilities."
fi

if grep -rn "env.panic" src/ contracts/ > /dev/null 2>&1; then
echo "Warning: 'env.panic' usages found. Review panic conditions to prevent DoS or reentrancy issues."
fi

echo "Security audit completed successfully."
0 src/bridge/lib.rs → src/bridge/src/lib.rs
View file
Open in desktop
File renamed without changes.
0 src/liquidation/lib.rs → src/liquidation/src/lib.rs
View file
Open in desktop
File renamed without changes.
Loading