Feat/audit tooling suite #1095

Open
nonso7 wants to merge 4 commits into HyperSafeD:main from nonso7:feat/audit-tooling-suite

@nonso7 nonso7 commented Jun 30, 2026

Contributor

Summary

Describe the change, the motivation behind it, and any important implementation details.

Fixes #

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Maintenance or refactor

Testing

List the commands you ran and the scope of validation.

cargo fmt --all --check
cargo clippy --workspace --all-targets --all-features -- -D warnings
cargo test -p sanctifier-core --all-features
cargo test -p sanctifier-cli
cd frontend && npm test

Checklist

  • I ran the relevant tests locally, or explained why they were not needed.
  • I updated documentation for any user-facing behavior changes.
  • I added or updated tests for the change when appropriate.
  • I added a changelog or release-notes entry when needed, or confirmed none is required.
  • I verified this branch is up to date with main and merge conflicts are resolved.

Closes #1032
Closes #1045
Closes #1042
Closes #1035

nonso7 added 4 commits June 30, 2026 12:59
…SafeD#1032)

Introduce a single, shared SEP-41 conformance suite that every token
contract must pass, replacing per-contract ad-hoc checks.

- sanctifier-test-support: new `sep41_compliance` harness that verifies a
  contract's source implements all 10 SEP-41 functions with the exact
  signatures and correct caller authorization (mirrors core's S012 spec,
  but syn-only so the suite needs no Z3).
- new `sep41-compliance` crate runs the suite against 3+ token contracts
  (my-contract plus reference AMM-LP and deposit-receipt tokens) and
  asserts that missing functions, wrong signatures, and missing
  require_auth all fail compliance.
- CI: new `cargo test -p sep41-compliance` job in contracts-ci.

Each rule now has a dedicated page with: what it detects, why it matters,
a vulnerable and a safe Soroban example, a CVSS v3.1 risk rating, how to
fix, and cross-links to related rules. The README rule table now links
every S001-S012 code to its page.
Guide for combining Sanctifier's SARIF output with Semgrep, CodeQL, and
other SARIF-aware tools: merging multiple SARIF files, GitHub Code
Scanning with Sanctifier + CodeQL, a Semgrep + Sanctifier workflow,
Slither in a multi-tool pipeline, and exporting findings to Jira/Linear
via webhooks. Ships a working Code Scanning workflow plus sample
workflows for each integration.

…feD#1035)

Add proptest-based fuzzing of the analysis engine: generate random Rust
source (structured Soroban contracts, free-form snippets, and arbitrary
text) and run every rule, asserting the result is always Ok(findings) or
Err(parse_error) and never panics. Runs as a separate CI job with a hard
60-second budget over 10,000 cases.

The property test discovered a real crash: deeply nested input overflowed
the recursive parser/analyzer stack and aborted the process. Fixed by an
EXCESSIVE_NESTING input-validation guard that rejects pathological
delimiter nesting before it reaches the recursive passes; the crash input
is kept as a regression fixture.

Also repairs pre-existing breakage in sanctifier-core that prevented the
crate from compiling at all (a brace-spliced analyze_upgrade_patterns /
analyze_custom_rules, duplicate SanctifyConfig / scan_events definitions,
and an EventIssue field mismatch), without which no core test could run.
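
A sketch of the kind of guard the last commit message describes, as an added example that is not code from this PR or from Sanctifier: one non-recursive pass bounds delimiter depth before any recursive parser or analyzer runs. `MAX_NESTING`, `InputError`, `check_nesting` and `analyze_guarded` are hypothetical names, and the limit of 128 is an assumed value.

```rust
// Added example, not Sanctifier's code. Names and the limit are assumptions.
const MAX_NESTING: usize = 128; // assumed budget; the PR does not state one

#[derive(Debug, PartialEq)]
pub enum InputError {
    // Plays the role of the EXCESSIVE_NESTING guard named in the commit message.
    ExcessiveNesting { depth: usize, byte_offset: usize },
}

/// One linear, non-recursive pass over the raw bytes: constant stack use no
/// matter how deep the input nests. Byte-level heuristic: delimiters inside
/// string literals and comments are counted like code, so a hardened guard
/// would run the same counter over lexed tokens.
pub fn check_nesting(src: &str, limit: usize) -> Result<usize, InputError> {
    let (mut depth, mut max_depth) = (0usize, 0usize);
    for (byte_offset, b) in src.bytes().enumerate() {
        match b {
            b'(' | b'[' | b'{' => {
                depth += 1;
                if depth > limit {
                    return Err(InputError::ExcessiveNesting { depth, byte_offset });
                }
                max_depth = max_depth.max(depth);
            }
            // Unbalanced closers are left for the real parser to report.
            b')' | b']' | b'}' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }
    Ok(max_depth)
}

/// Gate in front of a recursive analysis pass (a stand-in closure here).
pub fn analyze_guarded<T>(src: &str, analyze: impl FnOnce(&str) -> T) -> Result<T, InputError> {
    check_nesting(src, MAX_NESTING)?;
    Ok(analyze(src))
}

fn main() {
    // Constructed inputs: an ordinary snippet and a pathological one.
    let normal = "fn transfer(e: Env) { from.require_auth(); move_balance(&e, [1, (2)]); }";
    let hostile = "[".repeat(100_000);
    println!("{:?}", analyze_guarded(normal, |s| s.len()));
    println!("{:?}", analyze_guarded(&hostile, |s| s.len()));
}
```

The hostile input is rejected at the 129th opener, so the recursive pass never sees it; keeping that input as a fixture turns the crash into a regression test.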

vercel Bot commented Jun 30, 2026

@nonso7 is attempting to deploy a commit to the gbangbolaoluwagbemiga's projects Team on Vercel.

A member of the Team first needs to authorize it.

drips-wave Bot commented Jun 30, 2026

@nonso7 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.
