From 693c4b88ae17033b83664a6dcbbe088e1164a10d Mon Sep 17 00:00:00 2001 From: Kanwalpreet Dhindsa Date: Mon, 29 Jun 2026 11:46:39 -0700 Subject: [PATCH] add socket tier 1 reachability analysis --- .github/workflows/socket-scan.yml | 102 ++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 .github/workflows/socket-scan.yml diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml new file mode 100644 index 000000000..be45a0150 --- /dev/null +++ b/.github/workflows/socket-scan.yml @@ -0,0 +1,102 @@ +# Socket reachability scan for stellar-core. +# For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability +# Multi-ecosystem: Rust (Cargo) + Python (scripts/pyproject.toml). +# +# --reach-ecosystems=cargo,pypi explicitly lists the ecosystems that get full Tier 1 reachability analysis. This repo's Coana-supported ecosystems are cargo (Cargo.toml) and pypi (scripts/pyproject.toml). The explicit list also excludes Coana's phantom NUGET detection: the repo has Builds/VisualStudio/stellar-core.sln (no actual C# code), which Coana otherwise mis-detects as a .NET project and aborts the scan demanding `dotnet`. Listing only cargo,pypi sidesteps that. +# +# >>> DEVELOPERS: if this repo adds a NEW Coana-supported ecosystem (e.g. an >>> npm package.json, a go.mod, a Gemfile), you MUST add that ecosystem to >>> this --reach-ecosystems list to get full Tier 1 reachability for it. >>> Supported ecosystem names: npm, pypi, cargo, golang, maven, gem, nuget. >>> Ecosystems NOT listed here still receive Tier 2 (precomputed) >>> reachability from Socket's backend automatically — but Tier 1 (the more >>> precise, your-code-aware analysis) only runs for the ecosystems listed. +# +# Schedule: Sun 12:24 UTC weekly. Use workflow_dispatch to run on demand. +# +# ============================================================================ +# Socket scan — reading the job status. (The scan step below produces this: an +# exit code + an optional ::warning:: annotation, which GitHub Actions renders +# as the job's state.) +# ============================================================================ +# GREEN (exit 0, no warning): scan completed and every analyzed vulnerability +# got full Tier 1 reachability (precise, your-code-aware). Nothing to do. +# YELLOW (exit 0 + "::warning:: Socket scan completed with Tier 2 fallbacks"): +# scan completed, but Tier 1 could NOT be computed for some/all +# vulnerabilities, which fell back to Tier 2 (precomputed) reachability. +# You still get CVE detection + Tier 2 results, just reduced precision +# for the affected CVEs. The job is NOT failing. +# RED (non-zero exit): scan did not complete. Do not assume any part +# succeeded — could be reachability hard-failing, a missing language +# toolchain, the runner out of memory, a network/API error, or even the +# underlying CVE/SBOM detection failing. Check the logs and fix before +# relying on results. +# ---------------------------------------------------------------------------- +# THIS REPO STARTS YELLOW — a KNOWN upstream Coana bug, NOT your code or this +# scan setup: +# Coana's Rust analyzer hits "Maximum call stack size exceeded" on the cargo +# root + src/rust (4 CVEs) -> Tier 2 fallback. +# Reported to Socket; may be fixed upstream over time. Do NOT let this baseline +# yellow train the team to ignore yellow — a *new* yellow (a different Tier 2 +# fallback that appears later) is a real signal worth investigating. After the +# initial rollout, the team may resolve the baseline yellow at its discretion +# (once Coana ships a fix, or by adjusting the scan) so GREEN becomes the +# normal state and any future yellow stands out. +# ============================================================================ + +name: Socket reachability scan + +on: + schedule: + - cron: '24 12 * * 0' + workflow_dispatch: + +permissions: + contents: read + +env: + # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to + # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove + # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). + FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true + +jobs: + socket-scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 + with: + toolchain: "1.86.0" + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.14.6" + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: "24.18.0" + - name: Enable Corepack (yarn/pnpm per repo packageManager) + run: corepack enable + + - name: Install Socket CLI + run: npm install -g socket + + - name: Run Socket reachability scan + env: + SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }} + run: | + # Stream the scan output through tee so the run log captures it AND + # we can grep it for Tier-2-fallback markers; capture the scan's + # exit code via ${PIPESTATUS[0]} (tee always exits 0). If the scan + # succeeded but logged a Tier 2 fallback, emit a ::warning:: + # annotation that GitHub Actions renders as a yellow run-level + # warning without failing the job. + set +e + socket scan create --reach \ + --org=stellar \ + --no-interactive \ + --reach-continue-on-no-source-files \ + --reach-continue-on-analysis-errors \ + --reach-continue-on-install-errors \ + --reach-continue-on-missing-lock-files \ + --reach-ecosystems=cargo,pypi \ + . 2>&1 | tee /tmp/scan.log + rc=${PIPESTATUS[0]} + if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then + echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1" + fi + exit $rc