diff --git a/.clconfig.json b/.clconfig.json
new file mode 100644
index 00000000..825a46e0
--- /dev/null
+++ b/.clconfig.json
@@ -0,0 +1,50 @@
+{
+ "categories": [
+ "all",
+ "ante",
+ "bank-precompile",
+ "ci",
+ "cli",
+ "contracts",
+ "deps",
+ "dist-precompile",
+ "eip-712",
+ "erc20",
+ "erc20-precompile",
+ "evm",
+ "feemarket",
+ "ibc",
+ "ics20-precompile",
+ "precompiles",
+ "proto",
+ "rpc",
+ "staking-precompile",
+ "tests"
+ ],
+ "change_types": {
+ "Bug Fixes": "bug\\s*fixes",
+ "Improvements": "improvements",
+ "API Breaking": "api\\s*breaking",
+ "State Machine Breaking": "state\\s*machine\\s*breaking"
+ },
+ "expected_spellings": {
+ "ABI": "abi",
+ "API": "api",
+ "CI": "ci",
+ "Cosmos SDK": "cosmos[\\s-]*sdk",
+ "CLI": "cli",
+ "EIP-712": "eip[\\s-]*712",
+ "ERC-20": "erc[\\s-]*20",
+ "EVM": "evm",
+ "evmOS": "evmos",
+ "IBC": "ibc",
+ "ICS": "ics",
+ "ICS-20": "ics[\\s-]*20",
+ "OS": "os",
+ "PR": "pr",
+ "RPC": "rpc",
+ "SDK": "sdk"
+ },
+ "legacy_version": null,
+ "target_repo": "https://github.com/evmos/os"
+}
\ No newline at end of file
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..2d5fee78
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# CODEOWNERS: https://help.github.com/articles/about-codeowners/
+
+# Primary (global) repo maintainers
+* @evmos/core-engineering
diff --git a/.github/ISSUE_TEMPLATE/1-bug.yml b/.github/ISSUE_TEMPLATE/1-bug.yml
new file mode 100644
index 00000000..53ebaa2d
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/1-bug.yml
@@ -0,0 +1,41 @@
+name: Bug report
+description: Create a report to help us squash bugs!
+title: "[Bug]: "
+labels: ["T:bug"]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for taking the time to fill out this bug report!
+ Before smashing the submit button please review the template.
+ - type: checkboxes
+ attributes:
+ label: Is there an existing issue for this?
+ description: Please search existing issues to avoid creating duplicates.
+ options:
+ - label: I have searched the existing issues
+ required: true
+
+ - type: textarea
+ id: what-happened
+ attributes:
+ label: What happened?
+ description: What did you expect to happen? If applicable add screenshots to explain your problem
+ placeholder: Tell us what you see!
+ validations:
+ required: true
+ - type: input
+ attributes:
+ label: evmOS Version
+ description: If applicable, specify which version you're using
+ placeholder: 0.16.0, 0.16.1, main, etc.
+ validations:
+ required: true
+ - type: textarea
+ id: reproduce
+ attributes:
+ label: How to reproduce?
+ description: If applicable could you describe how we could reproduce the bug
+ placeholder: Tell us what how to reproduce the bug!
+ validations:
+ required: false
diff --git a/.github/ISSUE_TEMPLATE/2-feature-request.yml b/.github/ISSUE_TEMPLATE/2-feature-request.yml
new file mode 100644
index 00000000..a0bc4249
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/2-feature-request.yml
@@ -0,0 +1,41 @@
+name: Feature Request
+description: Create a proposal to request a feature
+title: "[Feature]: "
+labels: ["T:feature-request"]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ ✰ Thanks for opening an issue! ✰
+ - type: textarea
+ id: summary
+ attributes:
+ label: Summary
+ description: |
+ What are the user needs?
+ How could this solution fix the user facing problem?
+ placeholder: Short, concise description of the proposed feature/changes to the repository
+ validations:
+ required: true
+ - type: textarea
+ id: issue
+ attributes:
+ label: Issue Definition
+ description: |
+ If applicable please answer the below questions
+ Why do we need this feature?
+ What issues may be addressed by introducing this feature?
+ What benefits does evmOS stand to gain by including this feature?
+ Are there any disadvantages to including this feature?
+ placeholder: Description of the issue being faced
+ validations:
+ required: false
+ - type: textarea
+ id: proposal
+ attributes:
+ label: Proposed Feature
+ description: |
+ Description of the proposed features or changes to an existing feature to meet your needs
+ placeholder: Description of the proposed feature(s)
+ validations:
+ required: true
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 00000000..3ba13e0c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 00000000..cc8f55bd
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,39 @@
+# Description
+
+
+
+
+
+
+Closes: #XXXX
+
+---
+
+## Author Checklist
+
+**All** items are required. Please add a note to the item if the item is not applicable and
+please add links to any relevant follow up issues.
+
+I have...
+
+- [ ] tackled an existing issue or discussed with a team member
+- [ ] left instructions on how to review the changes
+- [ ] targeted the `main` branch
+
+## Reviewers Checklist
+
+**All** items are required.
+Please add a note if the item is not applicable
+and please add your handle next to the items reviewed
+if you only reviewed selected items.
+
+I have...
+
+- [ ] added a relevant changelog entry to the `Unreleased` section in `CHANGELOG.md`
+- [ ] confirmed all author checklist items have been addressed
+- [ ] confirmed that this PR does not change production code
+- [ ] reviewed content
+- [ ] tested instructions (if applicable)
+- [ ] confirmed all CI checks have passed
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..0a37da33
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "10:00"
+ open-pull-requests-limit: 10
+ labels:
+ - dependencies
+ - package-ecosystem: docker
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "10:00"
+ open-pull-requests-limit: 10
+ - package-ecosystem: gomod
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "10:00"
+ open-pull-requests-limit: 10
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 00000000..9e532713
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,57 @@
+proto:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "proto/**/*",
+ "**/*.pb.go",
+ "**/*.pb.gw.go"
+ ]
+types:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "types/**/*",
+ ]
+build:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "Makefile",
+ "Dockerfile",
+ "docker-compose.yml",
+ "scripts/*",
+ "config.yml",
+ ]
+CI:
+ - changed-files:
+ - any-glob-to-any-file: [
+ ".github/**/*",
+ ".mergify.yml",
+ ".golangci.yml",
+ "buf.yaml",
+ ]
+CLI:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "client/**/*",
+ "x/*/client/**/*",
+ ]
+tests:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "tests/**/*",
+ "testutil/**/*",
+ "**/*_test.go",
+ ]
+contracts:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "contracts/**/*",
+ "*.sol",
+ ]
+precompile:
+ - changed-files:
+ - any-glob-to-any-file: [
+ "precompiles/**/*",
+ ]
+release:
+ - base-branch: "^release/"
+feature:
+ - head-branch: "^feat/"
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
new file mode 100644
index 00000000..b587fa4a
--- /dev/null
+++ b/.github/workflows/auto-format.yml
@@ -0,0 +1,48 @@
+name: Auto Format
+
+on:
+ pull_request:
+
+permissions: read-all
+
+jobs:
+ format-go-code:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/setup-go@v5
+ with:
+ go-version: "1.22"
+ check-latest: true
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.E2E_PAT }}
+ - run: go install mvdan.cc/gofumpt@latest
+ - run: make format
+ # Commit formatted files if necessary
+ - uses: stefanzweifel/git-auto-commit-action@v5
+ with:
+ commit_message: run make format
+
+ format-python-code:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.E2E_PAT }}
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+ - run: pip install black isort
+ - run: make format-python
+ # Commit formatted files if necessary
+ - uses: stefanzweifel/git-auto-commit-action@v5
+ with:
+ commit_message: run make format-python
diff --git a/.github/workflows/bsr-push.yml b/.github/workflows/bsr-push.yml
new file mode 100644
index 00000000..2606a4be
--- /dev/null
+++ b/.github/workflows/bsr-push.yml
@@ -0,0 +1,21 @@
+name: Push to Buf Schema Registry
+# This workflow runs when a new version tag is pushed to the repository.
+# It then pushes the Protobuf files corresponding to that tag on to the
+# Buf Schema Registry at https://buf.build/evmos/os
+on:
+ push:
+ tags:
+ - "v*.*.*"
+permissions: read-all
+
+jobs:
+ push:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: bufbuild/buf-setup-action@v1.35.1
+ # Push Evmos protos to the Buf Schema Registry
+ - uses: bufbuild/buf-push-action@v1.2.0
+ with:
+ input: ./proto
+ buf_token: ${{ secrets.BUF_TOKEN }}
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
new file mode 100644
index 00000000..6612a5d2
--- /dev/null
+++ b/.github/workflows/changelog.yml
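Review bot: Both jobs check out the PR head with `token: ${{ secrets.E2E_PAT }}` and then run `make format` / `make format-python` from that same checkout, so a PR that edits the Makefile or the formatting targets executes arbitrary code in a job whose `.git/config` holds a PAT with push rights (actions/checkout persists the token by default). Because the trigger is `pull_request`, that secret is not released to fork PRs at all, so the auto-commit step would simply fail for external contributors while same-repo branches get the exposure. Consider `persist-credentials: false` on the checkout and handing the token only to the `git-auto-commit-action` step, or restricting this workflow to trusted branches. `go install mvdan.cc/gofumpt@latest` is also unpinned; pin it to a fixed release so the formatter output is reproducible across runs.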
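Review bot: `buf_token: ${{ secrets.BUF_TOKEN }}` is released to the `push` job on any `v*.*.*` tag push, so anyone who can push a tag can publish a schema version to buf.build/evmos/os. Pair this with tag protection rules or a protected `environment:` on the job so the secret is only available for reviewed release tags. The Buf actions are pinned to exact tags (`v1.35.1`, `v1.2.0`), which is good; a commit SHA would be stronger still.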
@@ -0,0 +1,27 @@
+name: Changelog Linter
+
+on:
+ pull_request:
+ branches:
+ - main
+ - release/**
+permissions: read-all
+
+jobs:
+ check_diff:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check Changelog for changes
+ uses: tarides/changelog-check-action@v3
+ with:
+ changelog: CHANGELOG.md
+
+ lint_changelog:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v4
+
+ - name: Run changelog linter
+ uses: MalteHerrmann/changelog-lint-action@0918ef12e6dc06adce0743e1c6c13707a7c20323
diff --git a/.github/workflows/check-licenses.yml b/.github/workflows/check-licenses.yml
new file mode 100644
index 00000000..3e751cb3
--- /dev/null
+++ b/.github/workflows/check-licenses.yml
@@ -0,0 +1,20 @@
+name: Check Licenses
+on:
+ pull_request
+
+permissions: read-all
+
+jobs:
+ check-licenses:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ id: git_diff
+ with:
+ PATTERNS: |
+ **/**.go
+ **/**.proto
+ - run: |
+ make check-licenses
+ if: env.GIT_DIFF
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..6b7d5f52
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,80 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ pull_request:
+permissions: read-all
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ['go', 'javascript', 'python']
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+ # Learn more:
+ # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/**.go
+ go.mod
+ go.sum
+ *.toml
+ **/**.py
+ **/**.js
+ **/**.ts
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+ queries: crypto-com/cosmos-sdk-codeql@main,security-and-quality
+ if: env.GIT_DIFF
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+ if: env.GIT_DIFF
+
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ # - run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ if: env.GIT_DIFF
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
new file mode 100644
index 00000000..c1dbead4
--- /dev/null
+++ b/.github/workflows/dependencies.yml
@@ -0,0 +1,28 @@
+name: "Dependency Review"
+on: pull_request
+
+permissions: read-all
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+ check-latest: true
+ - name: "Checkout Repository"
+ uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/**.go
+ go.mod
+ go.sum
+ *.toml
+ - name: "Dependency Review"
+ uses: actions/dependency-review-action@v4
+ if: env.GIT_DIFF
+ - name: "Go vulnerability check"
+ run: make vulncheck
+ if: env.GIT_DIFF
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 00000000..cb283e67
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,14 @@
+name: "Pull Request Labeler"
+on:
+ pull_request:
+permissions: read-all
+
+jobs:
+ triage:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # For reading the PR and adding the label
+ steps:
+ - uses: actions/labeler@v5
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..d9a7e9ff
--- /dev/null
+++ b/.github/workflows/lint.yml
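Review bot: `queries: crypto-com/cosmos-sdk-codeql@main,security-and-quality` fetches a third-party query pack from a mutable branch, so what CodeQL actually checks can change, or be tampered with, without any commit to this repository; pin it to a commit SHA, as `changelog.yml` in this same change already does for `MalteHerrmann/changelog-lint-action`. The comment above the `Autobuild` step says it builds "C/C++, C#, or Java", but the only compiled language in the matrix is `go`; `# Autobuild builds the compiled language in the matrix (Go); JavaScript and Python need no build step.` would describe the configuration as written. Note also that `if: env.GIT_DIFF` on all three CodeQL steps means a PR that touches none of the listed patterns produces no analysis result at all, so this check should not be marked as required in branch protection without accounting for that.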
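Review bot: `actions/labeler@v5` is granted `pull-requests: write`, but on the `pull_request` event the `GITHUB_TOKEN` for a pull request opened from a fork is read-only regardless of the job's `permissions` block, so labelling will fail for external contributors. The documented pattern for this action is `on: pull_request_target`, which is safe here because the job never checks out or executes PR code; if you switch, keep it that way (no `actions/checkout` of the PR head in this job).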
@@ -0,0 +1,53 @@
+name: Lint
+# Lint runs golangci-lint over the entire Evmos repository This workflow is
+# run on every pull request and push to main The `golangci` will pass without
+# running if no *.{go, mod, sum} files have been changed.
+on:
+ pull_request:
+
+permissions: read-all
+
+jobs:
+ golangci:
+ name: Run golangci-lint
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ # Required: setup-go, for all versions v3.0.0+ of golangci-lint
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+ check-latest: true
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/**.go
+ go.mod
+ go.sum
+ *.toml
+ - uses: golangci/golangci-lint-action@v6.1.0
+ with:
+ # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
+ version: latest
+ args: --timeout 10m
+ github-token: ${{ secrets.github_token }}
+ # Check only if there are differences in the source code
+ if: env.GIT_DIFF
+ markdown-lint:
+ name: Run markdown-lint
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/**.md
+ - uses: nosborn/github-action-markdown-cli@v3.3.0
+ with:
+ files: .
+ config_file: .markdownlint.yml
+ ignore_path: .markdownlintignore
+ # Check only if there are differences in the source code
+ if: env.GIT_DIFF
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
new file mode 100644
index 00000000..0d1e2bb4
--- /dev/null
+++ b/.github/workflows/markdown-links.yml
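Review bot: `version: latest` for `golangci-lint-action` makes the lint result non-reproducible — a new linter release can start failing every PR with no change in this repository — and contradicts the comment directly above it, which says the version must be specified. Pin an explicit minor version (`version: vX.Y`) and let Dependabot's `github-actions` ecosystem bump it. The header comment also says the workflow runs on "every pull request and push to main", but the trigger is only `pull_request`; either correct the comment or add `push: branches: [main]`.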
@@ -0,0 +1,24 @@
+name: Check Markdown links
+on:
+ pull_request:
+ branches:
+ - main
+ - release/**
+permissions: read-all
+
+jobs:
+ markdown-link-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **.md
+ - uses: gaurav-nelson/github-action-markdown-link-check@master
+ with:
+ check-modified-files-only: "yes"
+ use-quiet-mode: "yes"
+ base-branch: "main"
+ config-file: "mlc_config.json"
+ if: env.GIT_DIFF
diff --git a/.github/workflows/proto.yml b/.github/workflows/proto.yml
new file mode 100644
index 00000000..31b959dd
--- /dev/null
+++ b/.github/workflows/proto.yml
@@ -0,0 +1,48 @@
+name: Protobuf
+# Protobuf runs buf (https://buf.build/) lint and check-breakage
+# This workflow is only run when a .proto file has been changed
+on:
+ pull_request:
+ paths:
+ - "proto/**"
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ id: git_diff
+ with:
+ PATTERNS: |
+ **/**.proto
+ **/buf.yaml
+ buf.work.yaml
+ buf.gen.yaml
+ - run: |
+ make proto-gen
+ if: env.GIT_DIFF
+
+ lint:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v4
+ - uses: bufbuild/buf-setup-action@v1.35.1
+ - uses: bufbuild/buf-lint-action@v1
+ with:
+ input: "proto"
+
+ break-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: bufbuild/buf-setup-action@v1.35.1
+ - uses: bufbuild/buf-breaking-action@v1
+ with:
+ input: "proto"
+ against: "https://github.com/${{ github.repository }}.git#branch=${{ github.event.pull_request.base.ref }},ref=HEAD~1,subdir=proto"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..c9d206f5
--- /dev/null
+++ b/.github/workflows/security.yml
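Review bot: `gaurav-nelson/github-action-markdown-link-check@master` executes whatever is currently on a third-party branch on every PR; pin it to a release tag or, better, a commit SHA. `base-branch: "main"` is hard-coded while the workflow also triggers on `release/**` PRs, so with `check-modified-files-only: "yes"` a release-branch PR is presumably diffed against `main` rather than its own base; `base-branch: "${{ github.base_ref }}"` would follow the actual target branch — confirm the action accepts an expression there.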
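Review bot: The `build` job requests `permissions: contents: write`, but its only step after checkout is `make proto-gen` — there is no commit or push — so the write scope is unused; drop the job-level `permissions` block and inherit the top-level `read-all`, as the `lint` and `break-check` jobs already do. In `break-check`, `ref=HEAD~1` inside `against` compares against the commit before the tip of `${{ github.event.pull_request.base.ref }}`; for a `pull_request` trigger the base branch tip is already the pre-change state, so this looks one commit too far back — confirm it is intended, otherwise remove `,ref=HEAD~1`.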
@@ -0,0 +1,36 @@
+name: Run Gosec
+on:
+ pull_request:
+permissions: read-all
+
+jobs:
+ Gosec:
+ permissions:
+ security-events: write
+
+ runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ - name: Get Diff
+ uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/*.go
+ go.mod
+ go.sum
+ *.toml
+ - name: Run Gosec Security Scanner
+ uses: cosmos/gosec@master
+ with:
+ # we let the report trigger content trigger a failure using the GitHub Security features.
+ args: "-no-fail -fmt sarif -out results.sarif ./..."
+ if: "env.GIT_DIFF_FILTERED != ''"
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ if: "env.GIT_DIFF_FILTERED != ''"
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..c41ed9c4
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,35 @@
+name: Semgrep
+on:
+ # Scan changed files in PRs, block on new issues only (existing issues ignored)
+ pull_request:
+
+permissions: read-all
+
+jobs:
+ # Update from: https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions [removing GH Security Dashboard]
+ semgrep:
+ name: Scan
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Permission issue fix
+ run: git config --global --add safe.directory /__w/evmos/os
+ - uses: actions/checkout@v4
+ - name: Get Diff
+ uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/*.go
+ **/*.js
+ **/*.ts
+ **/*.sol
+ go.mod
+ go.sum
+ *.toml
+ - uses: actions/checkout@v4
+ - run: semgrep ci --config=auto
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ if: "env.GIT_DIFF_FILTERED != ''"
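Review bot: `cosmos/gosec@master` pins the scanner to a mutable branch of a third-party fork, so both the rule set and the code running inside a job with `security-events: write` can change underneath you; pin a release tag or commit SHA. The `if:` conditions test `env.GIT_DIFF_FILTERED != ''`, whereas every other workflow in this change gates on `env.GIT_DIFF`; per the get-diff-action README `GIT_DIFF_FILTERED` is the diff filtered by its `FILES` input, which is not set here, so confirm it is actually populated or switch to `if: env.GIT_DIFF` — otherwise the scan silently never runs. With `-no-fail`, findings only reach reviewers through the SARIF upload, so that gate is the difference between a scan and no scan.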
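Review bot: The job checks out the repository twice — `actions/checkout@v4` before `Get Diff` and again after it — the second clone is redundant and should be removed. `image: returntocorp/semgrep` carries no tag or digest, so every run pulls `latest`; pin a version or `@sha256:` digest for reproducible scans. `safe.directory /__w/evmos/os` hard-codes the workspace path and breaks on a fork or rename; `run: git config --global --add safe.directory "$GITHUB_WORKSPACE"` avoids that. Since `SEMGREP_APP_TOKEN` is not released to fork PRs under `pull_request`, `semgrep ci` presumably runs without the app on those PRs; confirm that is the intended behaviour.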
diff --git a/.github/workflows/slither.yml b/.github/workflows/slither.yml
new file mode 100644
index 00000000..c25245a5
--- /dev/null
+++ b/.github/workflows/slither.yml
@@ -0,0 +1,32 @@
+name: Slither Analysis
+
+on:
+ pull_request:
+permissions: read-all
+
+jobs:
+ analyze:
+ name: Run Slither
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Get Diff
+ uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/*.sol
+ - name: Node dependencies Install
+ run: |
+ cd contracts && npm i
+ cp -r node_modules/@openzeppelin .
+ - name: Run Slither Action
+ uses: crytic/slither-action@v0.4.0
+ continue-on-error: true
+ id: slither
+ with:
+ target: contracts/
+ if: "env.GIT_DIFF"
\ No newline at end of file
diff --git a/.github/workflows/solhint.yml b/.github/workflows/solhint.yml
new file mode 100644
index 00000000..46378cf9
--- /dev/null
+++ b/.github/workflows/solhint.yml
@@ -0,0 +1,26 @@
+name: Solhint
+# This workflow is only run when a .sol file has been changed
+on:
+ pull_request:
+
+permissions: read-all
+
+jobs:
+ solhint:
+ name: runner / solhint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ id: git_diff
+ with:
+ PATTERNS: |
+ **/**.sol
+ - uses: actions/setup-node@v4
+ if: env.GIT_DIFF
+ - run: npm install -g solhint
+ if: env.GIT_DIFF
+ - run: solhint --version
+ if: env.GIT_DIFF
+ - run: solhint '**/*.sol'
+ if: env.GIT_DIFF
diff --git a/.github/workflows/solidity-test.yml b/.github/workflows/solidity-test.yml
new file mode 100644
index 00000000..b76befbb
--- /dev/null
+++ b/.github/workflows/solidity-test.yml
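Review bot: The `Node dependencies Install` step (`cd contracts && npm i`, `cp -r node_modules/@openzeppelin .`) has no `if: env.GIT_DIFF` guard, so `npm i` runs on every PR even when no `.sol` file changed and the Slither step itself is skipped; add `if: env.GIT_DIFF` to it. The job grants `security-events: write` but never uploads anything, and `continue-on-error: true` means findings never fail the job, so results exist only in the run log; either upload Slither's SARIF output (the action exposes one — confirm the input and output names for `v0.4.0`) via `github/codeql-action/upload-sarif@v3`, or drop the unused write permission. The file also lacks a trailing newline after `if: "env.GIT_DIFF"`.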
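Review bot: `npm install -g solhint` installs whatever version is current at run time, so lint results differ between runs and an upstream release can break every PR; pin it (`npm install -g solhint@<version>`) and let Dependabot update it. `actions/setup-node@v4` is used without a `node-version`, so the runner default is taken; set one explicitly for the same reason.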
@@ -0,0 +1,29 @@
+name: Solidity Test
+on:
+ pull_request:
+ branches:
+ - main
+ - release/**
+permissions: read-all
+
+jobs:
+ test-solidity:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+ check-latest: true
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ **/**.sol
+ **/**.go
+ go.mod
+ go.sum
+ *.toml
+ - name: Test Solidity
+ run: |
+ make test-solidity
+ if: env.GIT_DIFF
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 00000000..ea9704e7
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,23 @@
+name: "Close stale issues & pull requests"
+on:
+ schedule:
+ - cron: "0 0 * * *"
+permissions: read-all
+
+jobs:
+ stale:
+ permissions:
+ pull-requests: write # For reading the PR and adding the label
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/stale@v9
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days-before-close if no further activity occurs."
+ stale-issue-message: "This issue is stale because it has been open 45 days with no activity. Remove `Status: Stale` label or comment or this will be closed in 7 days."
+ days-before-stale: 45
+ days-before-close: 7
+ exempt-issue-labels: "Status: Blocked, Type: Bug, pinned, automerge"
+ exempt-pr-labels: "Status: Blocked, Type: Bug, pinned, automerge"
+ stale-pr-label: "Status: Stale"
+ stale-issue-label: "Status: Stale"
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
new file mode 100644
index 00000000..5c2429e7
--- /dev/null
+++ b/.github/workflows/super-linter.yml
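Review bot: The `stale` job's `permissions` grant only `pull-requests: write`, but `actions/stale` also labels and closes issues, which needs `issues: write`; under the top-level `permissions: read-all` the issue half will fail with 403, so add `issues: write` next to it. The exempt labels `Type: Bug` do not match the label the bug template actually applies (`T:bug` in `.github/ISSUE_TEMPLATE/1-bug.yml`), so bug reports will not be exempt from staling; align them, e.g. `exempt-issue-labels: "Status: Blocked, T:bug, pinned, automerge"`. `stale-pr-message` also contains the literal text `7 days-before-close`, which should read `7 days`.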
@@ -0,0 +1,38 @@
+# This workflow executes several linters on changed files based on languages used in your code base whenever
+# you push a code or open a pull request.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/github/super-linter
+---
+name: Lint Code Base
+
+on:
+ pull_request:
+permissions: read-all
+jobs:
+ run-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ # Full git history is needed to get a proper list of changed files within `super-linter`
+ fetch-depth: 0
+
+ - name: Lint Code Base
+ uses: github/super-linter@v6
+ env:
+ LINTER_RULES_PATH: /
+ YAML_CONFIG_FILE: .yamllint
+ VALIDATE_ALL_CODEBASE: false
+ MARKDOWN_CONFIG_FILE: .markdownlint.yml
+ PROTOBUF_CONFIG_FILE: .protolint.yml
+ VALIDATE_NATURAL_LANGUAGE: false
+ VALIDATE_OPENAPI: false
+ VALIDATE_JSCPD: false
+ VALIDATE_GO: false
+ PYTHON_PYLINT_CONFIG_FILE: .pylintrc
+ DEFAULT_BRANCH: "main"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ FILTER_REGEX_EXCLUDE: .*.jsonnet
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..7d1644d7
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,73 @@
+name: Tests
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - release/**
+permissions: read-all
+
+jobs:
+ cleanup-runs:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: rokroskar/workflow-run-cleanup-action@master
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ if: "!startsWith(github.ref, 'refs/tags/') && github.ref != 'refs/heads/main'"
+
+ test-unit-cover:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v5
+ with:
+ go-version: "1.22"
+ check-latest: true
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ .github/workflows/test.yml
+ **/**.sol
+ **/**.go
+ go.mod
+ go.sum
+ *.toml
+ - name: Test and Create Coverage Report
+ run: |
+ make test-unit-cover
+ if: env.GIT_DIFF
+ - uses: codecov/codecov-action@v4
+ with:
+ file: ./coverage.txt
+ # We were getting a 500 error on codecov servers
+ # so we decided to avoid blocking the CI if this fails
+ fail_ci_if_error: false
+ if: env.GIT_DIFF
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+ test-scripts:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6.1.2
+ with:
+ PATTERNS: |
+ .github/workflows/test.yml
+ ./scripts/**
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+ cache: "pip" # caching pip dependencies
+ if: env.GIT_DIFF
+ - name: Install Pytest
+ run: |
+ python -m pip install --upgrade pip
+ pip install pytest
+ if: env.GIT_DIFF
+ - name: Test Scripts
+ run: |
+ make test-scripts
+ if: env.GIT_DIFF
diff --git a/.gitignore b/.gitignore
index 66fd13c9..514c5eff 100644
--- a/.gitignore
+++ b/.gitignore
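Review bot: `rokroskar/workflow-run-cleanup-action@master` is a third-party action at a mutable branch ref, and cancelling in-progress runs requires `actions: write`, which the `cleanup-runs` job does not have under the top-level `permissions: read-all`, so the step will presumably fail on every run. GitHub's built-in `concurrency` key does the same job with no token and no third-party code: add `concurrency: { group: "${{ github.workflow }}-${{ github.ref }}", cancel-in-progress: "${{ github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/') }}" }` at the workflow level and delete the `cleanup-runs` job. `CODECOV_TOKEN` is likewise not released to fork PRs under `pull_request`; `fail_ci_if_error: false` already absorbs that, but a one-line comment saying so would save the next reader the investigation.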
@@ -1,15 +1,30 @@ -# Binaries for programs and plugins +# OS +.DS_Store +*.swp +*.swo +*.swl +*.swm +*.swn +*.pyc *.exe *.exe~ *.dll *.so *.dylib +.dccache -# Test binary, built with `go test -c` -*.test +# Testing +coverage.txt +yarn.lock -# Output of the go coverage tool, specifically when used with LiteIDE -*.out +# IDE +.idea/ +.vscode/ +*.iml +*.code-workspace -# Dependency directories (remove the comment below to include it) -# vendor/ +# Node.js +**/node_modules + +# OpenZeppelin contracts +contracts/@openzeppelin/* diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..e4afafed --- /dev/null +++ b/.gitleaks.toml 
@@ -0,0 +1,2767 @@ +# This file has been auto-generated. Do not edit manually. +# If you would like to contribute new rules, please use +# cmd/generate/config/main.go and follow the contributing guidelines +# at https://github.com/zricethezav/gitleaks/blob/master/CONTRIBUTING.md + +# This is the default gitleaks configuration file. +# Rules and allowlists are defined within this file. +# Rules instruct gitleaks on what should be considered a secret. +# Allowlists instruct gitleaks on what is allowed, i.e. not a secret. + +title = "gitleaks config" + +[allowlist] +description = "global allow lists" +paths = [ + '''gitleaks.toml''', + '''(.*?)(jpg|gif|pdf|png|svg)$''', + '''(go.mod|go.sum)$''', +] +stopwords = [ + '''secp256k1''', + '''evmospub1addwnpepqgcxazmq6wgt2j4rdfumsfwla0zfk8e5sws3p3zg5dkm9007hmfysxas0u2''', +] + +[[rules]] +description = "Adafruit API Key" +id = "adafruit-api-key" +regex = '''(?i)(?:adafruit)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "adafruit", +] + +[[rules]] +description = "Adobe Client ID (OAuth Web)" +id = "adobe-client-id" +regex = '''(?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "adobe", +] + +[[rules]] +description = "Adobe Client Secret" +id = "adobe-client-secret" +regex = '''(?i)\b((p8e-)(?i)[a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "p8e-", +] + +[[rules]] +description = "Age secret key" +id = "age secret key" +regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}''' +keywords = [ + "age-secret-key-1", +] + +[[rules]] +description = "Airtable API Key" +id = "airtable-api-key" +regex = '''(?i)(?:airtable)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{17})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "airtable", +] + +[[rules]] +description = "Algolia API Key" +id = "algolia-api-key" +regex = '''(?i)(?:algolia)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "algolia", +] + +[[rules]] +description = "Alibaba AccessKey ID" +id = "alibaba-access-key-id" +regex = '''(?i)\b((LTAI)(?i)[a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "ltai", +] + +[[rules]] +description = "Alibaba Secret Key" +id = "alibaba-secret-key" +regex = '''(?i)(?:alibaba)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "alibaba", +] + +[[rules]] +description = "Asana Client ID" +id = "asana-client-id" +regex = '''(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "asana", +] + +[[rules]] +description = "Asana Client Secret" +id = "asana-client-secret" +regex = '''(?i)(?:asana)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "asana", +] + +[[rules]] +description = "Atlassian API token" +id = "atlassian-api-token" +regex = '''(?i)(?:atlassian|confluence|jira)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "atlassian","confluence","jira", +] + +[[rules]] +description = "AWS" +id = "aws-access-token" +regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' +keywords = [ + 
"akia","agpa","aida","aroa","aipa","anpa","anva","asia", +] + +[[rules]] +description = "Beamer API token" +id = "beamer-api-token" +regex = '''(?i)(?:beamer)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(b_[a-z0-9=_\-]{44})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "beamer", +] + +[[rules]] +description = "Bitbucket Client ID" +id = "bitbucket-client-id" +regex = '''(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "bitbucket", +] + +[[rules]] +description = "Bitbucket Client Secret" +id = "bitbucket-client-secret" +regex = '''(?i)(?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "bitbucket", +] + +[[rules]] +description = "Bittrex Access Key" +id = "bittrex-access-key" +regex = '''(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "bittrex", +] + +[[rules]] +description = "Bittrex Secret Key" +id = "bittrex-secret-key" +regex = '''(?i)(?:bittrex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "bittrex", +] + +[[rules]] +description = "Clojars API token" +id = "clojars-api-token" +regex = '''(?i)(CLOJARS_)[a-z0-9]{60}''' +keywords = [ + "clojars", +] + +[[rules]] +description = "Codecov Access Token" +id = "codecov-access-token" +regex = '''(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "codecov", +] + +[[rules]] +description 
= "Coinbase Access Token" +id = "coinbase-access-token" +regex = '''(?i)(?:coinbase)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "coinbase", +] + +[[rules]] +description = "Confluent Access Token" +id = "confluent-access-token" +regex = '''(?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "confluent", +] + +[[rules]] +description = "Confluent Secret Key" +id = "confluent-secret-key" +regex = '''(?i)(?:confluent)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "confluent", +] + +[[rules]] +description = "Contentful delivery API token" +id = "contentful-delivery-api-token" +regex = '''(?i)(?:contentful)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "contentful", +] + +[[rules]] +description = "Databricks API token" +id = "databricks-api-token" +regex = '''(?i)\b(dapi[a-h0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "dapi", +] + +[[rules]] +description = "Datadog Access Token" +id = "datadog-access-token" +regex = '''(?i)(?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "datadog", +] + +[[rules]] +description = "DigitalOcean OAuth Access Token" +id = "digitalocean-access-token" +regex = '''(?i)\b(doo_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "doo_v1_", +] + +[[rules]] +description = "DigitalOcean Personal Access Token" +id = "digitalocean-pat" +regex = 
'''(?i)\b(dop_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "dop_v1_", +] + +[[rules]] +description = "DigitalOcean OAuth Refresh Token" +id = "digitalocean-refresh-token" +regex = '''(?i)\b(dor_v1_[a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "dor_v1_", +] + +[[rules]] +description = "Discord API key" +id = "discord-api-token" +regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "discord", +] + +[[rules]] +description = "Discord client ID" +id = "discord-client-id" +regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{18})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "discord", +] + +[[rules]] +description = "Discord client secret" +id = "discord-client-secret" +regex = '''(?i)(?:discord)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "discord", +] + +[[rules]] +description = "Doppler API token" +id = "doppler-api-token" +regex = '''(dp\.pt\.)(?i)[a-z0-9]{43}''' +keywords = [ + "doppler", +] + +[[rules]] +description = "Droneci Access Token" +id = "droneci-access-token" +regex = '''(?i)(?:droneci)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "droneci", +] + +[[rules]] +description = "Dropbox API secret" +id = "dropbox-api-token" +regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{15})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "dropbox", +] + +[[rules]] +description = "Dropbox long lived API token" +id = 
"dropbox-long-lived-api-token" +regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{11}(AAAAAAAAAA)[a-z0-9\-_=]{43})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "dropbox", +] + +[[rules]] +description = "Dropbox short lived API token" +id = "dropbox-short-lived-api-token" +regex = '''(?i)(?:dropbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(sl\.[a-z0-9\-=_]{135})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "dropbox", +] + +[[rules]] +description = "Duffel API token" +id = "duffel-api-token" +regex = '''duffel_(test|live)_(?i)[a-z0-9_\-=]{43}''' +keywords = [ + "duffel", +] + +[[rules]] +description = "Dynatrace API token" +id = "dynatrace-api-token" +regex = '''dt0c01\.(?i)[a-z0-9]{24}\.[a-z0-9]{64}''' +keywords = [ + "dynatrace", +] + +[[rules]] +description = "EasyPost API token" +id = "easypost-api-token" +regex = '''EZAK(?i)[a-z0-9]{54}''' +keywords = [ + "ezak", +] + +[[rules]] +description = "EasyPost test API token" +id = "easypost-test-api-token" +regex = '''EZTK(?i)[a-z0-9]{54}''' +keywords = [ + "eztk", +] + +[[rules]] +description = "Etsy Access Token" +id = "etsy-access-token" +regex = '''(?i)(?:etsy)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "etsy", +] + +[[rules]] +description = "Facebook" +id = "facebook" +regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "facebook", +] + +[[rules]] +description = "Fastly API key" +id = "fastly-api-token" +regex = '''(?i)(?:fastly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + 
"fastly", +] + +[[rules]] +description = "Finicity API token" +id = "finicity-api-token" +regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "finicity", +] + +[[rules]] +description = "Finicity Client Secret" +id = "finicity-client-secret" +regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "finicity", +] + +[[rules]] +description = "Finnhub Access Token" +id = "finnhub-access-token" +regex = '''(?i)(?:finnhub)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "finnhub", +] + +[[rules]] +description = "Flickr Access Token" +id = "flickr-access-token" +regex = '''(?i)(?:flickr)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "flickr", +] + +[[rules]] +description = "Flutterwave Encryption Key" +id = "flutterwave-encryption-key" +regex = '''FLWSECK_TEST-(?i)[a-h0-9]{12}''' +keywords = [ + "flwseck_test", +] + +[[rules]] +description = "Finicity Public Key" +id = "flutterwave-public-key" +regex = '''FLWPUBK_TEST-(?i)[a-h0-9]{32}-X''' +keywords = [ + "flwpubk_test", +] + +[[rules]] +description = "Flutterwave Secret Key" +id = "flutterwave-secret-key" +regex = '''FLWSECK_TEST-(?i)[a-h0-9]{32}-X''' +keywords = [ + "flwseck_test", +] + +[[rules]] +description = "Frame.io API token" +id = "frameio-api-token" +regex = '''fio-u-(?i)[a-z0-9\-_=]{64}''' +keywords = [ + "fio-u-", +] + +[[rules]] +description = "Freshbooks Access Token" +id = "freshbooks-access-token" +regex = '''(?i)(?:freshbooks)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "freshbooks", +] + +[[rules]] +description = "GCP API key" +id = "gcp-api-key" +regex = '''(?i)\b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "aiza", +] + +[[rules]] +description = "Generic API Key" +id = "generic-api-key" +regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +entropy = 3.5 +keywords = [ + "key","api","token","secret","client","passwd","password","auth","access", +] +[rules.allowlist] +paths = [ + '''Database.refactorlog''' +] +stopwords= [ + "client", + "endpoint", + "vpn", + "_ec2_", + "aws_", + "authorize", + "author", + "define", + "config", + "credential", + "setting", + "sample", + "xxxxxx", + "000000", + "buffer", + "delete", + "aaaaaa", + "fewfwef", + "getenv", + "env_", + "system", + "example", + "ecdsa", + "sha256", + "sha1", + "sha2", + "md5", + "alert", + "wizard", + "target", + "onboard", + "welcome", + "page", + "exploit", + "experiment", + "expire", + "rabbitmq", + "scraper", + "widget", + "music", + "dns_", + "dns-", + "yahoo", + "want", + "json", + "action", + "script", + "fix_", + "fix-", + "develop", + "compas", + "stripe", + "service", + "master", + "metric", + "tech", + "gitignore", + "rich", + "open", + "stack", + "irc_", + "irc-", + "sublime", + "kohana", + "has_", + "has-", + "fabric", + "wordpres", + "role", + "osx_", + "osx-", + "boost", + "addres", + "queue", + "working", + "sandbox", + "internet", + "print", + "vision", + "tracking", + "being", + "generator", + "traffic", + "world", + "pull", + "rust", + "watcher", + "small", + "auth", + "full", + "hash", + "more", + "install", + "auto", + "complete", + "learn", + "paper", + "installer", + 
"research", + "acces", + "last", + "binding", + "spine", + "into", + "chat", + "algorithm", + "resource", + "uploader", + "video", + "maker", + "next", + "proc", + "lock", + "robot", + "snake", + "patch", + "matrix", + "drill", + "terminal", + "term", + "stuff", + "genetic", + "generic", + "identity", + "audit", + "pattern", + "audio", + "web_", + "web-", + "crud", + "problem", + "statu", + "cms-", + "cms_", + "arch", + "coffee", + "workflow", + "changelog", + "another", + "uiview", + "content", + "kitchen", + "gnu_", + "gnu-", + "gnu.", + "conf", + "couchdb", + "client", + "opencv", + "rendering", + "update", + "concept", + "varnish", + "gui_", + "gui-", + "gui.", + "version", + "shared", + "extra", + "product", + "still", + "not_", + "not-", + "not.", + "drop", + "ring", + "png_", + "png-", + "png.", + "actively", + "import", + "output", + "backup", + "start", + "embedded", + "registry", + "pool", + "semantic", + "instagram", + "bash", + "system", + "ninja", + "drupal", + "jquery", + "polyfill", + "physic", + "league", + "guide", + "pack", + "synopsi", + "sketch", + "injection", + "svg_", + "svg-", + "svg.", + "friendly", + "wave", + "convert", + "manage", + "camera", + "link", + "slide", + "timer", + "wrapper", + "gallery", + "url_", + "url-", + "url.", + "todomvc", + "requirej", + "party", + "http", + "payment", + "async", + "library", + "home", + "coco", + "gaia", + "display", + "universal", + "func", + "metadata", + "hipchat", + "under", + "room", + "config", + "personal", + "realtime", + "resume", + "database", + "testing", + "tiny", + "basic", + "forum", + "meetup", + "yet_", + "yet-", + "yet.", + "cento", + "dead", + "fluentd", + "editor", + "utilitie", + "run_", + "run-", + "run.", + "box_", + "box-", + "box.", + "bot_", + "bot-", + "bot.", + "making", + "sample", + "group", + "monitor", + "ajax", + "parallel", + "cassandra", + "ultimate", + "site", + "get_", + "get-", + "get.", + "gen_", + "gen-", + "gen.", + "gem_", + "gem-", + "gem.", + "extended", + 
"image", + "knife", + "asset", + "nested", + "zero", + "plugin", + "bracket", + "mule", + "mozilla", + "number", + "act_", + "act-", + "act.", + "map_", + "map-", + "map.", + "micro", + "debug", + "openshift", + "chart", + "expres", + "backend", + "task", + "source", + "translate", + "jbos", + "composer", + "sqlite", + "profile", + "mustache", + "mqtt", + "yeoman", + "have", + "builder", + "smart", + "like", + "oauth", + "school", + "guideline", + "captcha", + "filter", + "bitcoin", + "bridge", + "color", + "toolbox", + "discovery", + "new_", + "new-", + "new.", + "dashboard", + "when", + "setting", + "level", + "post", + "standard", + "port", + "platform", + "yui_", + "yui-", + "yui.", + "grunt", + "animation", + "haskell", + "icon", + "latex", + "cheat", + "lua_", + "lua-", + "lua.", + "gulp", + "case", + "author", + "without", + "simulator", + "wifi", + "directory", + "lisp", + "list", + "flat", + "adventure", + "story", + "storm", + "gpu_", + "gpu-", + "gpu.", + "store", + "caching", + "attention", + "solr", + "logger", + "demo", + "shortener", + "hadoop", + "finder", + "phone", + "pipeline", + "range", + "textmate", + "showcase", + "app_", + "app-", + "app.", + "idiomatic", + "edit", + "our_", + "our-", + "our.", + "out_", + "out-", + "out.", + "sentiment", + "linked", + "why_", + "why-", + "why.", + "local", + "cube", + "gmail", + "job_", + "job-", + "job.", + "rpc_", + "rpc-", + "rpc.", + "contest", + "tcp_", + "tcp-", + "tcp.", + "usage", + "buildout", + "weather", + "transfer", + "automated", + "sphinx", + "issue", + "sas_", + "sas-", + "sas.", + "parallax", + "jasmine", + "addon", + "machine", + "solution", + "dsl_", + "dsl-", + "dsl.", + "episode", + "menu", + "theme", + "best", + "adapter", + "debugger", + "chrome", + "tutorial", + "life", + "step", + "people", + "joomla", + "paypal", + "developer", + "solver", + "team", + "current", + "love", + "visual", + "date", + "data", + "canva", + "container", + "future", + "xml_", + "xml-", + "xml.", + "twig", + 
"nagio", + "spatial", + "original", + "sync", + "archived", + "refinery", + "science", + "mapping", + "gitlab", + "play", + "ext_", + "ext-", + "ext.", + "session", + "impact", + "set_", + "set-", + "set.", + "see_", + "see-", + "see.", + "migration", + "commit", + "community", + "shopify", + "what'", + "cucumber", + "statamic", + "mysql", + "location", + "tower", + "line", + "code", + "amqp", + "hello", + "send", + "index", + "high", + "notebook", + "alloy", + "python", + "field", + "document", + "soap", + "edition", + "email", + "php_", + "php-", + "php.", + "command", + "transport", + "official", + "upload", + "study", + "secure", + "angularj", + "akka", + "scalable", + "package", + "request", + "con_", + "con-", + "con.", + "flexible", + "security", + "comment", + "module", + "flask", + "graph", + "flash", + "apache", + "change", + "window", + "space", + "lambda", + "sheet", + "bookmark", + "carousel", + "friend", + "objective", + "jekyll", + "bootstrap", + "first", + "article", + "gwt_", + "gwt-", + "gwt.", + "classic", + "media", + "websocket", + "touch", + "desktop", + "real", + "read", + "recorder", + "moved", + "storage", + "validator", + "add-on", + "pusher", + "scs_", + "scs-", + "scs.", + "inline", + "asp_", + "asp-", + "asp.", + "timeline", + "base", + "encoding", + "ffmpeg", + "kindle", + "tinymce", + "pretty", + "jpa_", + "jpa-", + "jpa.", + "used", + "user", + "required", + "webhook", + "download", + "resque", + "espresso", + "cloud", + "mongo", + "benchmark", + "pure", + "cakephp", + "modx", + "mode", + "reactive", + "fuel", + "written", + "flickr", + "mail", + "brunch", + "meteor", + "dynamic", + "neo_", + "neo-", + "neo.", + "new_", + "new-", + "new.", + "net_", + "net-", + "net.", + "typo", + "type", + "keyboard", + "erlang", + "adobe", + "logging", + "ckeditor", + "message", + "iso_", + "iso-", + "iso.", + "hook", + "ldap", + "folder", + "reference", + "railscast", + "www_", + "www-", + "www.", + "tracker", + "azure", + "fork", + "form", + 
"digital", + "exporter", + "skin", + "string", + "template", + "designer", + "gollum", + "fluent", + "entity", + "language", + "alfred", + "summary", + "wiki", + "kernel", + "calendar", + "plupload", + "symfony", + "foundry", + "remote", + "talk", + "search", + "dev_", + "dev-", + "dev.", + "del_", + "del-", + "del.", + "token", + "idea", + "sencha", + "selector", + "interface", + "create", + "fun_", + "fun-", + "fun.", + "groovy", + "query", + "grail", + "red_", + "red-", + "red.", + "laravel", + "monkey", + "slack", + "supported", + "instant", + "value", + "center", + "latest", + "work", + "but_", + "but-", + "but.", + "bug_", + "bug-", + "bug.", + "virtual", + "tweet", + "statsd", + "studio", + "path", + "real-time", + "frontend", + "notifier", + "coding", + "tool", + "firmware", + "flow", + "random", + "mediawiki", + "bosh", + "been", + "beer", + "lightbox", + "theory", + "origin", + "redmine", + "hub_", + "hub-", + "hub.", + "require", + "pro_", + "pro-", + "pro.", + "ant_", + "ant-", + "ant.", + "any_", + "any-", + "any.", + "recipe", + "closure", + "mapper", + "event", + "todo", + "model", + "redi", + "provider", + "rvm_", + "rvm-", + "rvm.", + "program", + "memcached", + "rail", + "silex", + "foreman", + "activity", + "license", + "strategy", + "batch", + "streaming", + "fast", + "use_", + "use-", + "use.", + "usb_", + "usb-", + "usb.", + "impres", + "academy", + "slider", + "please", + "layer", + "cros", + "now_", + "now-", + "now.", + "miner", + "extension", + "own_", + "own-", + "own.", + "app_", + "app-", + "app.", + "debian", + "symphony", + "example", + "feature", + "serie", + "tree", + "project", + "runner", + "entry", + "leetcode", + "layout", + "webrtc", + "logic", + "login", + "worker", + "toolkit", + "mocha", + "support", + "back", + "inside", + "device", + "jenkin", + "contact", + "fake", + "awesome", + "ocaml", + "bit_", + "bit-", + "bit.", + "drive", + "screen", + "prototype", + "gist", + "binary", + "nosql", + "rest", + "overview", + "dart", 
+ "dark", + "emac", + "mongoid", + "solarized", + "homepage", + "emulator", + "commander", + "django", + "yandex", + "gradle", + "xcode", + "writer", + "crm_", + "crm-", + "crm.", + "jade", + "startup", + "error", + "using", + "format", + "name", + "spring", + "parser", + "scratch", + "magic", + "try_", + "try-", + "try.", + "rack", + "directive", + "challenge", + "slim", + "counter", + "element", + "chosen", + "doc_", + "doc-", + "doc.", + "meta", + "should", + "button", + "packet", + "stream", + "hardware", + "android", + "infinite", + "password", + "software", + "ghost", + "xamarin", + "spec", + "chef", + "interview", + "hubot", + "mvc_", + "mvc-", + "mvc.", + "exercise", + "leaflet", + "launcher", + "air_", + "air-", + "air.", + "photo", + "board", + "boxen", + "way_", + "way-", + "way.", + "computing", + "welcome", + "notepad", + "portfolio", + "cat_", + "cat-", + "cat.", + "can_", + "can-", + "can.", + "magento", + "yaml", + "domain", + "card", + "yii_", + "yii-", + "yii.", + "checker", + "browser", + "upgrade", + "only", + "progres", + "aura", + "ruby_", + "ruby-", + "ruby.", + "polymer", + "util", + "lite", + "hackathon", + "rule", + "log_", + "log-", + "log.", + "opengl", + "stanford", + "skeleton", + "history", + "inspector", + "help", + "soon", + "selenium", + "lab_", + "lab-", + "lab.", + "scheme", + "schema", + "look", + "ready", + "leveldb", + "docker", + "game", + "minimal", + "logstash", + "messaging", + "within", + "heroku", + "mongodb", + "kata", + "suite", + "picker", + "win_", + "win-", + "win.", + "wip_", + "wip-", + "wip.", + "panel", + "started", + "starter", + "front-end", + "detector", + "deploy", + "editing", + "based", + "admin", + "capture", + "spree", + "page", + "bundle", + "goal", + "rpg_", + "rpg-", + "rpg.", + "setup", + "side", + "mean", + "reader", + "cookbook", + "mini", + "modern", + "seed", + "dom_", + "dom-", + "dom.", + "doc_", + "doc-", + "doc.", + "dot_", + "dot-", + "dot.", + "syntax", + "sugar", + "loader", + "website", + 
"make", + "kit_", + "kit-", + "kit.", + "protocol", + "human", + "daemon", + "golang", + "manager", + "countdown", + "connector", + "swagger", + "map_", + "map-", + "map.", + "mac_", + "mac-", + "mac.", + "man_", + "man-", + "man.", + "orm_", + "orm-", + "orm.", + "org_", + "org-", + "org.", + "little", + "zsh_", + "zsh-", + "zsh.", + "shop", + "show", + "workshop", + "money", + "grid", + "server", + "octopres", + "svn_", + "svn-", + "svn.", + "ember", + "embed", + "general", + "file", + "important", + "dropbox", + "portable", + "public", + "docpad", + "fish", + "sbt_", + "sbt-", + "sbt.", + "done", + "para", + "network", + "common", + "readme", + "popup", + "simple", + "purpose", + "mirror", + "single", + "cordova", + "exchange", + "object", + "design", + "gateway", + "account", + "lamp", + "intellij", + "math", + "mit_", + "mit-", + "mit.", + "control", + "enhanced", + "emitter", + "multi", + "add_", + "add-", + "add.", + "about", + "socket", + "preview", + "vagrant", + "cli_", + "cli-", + "cli.", + "powerful", + "top_", + "top-", + "top.", + "radio", + "watch", + "fluid", + "amazon", + "report", + "couchbase", + "automatic", + "detection", + "sprite", + "pyramid", + "portal", + "advanced", + "plu_", + "plu-", + "plu.", + "runtime", + "git_", + "git-", + "git.", + "uri_", + "uri-", + "uri.", + "haml", + "node", + "sql_", + "sql-", + "sql.", + "cool", + "core", + "obsolete", + "handler", + "iphone", + "extractor", + "array", + "copy", + "nlp_", + "nlp-", + "nlp.", + "reveal", + "pop_", + "pop-", + "pop.", + "engine", + "parse", + "check", + "html", + "nest", + "all_", + "all-", + "all.", + "chinese", + "buildpack", + "what", + "tag_", + "tag-", + "tag.", + "proxy", + "style", + "cookie", + "feed", + "restful", + "compiler", + "creating", + "prelude", + "context", + "java", + "rspec", + "mock", + "backbone", + "light", + "spotify", + "flex", + "related", + "shell", + "which", + "clas", + "webapp", + "swift", + "ansible", + "unity", + "console", + "tumblr", + 
"export", + "campfire", + "conway'", + "made", + "riak", + "hero", + "here", + "unix", + "unit", + "glas", + "smtp", + "how_", + "how-", + "how.", + "hot_", + "hot-", + "hot.", + "debug", + "release", + "diff", + "player", + "easy", + "right", + "old_", + "old-", + "old.", + "animate", + "time", + "push", + "explorer", + "course", + "training", + "nette", + "router", + "draft", + "structure", + "note", + "salt", + "where", + "spark", + "trello", + "power", + "method", + "social", + "via_", + "via-", + "via.", + "vim_", + "vim-", + "vim.", + "select", + "webkit", + "github", + "ftp_", + "ftp-", + "ftp.", + "creator", + "mongoose", + "led_", + "led-", + "led.", + "movie", + "currently", + "pdf_", + "pdf-", + "pdf.", + "load", + "markdown", + "phalcon", + "input", + "custom", + "atom", + "oracle", + "phonegap", + "ubuntu", + "great", + "rdf_", + "rdf-", + "rdf.", + "popcorn", + "firefox", + "zip_", + "zip-", + "zip.", + "cuda", + "dotfile", + "static", + "openwrt", + "viewer", + "powered", + "graphic", + "les_", + "les-", + "les.", + "doe_", + "doe-", + "doe.", + "maven", + "word", + "eclipse", + "lab_", + "lab-", + "lab.", + "hacking", + "steam", + "analytic", + "option", + "abstract", + "archive", + "reality", + "switcher", + "club", + "write", + "kafka", + "arduino", + "angular", + "online", + "title", + "don't", + "contao", + "notice", + "analyzer", + "learning", + "zend", + "external", + "staging", + "busines", + "tdd_", + "tdd-", + "tdd.", + "scanner", + "building", + "snippet", + "modular", + "bower", + "stm_", + "stm-", + "stm.", + "lib_", + "lib-", + "lib.", + "alpha", + "mobile", + "clean", + "linux", + "nginx", + "manifest", + "some", + "raspberry", + "gnome", + "ide_", + "ide-", + "ide.", + "block", + "statistic", + "info", + "drag", + "youtube", + "koan", + "facebook", + "paperclip", + "art_", + "art-", + "art.", + "quality", + "tab_", + "tab-", + "tab.", + "need", + "dojo", + "shield", + "computer", + "stat", + "state", + "twitter", + "utility", + 
"converter", + "hosting", + "devise", + "liferay", + "updated", + "force", + "tip_", + "tip-", + "tip.", + "behavior", + "active", + "call", + "answer", + "deck", + "better", + "principle", + "ches", + "bar_", + "bar-", + "bar.", + "reddit", + "three", + "haxe", + "just", + "plug-in", + "agile", + "manual", + "tetri", + "super", + "beta", + "parsing", + "doctrine", + "minecraft", + "useful", + "perl", + "sharing", + "agent", + "switch", + "view", + "dash", + "channel", + "repo", + "pebble", + "profiler", + "warning", + "cluster", + "running", + "markup", + "evented", + "mod_", + "mod-", + "mod.", + "share", + "csv_", + "csv-", + "csv.", + "response", + "good", + "house", + "connect", + "built", + "build", + "find", + "ipython", + "webgl", + "big_", + "big-", + "big.", + "google", + "scala", + "sdl_", + "sdl-", + "sdl.", + "sdk_", + "sdk-", + "sdk.", + "native", + "day_", + "day-", + "day.", + "puppet", + "text", + "routing", + "helper", + "linkedin", + "crawler", + "host", + "guard", + "merchant", + "poker", + "over", + "writing", + "free", + "classe", + "component", + "craft", + "nodej", + "phoenix", + "longer", + "quick", + "lazy", + "memory", + "clone", + "hacker", + "middleman", + "factory", + "motion", + "multiple", + "tornado", + "hack", + "ssh_", + "ssh-", + "ssh.", + "review", + "vimrc", + "driver", + "driven", + "blog", + "particle", + "table", + "intro", + "importer", + "thrift", + "xmpp", + "framework", + "refresh", + "react", + "font", + "librarie", + "variou", + "formatter", + "analysi", + "karma", + "scroll", + "tut_", + "tut-", + "tut.", + "apple", + "tag_", + "tag-", + "tag.", + "tab_", + "tab-", + "tab.", + "category", + "ionic", + "cache", + "homebrew", + "reverse", + "english", + "getting", + "shipping", + "clojure", + "boot", + "book", + "branch", + "combination", + "combo", +] +[[rules]] +description = "GitHub App Token" +id = "github-app-token" +regex = '''(ghu|ghs)_[0-9a-zA-Z]{36}''' +keywords = [ + "ghu_","ghs_", +] + +[[rules]] +description 
= "GitHub Fine-Grained Personal Access Token" +id = "github-fine-grained-pat" +regex = '''github_pat_[0-9a-zA-Z_]{82}''' +keywords = [ + "github_pat_", +] + +[[rules]] +description = "GitHub OAuth Access Token" +id = "github-oauth" +regex = '''gho_[0-9a-zA-Z]{36}''' +keywords = [ + "gho_", +] + +[[rules]] +description = "GitHub Personal Access Token" +id = "github-pat" +regex = '''ghp_[0-9a-zA-Z]{36}''' +keywords = [ + "ghp_", +] + +[[rules]] +description = "GitHub Refresh Token" +id = "github-refresh-token" +regex = '''ghr_[0-9a-zA-Z]{36}''' +keywords = [ + "ghr_", +] + +[[rules]] +description = "GitLab Personal Access Token" +id = "gitlab-pat" +regex = '''glpat-[0-9a-zA-Z\-\_]{20}''' +keywords = [ + "glpat-", +] + +[[rules]] +description = "Gitter Access Token" +id = "gitter-access-token" +regex = '''(?i)(?:gitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "gitter", +] + +[[rules]] +description = "GoCardless API token" +id = "gocardless-api-token" +regex = '''(?i)(?:gocardless)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(live_(?i)[a-z0-9\-_=]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "live_","gocardless", +] + +[[rules]] +description = "Grafana api key (or Grafana cloud api key)" +id = "grafana-api-key" +regex = '''(?i)\b(eyJrIjoi[A-Za-z0-9]{70,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "eyjrijoi", +] + +[[rules]] +description = "Grafana cloud api token" +id = "grafana-cloud-api-token" +regex = '''(?i)\b(glc_[A-Za-z0-9+/]{32,400}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "glc_", +] + +[[rules]] +description = "Grafana service account token" +id = "grafana-service-account-token" +regex = '''(?i)\b(glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + 
"glsa_", +] + +[[rules]] +description = "HashiCorp Terraform user/org API token" +id = "hashicorp-tf-api-token" +regex = '''(?i)[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}''' +keywords = [ + "atlasv1", +] + +[[rules]] +description = "Heroku API Key" +id = "heroku-api-key" +regex = '''(?i)(?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "heroku", +] + +[[rules]] +description = "HubSpot API Token" +id = "hubspot-api-key" +regex = '''(?i)(?:hubspot)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "hubspot", +] + +[[rules]] +description = "Intercom API Token" +id = "intercom-api-key" +regex = '''(?i)(?:intercom)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{60})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "intercom", +] + +[[rules]] +description = "JSON Web Token" +id = "jwt" +regex = '''(?i)\b(ey[0-9a-z]{30,34}\.ey[0-9a-z-\/_]{30,500}\.[0-9a-zA-Z-\/_]{10,200}={0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "ey", +] + +[[rules]] +description = "Kraken Access Token" +id = "kraken-access-token" +regex = '''(?i)(?:kraken)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9\/=_\+\-]{80,90})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "kraken", +] + +[[rules]] +description = "Kucoin Access Token" +id = "kucoin-access-token" +regex = '''(?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "kucoin", +] + +[[rules]] +description = "Kucoin Secret 
Key" +id = "kucoin-secret-key" +regex = '''(?i)(?:kucoin)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "kucoin", +] + +[[rules]] +description = "Launchdarkly Access Token" +id = "launchdarkly-access-token" +regex = '''(?i)(?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "launchdarkly", +] + +[[rules]] +description = "Linear API Token" +id = "linear-api-key" +regex = '''lin_api_(?i)[a-z0-9]{40}''' +keywords = [ + "lin_api_", +] + +[[rules]] +description = "Linear Client Secret" +id = "linear-client-secret" +regex = '''(?i)(?:linear)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "linear", +] + +[[rules]] +description = "LinkedIn Client ID" +id = "linkedin-client-id" +regex = '''(?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "linkedin","linked-in", +] + +[[rules]] +description = "LinkedIn Client secret" +id = "linkedin-client-secret" +regex = '''(?i)(?:linkedin|linked-in)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "linkedin","linked-in", +] + +[[rules]] +description = "Lob API Key" +id = "lob-api-key" +regex = '''(?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}((live|test)_[a-f0-9]{35})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "test_","live_", +] + +[[rules]] +description = 
"Lob Publishable API Key" +id = "lob-pub-api-key" +regex = '''(?i)(?:lob)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}((test|live)_pub_[a-f0-9]{31})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "test_pub","live_pub","_pub", +] + +[[rules]] +description = "Mailchimp API key" +id = "mailchimp-api-key" +regex = '''(?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "mailchimp", +] + +[[rules]] +description = "Mailgun private API token" +id = "mailgun-private-api-token" +regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(key-[a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "mailgun", +] + +[[rules]] +description = "Mailgun public validation key" +id = "mailgun-pub-key" +regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(pubkey-[a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "mailgun", +] + +[[rules]] +description = "Mailgun webhook signing key" +id = "mailgun-signing-key" +regex = '''(?i)(?:mailgun)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-h0-9]{32}-[a-h0-9]{8}-[a-h0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "mailgun", +] + +[[rules]] +description = "MapBox API token" +id = "mapbox-api-token" +regex = '''(?i)(?:mapbox)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(pk\.[a-z0-9]{60}\.[a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "mapbox", +] + +[[rules]] +description = "Mattermost Access Token" +id = "mattermost-access-token" +regex = '''(?i)(?:mattermost)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{26})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "mattermost", +] + +[[rules]] +description = "MessageBird API token" +id = "messagebird-api-token" +regex = '''(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{25})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "messagebird","message-bird","message_bird", +] + +[[rules]] +description = "MessageBird client ID" +id = "messagebird-client-id" +regex = '''(?i)(?:messagebird|message-bird|message_bird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "messagebird","message-bird","message_bird", +] + +[[rules]] +description = "Microsoft Teams Webhook" +id = "microsoft-teams-webhook" +regex = '''https:\/\/[a-z0-9]+\.webhook\.office\.com\/webhookb2\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}@[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}\/IncomingWebhook\/[a-z0-9]{32}\/[a-z0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}''' +keywords = [ + "webhook.office.com","webhookb2","incomingwebhook", +] + +[[rules]] +description = "Netlify Access Token" +id = "netlify-access-token" +regex = '''(?i)(?:netlify)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40,46})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "netlify", +] + +[[rules]] +description = "New Relic ingest browser API token" +id = "new-relic-browser-api-token" +regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "nrjs-", +] + +[[rules]] +description = "New 
Relic user API ID" +id = "new-relic-user-api-id" +regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "new-relic","newrelic","new_relic", +] + +[[rules]] +description = "New Relic user API Key" +id = "new-relic-user-api-key" +regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "nrak", +] + +[[rules]] +description = "npm access token" +id = "npm-access-token" +regex = '''(?i)\b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "npm_", +] + +[[rules]] +description = "Nytimes Access Token" +id = "nytimes-access-token" +regex = '''(?i)(?:nytimes|new-york-times,|newyorktimes)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "nytimes","new-york-times","newyorktimes", +] + +[[rules]] +description = "Okta Access Token" +id = "okta-access-token" +regex = '''(?i)(?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "okta", +] + +[[rules]] +description = "Plaid API Token" +id = "plaid-api-token" +regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(access-(?:sandbox|development|production)-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "plaid", +] + +[[rules]] +description = "Plaid Client ID" +id = "plaid-client-id" +regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{24})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "plaid", +] + +[[rules]] +description = "Plaid Secret key" +id = "plaid-secret-key" +regex = '''(?i)(?:plaid)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "plaid", +] + +[[rules]] +description = "PlanetScale API token" +id = "planetscale-api-token" +regex = '''(?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "pscale_tkn_", +] + +[[rules]] +description = "PlanetScale OAuth token" +id = "planetscale-oauth-token" +regex = '''(?i)\b(pscale_oauth_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "pscale_oauth_", +] + +[[rules]] +description = "PlanetScale password" +id = "planetscale-password" +regex = '''(?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "pscale_pw_", +] + +[[rules]] +description = "Postman API token" +id = "postman-api-token" +regex = '''(?i)\b(PMAK-(?i)[a-f0-9]{24}\-[a-f0-9]{34})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "pmak-", +] + +[[rules]] +description = "Prefect API token" +id = "prefect-api-token" +regex = '''(?i)\b(pnu_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "pnu_", +] + +[[rules]] +description = "Private Key" +id = "private-key" +regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY----''' +keywords = [ + "-----begin", +] + +[[rules]] +description = "Pulumi API token" +id = "pulumi-api-token" +regex = '''(?i)\b(pul-[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "pul-", +] + +[[rules]] +description = "PyPI upload token" +id = "pypi-upload-token" +regex = 
'''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}''' +keywords = [ + "pypi-ageichlwas5vcmc", +] + +[[rules]] +description = "RapidAPI Access Token" +id = "rapidapi-access-token" +regex = '''(?i)(?:rapidapi)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{50})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "rapidapi", +] + +[[rules]] +description = "Readme API token" +id = "readme-api-token" +regex = '''(?i)\b(rdme_[a-z0-9]{70})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "rdme_", +] + +[[rules]] +description = "Rubygem API token" +id = "rubygems-api-token" +regex = '''(?i)\b(rubygems_[a-f0-9]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "rubygems_", +] + +[[rules]] +description = "Sendbird Access ID" +id = "sendbird-access-id" +regex = '''(?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "sendbird", +] + +[[rules]] +description = "Sendbird Access Token" +id = "sendbird-access-token" +regex = '''(?i)(?:sendbird)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "sendbird", +] + +[[rules]] +description = "SendGrid API token" +id = "sendgrid-api-token" +regex = '''(?i)\b(SG\.(?i)[a-z0-9=_\-\.]{66})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "sg.", +] + +[[rules]] +description = "Sendinblue API token" +id = "sendinblue-api-token" +regex = '''(?i)\b(xkeysib-[a-f0-9]{64}\-(?i)[a-z0-9]{16})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "xkeysib-", +] + +[[rules]] +description = "Sentry Access Token" +id = "sentry-access-token" +regex = '''(?i)(?:sentry)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "sentry", +] + +[[rules]] +description = "Shippo API token" +id = "shippo-api-token" +regex = '''(?i)\b(shippo_(live|test)_[a-f0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "shippo_", +] + +[[rules]] +description = "Shopify access token" +id = "shopify-access-token" +regex = '''shpat_[a-fA-F0-9]{32}''' +keywords = [ + "shpat_", +] + +[[rules]] +description = "Shopify custom access token" +id = "shopify-custom-access-token" +regex = '''shpca_[a-fA-F0-9]{32}''' +keywords = [ + "shpca_", +] + +[[rules]] +description = "Shopify private app access token" +id = "shopify-private-app-access-token" +regex = '''shppa_[a-fA-F0-9]{32}''' +keywords = [ + "shppa_", +] + +[[rules]] +description = "Shopify shared secret" +id = "shopify-shared-secret" +regex = '''shpss_[a-fA-F0-9]{32}''' +keywords = [ + "shpss_", +] + +[[rules]] +description = "Sidekiq Secret" +id = "sidekiq-secret" +regex = '''(?i)(?:BUNDLE_ENTERPRISE__CONTRIBSYS__COM|BUNDLE_GEMS__CONTRIBSYS__COM)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{8}:[a-f0-9]{8})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "bundle_enterprise__contribsys__com","bundle_gems__contribsys__com", +] + +[[rules]] +description = "Sidekiq Sensitive URL" +id = "sidekiq-sensitive-url" +regex = '''(?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)''' +secretGroup = 2 +keywords = [ + "gems.contribsys.com","enterprise.contribsys.com", +] + +[[rules]] +description = "Slack token" +id = "slack-access-token" +regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})''' +keywords = [ + "xoxb","xoxa","xoxp","xoxr","xoxs", +] + +[[rules]] +description = "Slack Webhook" +id = "slack-web-hook" +regex = 
'''https:\/\/hooks.slack.com\/(services|workflows)\/[A-Za-z0-9+\/]{44,46}''' +keywords = [ + "hooks.slack.com", +] + +[[rules]] +description = "Square Access Token" +id = "square-access-token" +regex = '''(?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "sq0atp-", +] + +[[rules]] +description = "Squarespace Access Token" +id = "squarespace-access-token" +regex = '''(?i)(?:squarespace)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "squarespace", +] + +[[rules]] +description = "Stripe" +id = "stripe-access-token" +regex = '''(?i)(sk|pk)_(test|live)_[0-9a-z]{10,32}''' +keywords = [ + "sk_test","pk_test","sk_live","pk_live", +] + +[[rules]] +description = "SumoLogic Access ID" +id = "sumologic-access-id" +regex = '''(?i)(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "sumo", +] + +[[rules]] +description = "SumoLogic Access Token" +id = "sumologic-access-token" +regex = '''(?i)(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "sumo", +] + +[[rules]] +description = "Telegram Bot API Token" +id = "telegram-bot-api-token" +regex = '''(?i)(?:^|[^0-9])([0-9]{5,16}:A[a-zA-Z0-9_\-]{34})(?:$|[^a-zA-Z0-9_\-])''' +secretGroup = 1 +keywords = [ + "telegram","api","bot","token","url", +] + +[[rules]] +description = "Travis CI Access Token" +id = "travisci-access-token" +regex = '''(?i)(?:travis)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "travis", +] + +[[rules]] +description = "Twilio API Key" 
+id = "twilio-api-key" +regex = '''SK[0-9a-fA-F]{32}''' +keywords = [ + "twilio", +] + +[[rules]] +description = "Twitch API token" +id = "twitch-api-token" +regex = '''(?i)(?:twitch)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{30})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "twitch", +] + +[[rules]] +description = "Twitter Access Secret" +id = "twitter-access-secret" +regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{45})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "twitter", +] + +[[rules]] +description = "Twitter Access Token" +id = "twitter-access-token" +regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9]{15,25}-[a-zA-Z0-9]{20,40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "twitter", +] + +[[rules]] +description = "Twitter API Key" +id = "twitter-api-key" +regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{25})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "twitter", +] + +[[rules]] +description = "Twitter API Secret" +id = "twitter-api-secret" +regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{50})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "twitter", +] + +[[rules]] +description = "Twitter Bearer Token" +id = "twitter-bearer-token" +regex = '''(?i)(?:twitter)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(A{22}[a-zA-Z0-9%]{80,100})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "twitter", +] + +[[rules]] +description = "Typeform API token" +id = "typeform-api-token" +regex = '''(?i)(?:typeform)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(tfp_[a-z0-9\-_\.=]{59})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "tfp_", +] + +[[rules]] +description = "Vault Batch Token" +id = "vault-batch-token" +regex = '''(?i)\b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "hvb", +] + +[[rules]] +description = "Vault Service Token" +id = "vault-service-token" +regex = '''(?i)\b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "hvs", +] + +[[rules]] +description = "Yandex Access Token" +id = "yandex-access-token" +regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "yandex", +] + +[[rules]] +description = "Yandex API Key" +id = "yandex-api-key" +regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(AQVN[A-Za-z0-9_\-]{35,38})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "yandex", +] + +[[rules]] +description = "Yandex AWS Access Token" +id = "yandex-aws-access-token" +regex = '''(?i)(?:yandex)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(YC[a-zA-Z0-9_\-]{38})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "yandex", +] + +[[rules]] +description = "Zendesk Secret Key" +id = "zendesk-secret-key" +regex = '''(?i)(?:zendesk)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + "zendesk", +] \ No newline at end of file diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..1d9b0d39 --- /dev/null +++ b/.golangci.yml 
@@ -0,0 +1,63 @@
+run:
+ tests: true
+ timeout: 5m
+ concurrency: 4
+ go: '1.22'
+
+issues:
+ exclude-dirs:
+ - x/evm/core
+
+linters:
+ enable:
+ - dogsled
+ - dupl
+ - errcheck
+ - goconst
+ - gocritic
+ - gofumpt
+ - revive
+ - gosec
+ - gosimple
+ - govet
+ - ineffassign
+ # - lll TODO: enable
+ - misspell
+ - nakedret
+ - prealloc
+ - exportloopref
+ - staticcheck
+ - stylecheck
+ - typecheck
+ - unconvert
+ - unparam
+ - unused
+ - nolintlint
+ - asciicheck
+ - exportloopref
+ - gofumpt
+ - gomodguard
+
+linters-settings:
+ dogsled:
+ max-blank-identifiers: 3
+ golint:
+ min-confidence: 0
+ maligned:
+ suggest-new: true
+ misspell:
+ locale: US
+ nolintlint:
+ allow-unused: false
+ allow-leading-space: true
+ require-explanation: false
+ require-specific: false
+ gomodguard:
+ blocked:
+ versions: # List of blocked module version constraints
+ - https://github.com/etcd-io/etcd: # Blocked module with version constraint
+ version: ">= 3.4.10 || ~3.3.23" # Version constraint, see https://github.com/Masterminds/semver#basic-comparisons
+ reason: "CVE-2020-15114; CVE-2020-15136; CVE-2020-15115" # Reason why the version constraint exists. (Optional)
+ - https://github.com/dgrijalva/jwt-go: # Blocked module with version constraint
+ version: ">= 4.0.0-preview1" # Version constraint, see https://github.com/Masterminds/semver#basic-comparisons
+ reason: "CVE-2020-26160" # Reason why the version constraint exists. (Optional)
diff --git a/.markdownlint.yml b/.markdownlint.yml
new file mode 100644
index 00000000..eef72035
--- /dev/null
+++ b/.markdownlint.yml
@@ -0,0 +1,24 @@
+"default": true
+"MD001": false
+"MD004": false
+"MD007":
+ "indent": 4
+"MD024":
+ "siblings_only": true
+"MD025": false
+"MD026":
+ "punctuation": ".;:"
+"MD029": false
+"MD033": false
+"MD034": false
+"MD036": false
+"MD040": false
+"MD041": false
+"MD051": false
+"MD049":
+ "style": "asterisk"
+"MD013":
+ "line_length": 120
+ "code_blocks": false
+ "tables": false
+"no-hard-tabs": false
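Review bot: The `gomodguard.blocked.versions` constraints at the end of the hunk appear inverted: CVE-2020-15114/15115/15136 were fixed in etcd 3.3.23 and 3.4.10 and CVE-2020-26160 in jwt-go 4.0.0-preview1, yet `version: ">= 3.4.10 || ~3.3.23"` and `version: ">= 4.0.0-preview1"` match exactly those patched releases, so (going by the "Blocked module with version constraint" comment beside them) the fixed versions are blocked and the affected older ones pass. The keys are also written as URLs (`https://github.com/etcd-io/etcd`, `https://github.com/dgrijalva/jwt-go`) rather than Go module paths, so I doubt either entry ever matches an import; for the archived jwt-go the cleaner fix is a `blocked.modules` entry for `github.com/dgrijalva/jwt-go` with `recommendations: [github.com/golang-jwt/jwt/v5]`, and for etcd a constraint naming the affected range (`< 3.3.23 || >= 3.4.0, < 3.4.10`) under the module path actually imported (`go.etcd.io/etcd` for the 3.4 line). In `linters.enable`, `exportloopref` and `gofumpt` are each listed twice, and the `golint`/`maligned` sections under `linters-settings` configure linters that are not enabled anywhere in the file. `issues.exclude-dirs: - x/evm/core` removes the forked EVM code from `gosec` and every other linter here, and `.semgrepignore` later in this commit excludes the same directory, so local modifications to that fork get no static analysis at all; either narrow the exclusion to unmodified upstream files or record that trade-off in a comment next to it.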
diff --git a/.mergify.yml b/.mergify.yml
new file mode 100644
index 00000000..40847617
--- /dev/null
+++ b/.mergify.yml
@@ -0,0 +1,50 @@
+queue_rules:
+ - name: default
+ conditions:
+ - "#approved-reviews-by>1"
+
+pull_request_rules:
+ - name: automerge to main with label "automerge" and branch protection passing
+ conditions:
+ - "#approved-reviews-by>1"
+ - base=main
+ - label=automerge
+ actions:
+ queue:
+ name: default
+ method: squash
+ commit_message_template: |
+ {{ title }} (#{{ number }})
+ {{ body }}
+ - name: backport patches to v6.0.x branch
+ conditions:
+ - base=main
+ - label=backport/6.0.x
+ actions:
+ backport:
+ branches:
+ - release/v6.0.x
+ - name: backport patches to v5.0.x branch
+ conditions:
+ - base=main
+ - label=backport/5.0.x
+ actions:
+ backport:
+ branches:
+ - release/v5.0.x
+ - name: backport patches to v4.0.x branch
+ conditions:
+ - base=main
+ - label=backport/4.0.x
+ actions:
+ backport:
+ branches:
+ - release/v4.0.x
+ - name: backport patches to v3.0.x branch
+ conditions:
+ - base=main
+ - label=backport/3.0.x
+ actions:
+ backport:
+ branches:
+ - release/v3.0.x
diff --git a/.protolint.yml b/.protolint.yml
new file mode 100644
index 00000000..bb2b7288
--- /dev/null
+++ b/.protolint.yml
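Review bot: The automerge rule's conditions are only `"#approved-reviews-by>1"`, `base=main` and `label=automerge`; despite the rule name saying "branch protection passing", nothing in the file requires CI to succeed, so the queue depends on GitHub branch protection being configured out of band and will enqueue PRs that then fail at merge time. If CI gating is intended, add a `check-success=<required CI check name>` (placeholder name) condition to the `default` queue rule so the requirement is explicit in the repository. The four backport rules target `release/v3.0.x` through `release/v6.0.x`, which this commit does not create and which look carried over from the parent project; I'd confirm those branches are meant to exist here or drop the rules until they do.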
@@ -0,0 +1,174 @@
+---
+# Lint directives.
+lint:
+ # # Linter files to ignore.
+ # ignores:
+ # - id: MESSAGE_NAMES_UPPER_CAMEL_CASE
+ # files:
+ # # NOTE: UNIX paths will be properly accepted by both UNIX and Windows.
+ # - _example/proto/simple.proto
+ # - id: ENUM_NAMES_UPPER_CAMEL_CASE
+ # files:
+ # - path/to/foo.proto
+
+ # # Linter files to walk.
+ # files:
+ # # The specific files to exclude.
+ # exclude:
+ # # NOTE: UNIX paths will be properly accepted by both UNIX and Windows.
+ # - path/to/file
+
+ # # Linter directories to walk.
+ # directories:
+ # # The specific directories to exclude.
+ # exclude:
+ # # NOTE: UNIX paths will be properly accepted by both UNIX and Windows.
+ # - path/to/dir
+
+ # Linter rules.
+ # Run `protolint list` to see all available rules.
+ rules:
+ # Determines whether or not to include the default set of linters.
+ no_default: true
+
+ # Set the default to all linters. This option works the other way around as no_default does.
+ # If you want to enable this option, delete the comment out below and no_default.
+ # all_default: true
+
+ # The specific linters to add.
+ add:
+ - FIELD_NAMES_LOWER_SNAKE_CASE
+ - MESSAGE_NAMES_UPPER_CAMEL_CASE
+ - MAX_LINE_LENGTH
+ - INDENT
+ # - SERVICE_NAMES_END_WITH
+ - FIELD_NAMES_EXCLUDE_PREPOSITIONS
+ - MESSAGE_NAMES_EXCLUDE_PREPOSITIONS
+ - FILE_NAMES_LOWER_SNAKE_CASE
+ - IMPORTS_SORTED
+ - PACKAGE_NAME_LOWER_CASE
+ - ORDER
+ - MESSAGES_HAVE_COMMENT
+ - SERVICES_HAVE_COMMENT
+ - RPCS_HAVE_COMMENT
+ - FIELDS_HAVE_COMMENT
+ - PROTO3_FIELDS_AVOID_REQUIRED
+ - PROTO3_GROUPS_AVOID
+ # - REPEATED_FIELD_NAMES_PLURALIZED
+ - ENUMS_HAVE_COMMENT
+ - ENUM_FIELDS_HAVE_COMMENT
+ - SYNTAX_CONSISTENT
+ - RPC_NAMES_UPPER_CAMEL_CASE
+ # - FILE_HAS_COMMENT
+ - QUOTE_CONSISTENT
+
+ # # The specific linters to remove.
+ # remove:
+ # - RPC_NAMES_UPPER_CAMEL_CASE
+
+ # Linter rules option.
+ rules_option:
+ # MAX_LINE_LENGTH rule option.
+ max_line_length:
+ # Enforces a maximum line length
+ max_chars: 120
+ # Specifies the character count for tab characters
+ tab_chars: 2
+
+ # INDENT rule option.
+ indent:
+ # Available styles are 4(4-spaces), 2(2-spaces) or tab.
+ style: 2
+ # Specifies if it should stop considering and inserting new lines at the appropriate positions
+ # when the inner elements are on the same line. Default is false.
+ not_insert_newline: true
+
+ # # FILE_NAMES_LOWER_SNAKE_CASE rule option.
+ # file_names_lower_snake_case:
+ # excludes:
+ # - ../proto/invalidFileName.proto
+
+ # QUOTE_CONSISTENT rule option.
+ quote_consistent:
+ # Available quote are "double" or "single".
+ quote: double
+
+ # ENUM_FIELD_NAMES_ZERO_VALUE_END_WITH rule option.
+ enum_field_names_zero_value_end_with:
+ suffix: INVALID
+
+ # # SERVICE_NAMES_END_WITH rule option.
+ # service_names_end_with:
+ # text: Service
+
+ # FIELD_NAMES_EXCLUDE_PREPOSITIONS rule option.
+ field_names_exclude_prepositions:
+ # The specific prepositions to determine if the field name includes.
+ prepositions:
+ - for
+ - at
+ - of
+ # The specific keywords including prepositions to ignore. E.g. end_of_support is a term you would like to use, and skip checking.
+ excludes:
+ - duration_of_decay
+
+ # # REPEATED_FIELD_NAMES_PLURALIZED rule option.
+ # ## The spec for each rules follows the implementation of https://github.com/gertd/go-pluralize.
+ # ## Plus, you can refer to this rule's test code.
+ # repeated_field_names_pluralized:
+ # uncountable_rules:
+ # - paper
+ # irregular_rules:
+ # Irregular: Regular
+
+ # MESSAGE_NAMES_EXCLUDE_PREPOSITIONS rule option.
+ message_names_exclude_prepositions:
+ # The specific prepositions to determine if the message name includes.
+ prepositions:
+ - With
+ - For
+ - Of
+ # # The specific keywords including prepositions to ignore. E.g. EndOfSupport is a term you would like to use, and skip checking.
+ # excludes:
+ # - EndOfSupport
+
+ # # RPC_NAMES_CASE rule option.
+ # rpc_names_case:
+ # # The specific convention the name should conforms to.
+ # ## Available conventions are "lower_camel_case", "upper_snake_case", or "lower_snake_case".
+ # convention: upper_snake_case
+
+ # MESSAGES_HAVE_COMMENT rule option.
+ messages_have_comment:
+ # Comments need to begin with the name of the thing being described. default is false.
+ should_follow_golang_style: true
+
+ # SERVICES_HAVE_COMMENT rule option.
+ services_have_comment:
+ # Comments need to begin with the name of the thing being described. default is false.
+ should_follow_golang_style: true
+
+ # RPCS_HAVE_COMMENT rule option.
+ rpcs_have_comment:
+ # Comments need to begin with the name of the thing being described. default is false.
+ should_follow_golang_style: true
+
+ # FIELDS_HAVE_COMMENT rule option.
+ fields_have_comment:
+ # Comments need to begin with the name of the thing being described. default is false.
+ should_follow_golang_style: true
+
+ # ENUMS_HAVE_COMMENT rule option.
+ enums_have_comment:
+ # Comments need to begin with the name of the thing being described. default is false.
+ should_follow_golang_style: true
+
+ # ENUM_FIELDS_HAVE_COMMENT rule option.
+ enum_fields_have_comment:
+ # Comments need to begin with the name of the thing being described. default is false.
+ should_follow_golang_style: true
+
+ # # SYNTAX_CONSISTENT rule option.
+ # syntax_consistent:
+ # # Default is proto3.
+ # version: proto2
diff --git a/.pylintrc b/.pylintrc
new file mode 100644
index 00000000..4ff377fa
--- /dev/null
+++ b/.pylintrc
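Review bot: `enum_field_names_zero_value_end_with: suffix: INVALID` in the `rules_option` section configures a rule that is never enabled: `no_default: true` is set and `ENUM_FIELD_NAMES_ZERO_VALUE_END_WITH` is absent from the `add:` list, so zero-value enum names are not checked even though the config reads as if they were. Either add `- ENUM_FIELD_NAMES_ZERO_VALUE_END_WITH` under `add:` or delete the option block; `SERVICE_NAMES_END_WITH`, by contrast, is commented out in both places and is at least consistent.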
@@ -0,0 +1,38 @@
+[MESSAGES CONTROL]
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once). You can also use "--disable=all" to
+# disable everything first and then re-enable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use "--disable=all --enable=classes
+# --disable=W".
+disable=raw-checker-failed,
+ bad-inline-option,
+ locally-disabled,
+ file-ignored,
+ suppressed-message,
+ useless-suppression,
+ deprecated-pragma,
+ use-symbolic-message-instead,
+ use-implicit-booleaness-not-comparison-to-string,
+ use-implicit-booleaness-not-comparison-to-zero,
+ missing-class-docstring,
+ missing-module-docstring,
+ missing-function-docstring,
+ too-few-public-methods,
+ too-many-public-methods,
+ too-many-arguments,
+ too-many-lines,
+ too-many-locals,
+ too-many-branches,
+ too-many-statements,
+ duplicate-code,
+ unspecified-encoding,
+ redefined-outer-name,
+ use-implicit-booleaness-not-comparison,
+ import-error,
+ use-dict-literal,
+ fixme
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 00000000..6f188660
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,33 @@
+# Ignore git items
+.gitignore
+.git/
+:include .gitignore
+
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+
+# Ignore proto
+*.proto
+
+# Common test paths
+test/
+tests/
+*_test.go
+*.pb.gw.go
+*.pb.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# GETH code
+x/evm/core/
diff --git a/.solhint.json b/.solhint.json
new file mode 100644
index 00000000..d7c3de98
--- /dev/null
+++ b/.solhint.json
@@ -0,0 +1,3 @@
+{
+ "extends": "solhint:default"
+}
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 00000000..e53fd3d1
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,31 @@
+---
+
+yaml-files:
+ - '*.yaml'
+ - '*.yml'
+ - '.yamllint'
+
+rules:
+ braces: enable
+ brackets: enable
+ colons: enable
+ commas: enable
+ comments:
+ level: warning
+ comments-indentation: disable
+ document-end: disable
+ document-start: disable
+ empty-lines: disable
+ empty-values: disable
+ float-values: disable
+ hyphens: enable
+ indentation: enable
+ key-duplicates: enable
+ key-ordering: disable
+ line-length: disable
+ new-line-at-end-of-file: enable
+ new-lines: enable
+ octal-values: disable
+ quoted-strings: disable
+ trailing-spaces: disable
+ truthy: disable
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..3f83a336
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,11 @@
+
+# Changelog
+
+## Unreleased
+
+### Improvements
+
+- (ci) [#12](https://github.com/evmos/os/pull/12) Add CI workflows, configurations, Makefile, License, etc.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..e589e0e0
--- /dev/null
+++ b/LICENSE
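Review bot: `"extends": "solhint:default"` selects a more limited preset than `solhint:recommended`, which is the one that carries solhint's security-oriented rule group, so the `solhint contracts/**/*.sol` step that the Makefile hunk further down wires into `lint` will report little beyond basic issues with this config. If security linting of the contracts is the goal, start from `"extends": "solhint:recommended"` and switch off individual noisy rules under a `"rules"` object instead of inheriting the smaller set. Preset contents have shifted between solhint releases, so confirm against the version the project pins.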
@@ -0,0 +1,73 @@ +Evmos Non-Commercial License + +Version 1.0 dated April 21th, 2023 + +This license contains the terms and conditions under which Tharsis Labs Ltd. +(“Company”) makes available its Software. Your use of the Software is subject to +these terms and conditions. + +Company grants you (“Licensee”) a license to use, modify, and redistribute the +Software, but only (a) for Non-Commercial Use, or (b) for Commercial Use only on +the Designated Blockchains. + +If Licensee makes available a copy of the Software to any third party, the +Software must be subject to the terms of this license only, and Licensee must +provide a copy of this license to that third party. All restrictions and +conditions of this license apply to the Software or any portion or modification +of the Software made under this license. + +Licensee must ensure that any third party who gets a copy of any part of the +Software from Licensee also gets a copy of the terms of this license or the +respective license URL, as well as copies of any plain-text lines beginning +with Required Notice that the licensor provided with the software. +For example: "Required Notice: Copyright Tharsis Labs Ltd. (https://github.com/evmos/evmos)". + +These terms do not allow Licensee to sublicense or transfer any of Licensee’s +rights to anyone else. These terms do not imply any other licenses not expressly +granted in this license. + +If Licensee violates any of these terms or uses the Software in a way not +authorized under this license, the license granted to Licensee ends immediately. +If Licensee makes, or authorizes any other person to make, any written claim +that the Software, or any other Evmos Product (see below), infringes or +contributes to the infringement of any patent, all rights granted to Licensee +under this license end immediately. 
+ +As far as the law allows, the Software is provided AS IS, without any warranty +or condition, and Company will not be liable to Licensee for any damages arising +out of these terms or the use or nature of the Software, under any kind of legal +claim. + +Terms in this license are used as follows: + +“Software” means the blockchain software developed by the Company, which is the +implementation of the Evmos blockchains available at +“https://github.com/evmos/evmos” and the Evmos applications at +“https://github.com/evmos/backend” and “https://github.com/evmos/apps” as may be +updated from time to time. + +"Designated Blockchains" refer to the version of the digital blockchain ledger +that, at any given time, is recognized as canonical in accordance with the +blockchain consensus. The initial Designated Blockchains shall be the Evmos +blockchains, identified by the Ethereum Improvement Proposal 155 (EIP-155) +chain identifiers 9000 (testing network or "testnet") and 9001 (main network +or mainnet). + +A “Evmos Product” is any product or service offered by the Company or its +affiliates. + +“Non-Commercial Use” means academic, scientific, or research and development +use, or evaluating the Software (such as. through auditing), but does not +include the creation of a publicly available blockchain, precompiled smart +contracts, or other distributed-ledger technology systems that facilitate any +transaction of economic value. + +"Commercial Use” is any use that is not a Non-Commercial Use. + +To “use” means any use, modification, distribution or other exploitation of the +Software or any part of it. + +----------------------------------------------------------------------------- + +For more information, please refer to the official ENCL-1.0 FAQ +(https://github.com/evmos/evmos/blob/main/LICENSE_FAQ.md). diff --git a/LICENSE_FAQ.md b/LICENSE_FAQ.md new file mode 100644 index 00000000..5114cabc --- /dev/null +++ b/LICENSE_FAQ.md 
@@ -0,0 +1,183 @@ +# License FAQ + +Evmos Non-Commercial License 1.0 (ENCL-1.0) was created by Tharsis Labs Ltd. +(Evmos) to provide a mutually beneficial balance between the user benefits of +our open software that is free of charge and provides open access to all of the +product code for modification, distribution, auditability, etc., and the +sustainability needs of our software developers to continue delivering product +innovation and maintenance. + +The ENCL is structured to allow free of charge usage +in all non-commercial cases and limited commercial use cases. + +ENCL gives users complete access to the source code so users can modify, +distribute and enhance it, within the permitted purposes. + +This FAQ is designed to address questions for developers and companies +interested in working on ENCL Software or adopting ENCL Software for commercial +use. + +**Q: What is Evmos Non-Commercial License 1.0 (ENCL-1.0)?** + +**A:** ENCL is an alternative to closed-source or fully open source licensing +models. Our licensing model includes both open source elements, under LGPL3 and +source-available elements, under ENCL-1.0. Under ENCL-1.0, the source code is +always publicly available. You have the right to “use, modify, and redistribute +the software” for any non-commercial purpose, or for specific commercial +purposes. + +By implication, there is only one primary limitation. You MAY NOT make +commercial use of the software, with exceptions that the commercial use is on +Designated Blockchains or you have obtained a prior commercial permit. + +The right of “use” here includes forking and using ENCL code as +a code dependency as use of the dependency doesn’t violate the ENCL-1.0. + +Here is the specific language of the license: + +“Commercial Use” is any use that is not a Non-Commercial Use. + +“Non-Commercial Use” means academic, scientific, or research and development +use, or evaluating the Software (such as. 
through auditing), but does not +include the creation of a publicly available blockchain, precompiled smart +contracts, or other distributed-ledger technology systems that facilitate any +transaction of economic value. + +"Designated Blockchains" refers to the version of the digital blockchain ledger +that, at any given time, is recognized as canonical in accordance with the +blockchain consensus. The initial Designated Blockchains shall be the Evmos +blockchains, identified by chain identifiers 9000 (testing network or testnet) +and 9001 (main network or mainnet). + +Evmos is currently building evmOS, the commercial name of the software associated with the Evmos repository, +to help developers to create their own EVM-compatible blockchain network with custom parameters. +You may use evmOS for your commercial project, subject to the applicable evmOS license. +For more information about evmOS, check out the Evmos Manifesto. + +**Q: What is the purpose of ENCL-1.0?** + +**A:** To create a license that strikes a balance between being able to maintain +sustainable software development while still supporting the original tenets of +open source, such as empowering all non-Evmos software developers to be part of +the innovation cycle – giving them open access to the code so they can audit, +modify or distribute the software by making the entire source code available +from the start. Note that ENCL 1.0 has not been approved by the OSI, and we do +not refer to it as an Open Source license. + +**Q:How do I apply for a commercial use permit or obtain different licensing terms or inquire about terms of this license?** + +**A:** You may contact the legal department of licensor: os@evmos.org. They +may be able to partner with you to answer your questions and figure out what +will work best for you and your needs. You only need this kind of permit if you +cannot meet the limitations of ENCL-1.0. 
+ +**Q: What if I am currently using Evmos code commercially in my business/project?** + +**A:**You are allowed to continue using the code from older versions (&2 + go mod verify + go mod tidy + +vulncheck: $(BUILDDIR)/ + GOBIN=$(BUILDDIR) go install golang.org/x/vuln/cmd/govulncheck@latest + $(BUILDDIR)/govulncheck ./... + +############################################################################### +### Tests & Simulation ### +############################################################################### + +test: test-unit +test-all: test-unit test-race + +# For unit tests we don't want to execute the upgrade tests in tests/e2e but +# we want to include all unit tests in the subfolders (tests/e2e/*) +PACKAGES_UNIT=$(shell go list ./... | grep -v '/tests/e2e$$') +TEST_PACKAGES=./... +TEST_TARGETS := test-unit test-unit-cover test-race + +# Test runs-specific rules. To add a new test target, just add +# a new rule, customise ARGS or TEST_PACKAGES ad libitum, and +# append the new rule to the TEST_TARGETS list. +test-unit: ARGS=-timeout=15m +test-unit: TEST_PACKAGES=$(PACKAGES_UNIT) + +test-race: ARGS=-race +test-race: TEST_PACKAGES=$(PACKAGES_NOSIMULATION) +$(TEST_TARGETS): run-tests + +test-unit-cover: ARGS=-timeout=15m -coverprofile=coverage.txt -covermode=atomic +test-unit-cover: TEST_PACKAGES=$(PACKAGES_UNIT) + +run-tests: +ifneq (,$(shell which tparse 2>/dev/null)) + go test -mod=readonly -json $(ARGS) $(EXTRA_ARGS) $(TEST_PACKAGES) | tparse +else + go test -mod=readonly $(ARGS) $(EXTRA_ARGS) $(TEST_PACKAGES) +endif + +test-scripts: + @echo "Running scripts tests" + @pytest -s -vv ./scripts + +test-solidity: + @echo "Beginning solidity tests..." + ./scripts/run-solidity-tests.sh + +.PHONY: run-tests test test-all $(TEST_TARGETS) + +benchmark: + @go test -mod=readonly -bench=. 
$(PACKAGES_NOSIMULATION) + +.PHONY: benchmark + +############################################################################### +### Linting ### +############################################################################### + +lint: + golangci-lint run --out-format=tab + solhint contracts/**/*.sol + +lint-fix: + golangci-lint run --fix --out-format=tab --issues-exit-code=0 + +lint-fix-contracts: + @cd contracts && \ + npm i && \ + npm run lint-fix + solhint --fix contracts/**/*.sol + +.PHONY: lint lint-fix + +format: + find . -name '*.go' -type f -not -path "./vendor*" -not -path "*.git*" -not -name '*.pb.go' -not -name '*.pb.gw.go' | xargs gofumpt -w -l + +.PHONY: format + + +format-python: format-isort format-black + +format-black: + find . -name '*.py' -type f -not -path "*/node_modules/*" | xargs black + +format-isort: + find . -name '*.py' -type f -not -path "*/node_modules/*" | xargs isort + +############################################################################### +### Protobuf ### +############################################################################### + +protoVer=0.11.6 +protoImageName=ghcr.io/cosmos/proto-builder:$(protoVer) +protoImage=$(DOCKER) run --rm -v $(CURDIR):/workspace --workdir /workspace --user 0 $(protoImageName) + +protoLintVer=0.44.0 +protoLinterImage=yoheimuta/protolint +protoLinter=$(DOCKER) run --rm -v "$(CURDIR):/workspace" --workdir /workspace --user 0 $(protoLinterImage):$(protoLintVer) + +# ------ +# NOTE: If you are experiencing problems running these commands, try deleting +# the docker images and execute the desired command again. 
+# +proto-all: proto-format proto-lint proto-gen proto-swagger-gen + +proto-gen: + @echo "Generating Protobuf files" + $(protoImage) sh ./scripts/protocgen.sh + +proto-swagger-gen: + @echo "Downloading Protobuf dependencies" + @make proto-download-deps + @echo "Generating Protobuf Swagger" + $(protoImage) sh ./scripts/protoc-swagger-gen.sh + +proto-format: + @echo "Formatting Protobuf files" + $(protoImage) find ./ -name *.proto -exec clang-format -i {} \; + +proto-lint: + @echo "Linting Protobuf files" + @$(protoImage) buf lint --error-format=json + @$(protoLinter) lint ./proto + +proto-check-breaking: + @echo "Checking Protobuf files for breaking changes" + $(protoImage) buf breaking --against $(HTTPS_GIT)#branch=main + +SWAGGER_DIR=./swagger-proto +THIRD_PARTY_DIR=$(SWAGGER_DIR)/third_party + +proto-download-deps: + mkdir -p "$(THIRD_PARTY_DIR)/cosmos_tmp" && \ + cd "$(THIRD_PARTY_DIR)/cosmos_tmp" && \ + git init && \ + git remote add origin "https://github.com/evmos/cosmos-sdk.git" && \ + git config core.sparseCheckout true && \ + printf "proto\nthird_party\n" > .git/info/sparse-checkout && \ + git pull origin "$(DEPS_COSMOS_SDK_VERSION)" && \ + rm -f ./proto/buf.* && \ + mv ./proto/* .. + rm -rf "$(THIRD_PARTY_DIR)/cosmos_tmp" + + mkdir -p "$(THIRD_PARTY_DIR)/ibc_tmp" && \ + cd "$(THIRD_PARTY_DIR)/ibc_tmp" && \ + git init && \ + git remote add origin "https://github.com/cosmos/ibc-go.git" && \ + git config core.sparseCheckout true && \ + printf "proto\n" > .git/info/sparse-checkout && \ + git pull origin "$(DEPS_IBC_GO_VERSION)" && \ + rm -f ./proto/buf.* && \ + mv ./proto/* .. 
+ rm -rf "$(THIRD_PARTY_DIR)/ibc_tmp" + + mkdir -p "$(THIRD_PARTY_DIR)/cosmos_proto_tmp" && \ + cd "$(THIRD_PARTY_DIR)/cosmos_proto_tmp" && \ + git init && \ + git remote add origin "https://github.com/cosmos/cosmos-proto.git" && \ + git config core.sparseCheckout true && \ + printf "proto\n" > .git/info/sparse-checkout && \ + git pull origin "$(DEPS_COSMOS_PROTO_VERSION)" && \ + rm -f ./proto/buf.* && \ + mv ./proto/* .. + rm -rf "$(THIRD_PARTY_DIR)/cosmos_proto_tmp" + + mkdir -p "$(THIRD_PARTY_DIR)/gogoproto" && \ + curl -SSL "https://raw.githubusercontent.com/cosmos/gogoproto/$(DEPS_COSMOS_GOGOPROTO)/gogoproto/gogo.proto" > "$(THIRD_PARTY_DIR)/gogoproto/gogo.proto" + + mkdir -p "$(THIRD_PARTY_DIR)/google/api" && \ + curl -sSL https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto > "$(THIRD_PARTY_DIR)/google/api/annotations.proto" + curl -sSL https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/http.proto > "$(THIRD_PARTY_DIR)/google/api/http.proto" + + mkdir -p "$(THIRD_PARTY_DIR)/cosmos/ics23/v1" && \ + curl -sSL "https://raw.githubusercontent.com/cosmos/ics23/$(DEPS_COSMOS_ICS23)/proto/cosmos/ics23/v1/proofs.proto" > "$(THIRD_PARTY_DIR)/cosmos/ics23/v1/proofs.proto" + + +.PHONY: proto-all proto-gen proto-format proto-lint proto-check-breaking proto-swagger-gen + +############################################################################### +### Releasing ### +############################################################################### + +PACKAGE_NAME:=github.com/evmos/evmos +GOLANG_CROSS_VERSION = v1.22 +GOPATH ?= '$(HOME)/go' +release-dry-run: + docker run \ + --rm \ + --privileged \ + -e CGO_ENABLED=1 \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v `pwd`:/go/src/$(PACKAGE_NAME) \ + -v ${GOPATH}/pkg:/go/pkg \ + -w /go/src/$(PACKAGE_NAME) \ + ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \ + --clean --skip validate --skip publish --snapshot + +release: + @if [ ! 
-f ".release-env" ]; then \ + echo "\033[91m.release-env is required for release\033[0m";\ + exit 1;\ + fi + docker run \ + --rm \ + --privileged \ + -e CGO_ENABLED=1 \ + --env-file .release-env \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v `pwd`:/go/src/$(PACKAGE_NAME) \ + -w /go/src/$(PACKAGE_NAME) \ + ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \ + release --clean --skip validate + +.PHONY: release-dry-run release + +############################################################################### +### Compile Solidity Contracts ### +############################################################################### + +# Install the necessary dependencies, compile the solidity contracts found in the +# Evmos repository and then clean up the contracts data. +contracts-all: contracts-compile contracts-clean + +# Clean smart contract compilation artifacts, dependencies and cache files +contracts-clean: + @echo "Cleaning up the contracts directory..." + @python3 ./scripts/compile_smart_contracts/compile_smart_contracts.py --clean + +# Compile the solidity contracts found in the Evmos repository. +contracts-compile: + @echo "Compiling smart contracts..." + @python3 ./scripts/compile_smart_contracts/compile_smart_contracts.py --compile + +# Add a new solidity contract to be compiled +contracts-add: + @echo "Adding a new smart contract to be compiled..." + @python3 ./scripts/compile_smart_contracts/compile_smart_contracts.py --add $(CONTRACT) + +############################################################################### +### Miscellaneous Checks ### +############################################################################### + +check-licenses: + @echo "Checking licenses..." + @python3 scripts/license_checker/check_licenses.py . + +check-changelog: + @echo "Checking changelog..." + @python3 scripts/changelog_checker/check_changelog.py ./CHANGELOG.md + +fix-changelog: + @echo "Fixing changelog..." 
+ @python3 scripts/changelog_checker/check_changelog.py ./CHANGELOG.md --fix diff --git a/SAFU.md b/SAFU.md new file mode 100644 index 00000000..b988cdf8 --- /dev/null +++ b/SAFU.md 
@@ -0,0 +1,134 @@ +# Simple Arrangement for Funding Upload + +## Overview + +This Simple Arrangement for Funding Upload (the +“[SAFU](https://jumpcrypto.com/safu-creating-a-standard-for-whitehats/)” or +“Arrangement”) is intended as a simple yet extensible way to specify a +post-exploit policy for whitehats, particularly rewards and distributions. It is +based on the SAFU Framework designed by [Jump Crypto](https://jumpcrypto.com/). + +This Arrangement attempts to address the following issues during active +vulnerabilities and post-exploits: + +- **Legal uncertainty**: No clear grace period during which the hacker can + declare themselves as a white hat. No formal guarantees as the team can decide + at any time to take legal action or not. +- **Lack of clarity**: What to do with the funds secured from an exploit? Where + should the white hat transfer the secured funds? Is there a + compensation/reward promised for securing affected users’ funds? +- **Execution risk**: Conflicting proposals and stressful negotiation may arise + during and after the exploit of a vulnerability, leading to additional + confusion and uncertainty between the parties involved. + +## Concepts + +- **Dropbox Address (”Dropbox”)**: An address or contract to which funds taken + from the protocol should be deposited. In the case of contracts, a Dropbox can + be *automatic*, handling claims and rewards on a per-depositor basis without + human input, or *conditional*, requiring additional input such as governance + approvals or identity verification (KYC). +- **Deposit Interval:** the grace period in which a sender must deposit funds in + the Dropbox after removing them from the protocol. +- **Claim Delay:** a minimum waiting period before a sender may claim rewards. + We recommend at least 24 hours, during which the extent of an exploit will + become clear. 
+- **Sender Claim Interval:** a maximum waiting period after which the protocol + may reclaim the sender’s reward, to avoid leaving funds stranded in the + contract. +- **Bounty Percent**: Pro-rata share of funds secured that are claimable by the + whitehats. +- **Bounty Cap**: Maximum amount of tokens that a whitehat can claim after + securing the vulnerable funds. + +## Statement for Whitehats + +Tharsis Labs Ltd. (the ”Team”) commits to not pursue legal action against white +hats who act in accordance with the Arrangement for vulnerabilities found in the +Evmos blockchain (chain ID: 9001). + +### Timeline + +The Team gives 48 hours to hackers (”Grace Period”) to deposit the funds to the +Dropbox from the moment they obtain the tokens from the exploited vulnerability. +After this time, the Team will assume that the hacker is acting maliciously and +against this Arrangement if they haven’t transferred the full amount of tokens. + +Evmos guarantees that the claiming for the funds process to begin not after 30 +days (Claim Delay) of the transfer or during the next upgrade. This is due to +the fact that transfers will need to be executed during an upgrade. We expect +this process to become automatic after a dedicated trustless Cosmos module is +incorporated for this purpose. + +If the whitehat doesn’t reclaim the tokens transferred before the 30th day from +the transfer day (Sender Claim Interval), the tokens will be reclaimed and +transferred to the Evmos community pool (aka. community treasury). + +### Reward Policy + +Whitehats that secure vulnerable funds are able to claim 5% of the total funds +secured (Bounty Percent) up to a total of 250,000 EVMOS (Bounty Cap). + +There is no minimum to the amount that can be secured. The reward white hack +hacker can secure from 1 atto EVMOS (1e-18 EVMOS or the equivalent unit of 1 wei +on Ethereum). + +We encourage whitehat hackers to report undisclosed vulnerabilities using the + email. 
+ +## Dropbox for Protocol Funds + +The following Dropbox address is available on the Evmos blockchain for +transferring secured funds by whitehats: + +| | Bech32 Format | Hex Format | +| ------- | -------------------------------------------- | ------------------------------------------ | +| Dropbox | evmos1c6jdy4gy86s69auueqwfjs86vse7kz3grxm9h2 | 0xc6A4d255043ea1A2F79CC81c9940FA6433eb0A28 | + +While the original purpose for the Dropbox address is to primarily help secure +vulnerable EVMOS tokens, it can also be used as a general purpose escrow account +for whitehackers to help secure other tokens (Native or ERC20) that have been +exploited due to a vulnerability and thus declare behaviour in accordance to +this Agreement. + +The Team offers to serve as mediator between the project exploited and the +whitehat hackers that have transferred secured funds to the Dropbox. However, +the Team is not responsible or liable for any reward payout result of the +negotiation between these two parties. + +### Address Derivation + +The Dropbox address corresponds a `ModuleAccount` address that is not controlled +by the team nor any individual. The module `ModuleAccount` address provided is +derived from the first 20 bytes of the SHA256 sum for the `“safu”` string, using +the following algorithm: + +```bash +address = address(shaSum256([]byte("safu"))[:20])) +``` + +### Source Addresses + +In the event of a vulnerability, the rewards for whitehats will be taken out +from the Dropbox account. The total amount claimable by each whitehat is defined +by the Bounty Percent and Bounty Cap using the following formula: + +```bash +amount_claimable = min(bounty_cap, amount_secured * bounty_percent) +``` + +### Conditions for Claiming + +**KYC/KYB Requirements** + +The Agreement requires KYC/KYB to be done for all whitehats wanting a reward +valued above US$ 1,000. The information required (photographic ID, utility bill) +is assessed by Provenance (the “KYC Provider”). 
Whitehats that are business +entities will have to provide additional information (e.g., directors, owners). +Please anticipate that the KYC Provider might require documentation in English, +or in certified translations to it. The collection and assessment of this +information will be done by the KYC Provider. + +## References + +- [Jump Crypto: SAFU - Creating a Standard for Whitehats](https://jumpcrypto.com/safu-creating-a-standard-for-whitehats/) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..a5f81aeb --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,176 @@ +# Security + +As part of our vulnerability disclosure policy. This document serves as a complementary guideline +for reporting vulnerabilities and how the disclosure process is managed. + +## Guidelines + +We require that all whitehat hackers and researchers: + +- Use the Evmos security email ([security@evmos.org](mailto:security@evmos.org)) to disclose all vulnerabilities, +and avoid posting vulnerability information in public places, including GitHub, Discord, Telegram, X (Twitter) or +other non-private channels. +- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, +and destruction of data. +- Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the engineering +team until the issue has been resolved and disclosed +- Avoid posting personally identifiable information, privately or publicly + +If you follow these guidelines when reporting an issue to us, we commit to: + +- Not pursue or support any legal action related to your research on this vulnerability +- Work with you to understand, resolve and ultimately disclose the issue in a timely fashion + +## Disclosure Process + +Evmos uses the following disclosure process: + +1. Once a security report is received via the security email, the team works to verify the issue and confirm its +severity level using [CVSS](https://nvd.nist.gov/vuln-metrics/cvss) in its latest version (v4 at the time of writing). + 1. Two people from the affected project will review, replicate and acknowledge the report + within 48-96 hours of the alert according to the table below: + + | Security Level | Hours to First Response (ACK) from Escalation | + | -------------------- | --------------------------------------------- | + | Critical | 48 | + | High | 96 | + | Medium | 96 | + | Low or Informational | 96 | + | None | 96 | + + 2. 
If the report is not applicable or the vulnerability is not able to be reproduced, + the Security Lead will revert to the reporter to request more info or close the report. + 3. The report is confirmed by the Security Lead to the reporter. + +2. The team determines the vulnerability’s potential impact on Evmos. + + 1. Vulnerabilities with `Informational` and `Low` categorization will result in creating a public issue. + 2. Vulnerabilities with `Medium` categorization will result + in the creation of an internal ticket and patch of the code. + 3. Vulnerabilities with `High` or `Critical` will result in the [creation of a new Security Advisory](https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory) + +Once the vulnerability severity is defined, the following steps apply: + +- For `High` and `Critical`: + 1. Patches are prepared for supported releases of Evmos in a + [temporary private fork](https://docs.github.com/en/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) + of the repository. + 2. Only relevant parties will be notified about an upcoming upgrade. + These being validators, the core developer team, and users directly affected by the vulnerability. + 3. 24 hours following this notification, relevant releases with the patch will be made public. + 4. The nodes and validators update their Evmos and Ethermint dependencies to use these releases. + 5. A week (or less) after the security vulnerability has been patched on Evmos, + we will disclose that the mentioned release contained a security fix. + 6. After an additional 2 weeks, we will publish a public announcement of the vulnerability. + We also publish a security Advisory on GitHub and publish a + [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) + +- For `Informational`, `Low` and `Medium` severities: + 1. 
`Medium` and `Low` severity bug reports are included in a public issue + and will be incorporated in the current sprint and patched in the next release. + `Informational` reports are additionally categorized as with low or medium priority + and might not be included in the next release. + 2. One week after the releases go out, we will publish a post + with further details on the vulnerability as well as our response to it. + +This process can take some time. +Every effort will be made to handle the bug in as timely a manner as possible, +however, it's important that we follow the process described above +to ensure that disclosures are handled consistently +and to keep Ethermint and its downstream dependent projects, +including but not limited to Evmos, +as secure as possible. + +### Payment Process + +The payment process will be executed according to Evmos SAFU for `Critical` and `High` severity vulnerabilities. +Payouts can only be executed in accordance and under supervision of the Evmos Operations team and only once the +following requirements have been completed: + +- The whitehat hacker or organization successfully completes the KYC/KYB process (i.e KYC/KYB accepted). +- The vulnerability is patched in production (eg. mainnet). + +#### KYC/KYB Process + +The Operations team will get in contact with the whitehat hacker to coordinate the submission of KYC/KYC with +the Service Provider [Provenance](http://provenancecompliance.com). + +The KYC/KYB process is performed independently by the Service Provider, which submits a report with the +KYC/KYB result +(Accepted or Rejected) to the Evmos Core Team. The Evmos Core team does not have access to any of the information +provided to the Service Provider. 
+ +The following information is to be submitted to the independent Service Provider: + +- **Email** +- **Physical Address** +- **Proof of Address**: Utility bill (with exception of mobile phone invoice) or bank statement with no +more than 3 months old from the current date. +- **Passport** (National Identification) + Selfie photo. +- **Receiving Address**: The on-chain address account that will receive the Payouts. + +#### Supported Releases + +The team commits to releasing security patch releases for the latest release that Evmos is running. + +If evmOS licensees are running older versions, we encourage them to upgrade at the earliest opportunity +so that you can receive +security patches directly from the repo, according to the terms set in the License Agreement. While project +are welcomed to backport security patches to older versions for their own use, the Evmos team reserves +the right to prioritize patches for +latest versions being used by projects. + +#### Scope of Vulnerabilities + +We’re interested in a full range of bugs with demonstrable security risk: from those that can be proven +with a simple unit test, +to those that require a full cluster and a complex sequence of transactions. + +Please note that, in the interest of the safety of our users and staff, a few things are explicitly +excluded from scope: + +- Any third-party services. +- Findings derived from social engineering (e.g., phishing). + +Examples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, +timing attacks, information leaks, authentication bypasses, denial of service +(specifically at the application- or protocol-layer), +lost-write bugs, unauthorized account or capability access, stolen or loss of funds, token inflation bugs, +payloads/transactions that cause panics, non deterministic logic, etc. 
+
+##### JSON-RPC
+
+- Write-access to anything besides sending transactions
+- Bypassing transactions authentication
+- Denial-of-Service
+- Leakage of secrets
+
+##### Denial-of-Service
+
+Attacks may come through the P2P network or the RPC layer:
+
+- Amplification attacks
+- Resource abuse
+- Deadlocks and race conditions
+
+##### Precompiles
+
+- Override of state due to misuse of `DELEGATECALL`, `STATICCALL`, `CALLCODE`
+- Unauthorized transactions via precompiles (eg. ERC-20 token approvals)
+
+##### EVM Module
+
+- Memory allocation bugs
+- Payloads that cause panics
+- Authorization of invalid transactions
+
+##### Fee Market Module (EIP-1559)
+
+- Memory allocation bugs
+- Improper / unpenalized manipulation of the BaseFee value
+
+### Contact
+
+The Evmos Security Team is constantly being monitored.
+If you need to reach out to the team directly,
+please reach out via email: [security@evmos.org](mailto:security@evmos.org)
diff --git a/buf.gen.proto.yaml b/buf.gen.proto.yaml
new file mode 100644
index 00000000..fed20222
--- /dev/null
+++ b/buf.gen.proto.yaml
@@ -0,0 +1,19 @@
+version: v1
+
+plugins:
+
+ - name: gocosmos
+ out: .
+ opt:
+ - plugins=interfacetype+grpc
+
+ - name: grpc-gateway
+ out: .
+ opt:
+ - logtostderr=true
+
+ - name: doc
+ out: ./docs/protocol
+ opt:
+ - ./docs/protodoc-markdown.tmpl,proto-docs.md
+ strategy: all
diff --git a/buf.work.yaml b/buf.work.yaml
new file mode 100644
index 00000000..1878b341
--- /dev/null
+++ b/buf.work.yaml
@@ -0,0 +1,3 @@
+version: v1
+directories:
+ - proto
diff --git a/codecov.yml b/codecov.yml
new file mode 100644
index 00000000..589de7f2
--- /dev/null
+++ b/codecov.yml
@@ -0,0 +1,36 @@
+#
+# This codecov.yml is the default configuration for
+# all repositories on Codecov. You may adjust the settings
+# below in your own codecov.yml in your repository.
+#
+coverage:
+ precision: 2
+ round: down
+ range: 70...100
+
+ status:
+ # Learn more at https://docs.codecov.io/docs/commit-status
+ project:
+ default:
+ threshold: 1% # allow this much decrease on project
+ target: 90%
+ changes: false
+
+comment:
+ layout: "reach, diff, files"
+ behavior: default # update if exists else create new
+ require_changes: true
+
+ignore:
+ - "**/*.md"
+ - "cmd"
+ - "client"
+ - "proto"
+ - "testutil"
+ - "**/test_*.go"
+ - "**/*.pb.go"
+ - "**/*.pb.gw.go"
+ - "x/**/module.go"
+ - "scripts"
+ - "ibc/testing"
+ - "version"
diff --git a/mlc_config.json b/mlc_config.json
new file mode 100644
index 00000000..7d5b6756
--- /dev/null
+++ b/mlc_config.json
@@ -0,0 +1,10 @@
+{
+ "retryOn429": true,
+ "retryCount": 3,
+ "fallbackRetryDelay": "20s",
+ "ignorePatterns": [
+ {
+ "pattern": "^https://twitter.com/.*"
+ }
+ ]
+}
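Review bot: The `"**/test_*.go"` entry in the `ignore:` list looks like a Python-style name; Go test files are `*_test.go`, so as written the pattern probably matches nothing and either a real `*_test.go` exclusion or its removal is intended — confirm which files it was meant to cover. The remaining entries (`cmd`, `client`, `testutil`, `scripts`, `version`, `x/**/module.go`) remove whole trees from the report, so untested code there can never pull the 90% `target` down, and none of them says why; a short comment per group, e.g. `# wiring/boilerplate only — no logic worth measuring` above `cmd` and `client` if that is the reason, would keep later additions to the list reviewable.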