merge: chore/cleanup-remove-bloat-and-secrets into main
This commit is contained in:
commit
bde2f3a97d
1173 changed files with 437609 additions and 0 deletions
98
SECURITY_STACK.md
Normal file
98
SECURITY_STACK.md
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
# RugMunch Intelligence — Security Stack Summary
|
||||
# Generated: 2026-05-08
|
||||
# WARNING: This file describes the security tooling deployed on this host.
|
||||
# Do NOT share externally — contains system architecture details.
|
||||
# Access: chmod 600, root-only.
|
||||
|
||||
══════════════════════════════════════════════════════════════════
|
||||
INSTALLED OPEN-SOURCE SECURITY TOOLS
|
||||
══════════════════════════════════════════════════════════════════
|
||||
|
||||
SAST (Static Analysis):
|
||||
bandit 1.9.4 Python security linter → pipx install bandit
|
||||
semgrep 1.162.0 Cross-language static analysis → pipx install semgrep
|
||||
|
||||
Secret Detection:
|
||||
gitleaks 8.25.1 Git + filesystem secret scanning → binary download
|
||||
|
||||
Dependency Scan:
|
||||
pip-audit 2.10.0 PyPI vulnerability audit → pipx install pip-audit
|
||||
|
||||
Container Scanning:
|
||||
trivy 0.70.0 Container + filesystem + secrets → binary download
|
||||
|
||||
IPS / WAF:
|
||||
crowdsec 1.7.7 Collaborative intrusion detection → apt install
|
||||
fail2ban active IP-based brute-force blocker → apt install
|
||||
|
||||
Pre-commit:
|
||||
pre-commit 4.6.0 Git hook automation → pipx install pre-commit
|
||||
|
||||
══════════════════════════════════════════════════════════════════
|
||||
NEW FILES CREATED
|
||||
══════════════════════════════════════════════════════════════════
|
||||
|
||||
/srv/rmi/backend/.bandit.yaml Bandit config (excludes B105/B311 false-posit, dirs)
|
||||
/srv/rmi/backend/.gitleaks.toml Gitleaks allowlist (public SOL addresses + static/)
|
||||
/srv/rmi/backend/.trivyignore Trivy ignore (investigation evidence files)
|
||||
/srv/rmi/backend/.pre-commit-config.yaml Pre-commit: bandit + gitleaks + isort + black + pip-audit
|
||||
/srv/rmi/backend/run-security.sh Full security suite runner
|
||||
/srv/rmi/backend/tmp/ fail2ban templates + GitHub Actions template
|
||||
|
||||
══════════════════════════════════════════════════════════════════
|
||||
CODE FIXES APPLIED
|
||||
══════════════════════════════════════════════════════════════════
|
||||
|
||||
DOCKERFILE:
|
||||
- FROM python:3.12-slim (was 3.11)
|
||||
- Added non-root `rmi` user + USER rmi
|
||||
- Upgraded known-vulnerable packages: jaraco.context + wheel
|
||||
|
||||
CODE (md5 → sha256 - CWE-327):
|
||||
app/fallback_engine.py:83 Cache key hash
|
||||
app/routers/news_feed.py:237 Article deduplication hash
|
||||
app/routers/rugmaps.py:462 Token cluster seed
|
||||
app/routers/social.py:435 Like hash
|
||||
app/rugmaps_analyzer.py:99 Analyzer seed
|
||||
|
||||
BUG FIXES:
|
||||
app/routers/daily_briefing.py:280 Fixed unterminated string literal syntax error
|
||||
|
||||
══════════════════════════════════════════════════════════════════
|
||||
SCAN RESULTS (latest run)
|
||||
══════════════════════════════════════════════════════════════════
|
||||
|
||||
Bandit: 0 HIGH, 42 MEDIUM (excludes B105 false-positives)
|
||||
Semgrep: 4 findings (2 INFO + 2 WARNING — all in x402-gateway/*.ts, not backend)
|
||||
pip-audit: 0 known dependency vulnerabilities
|
||||
Gitleaks: 0 leaks (after allowlist for public SOL addresses + dist/)
|
||||
Trivy fs: 0 HIGH/CRITICAL (after .trivyignore for investigation evidence)
|
||||
|
||||
══════════════════════════════════════════════════════════════════
|
||||
MANUAL DEPLOY STEPS
|
||||
══════════════════════════════════════════════════════════════════
|
||||
|
||||
Deploy fail2ban API abuse protection:
|
||||
sudo cp /srv/rmi/backend/tmp/rmi-api.conf /etc/fail2ban/filter.d/rmi-api.conf
|
||||
sudo cp /srv/rmi/backend/tmp/rmi-api-jail.conf /etc/fail2ban/jail.d/rmi-api.conf
|
||||
sudo systemctl restart fail2ban
|
||||
|
||||
Deploy GitHub Actions when repo hooks up:
|
||||
mkdir -p .github/workflows
|
||||
cp /srv/rmi/backend/tmp/github-workflow.yml .github/workflows/security.yml
|
||||
|
||||
══════════════════════════════════════════════════════════════════
|
||||
COMMAND REFERENCE
|
||||
══════════════════════════════════════════════════════════════════
|
||||
|
||||
Quick scan: cd /srv/rmi/backend && ./run-security.sh
|
||||
Full scan: cd /srv/rmi/backend && ./run-security.sh --full
|
||||
Bandit only: bandit -r app/ -c .bandit.yaml
|
||||
Semgrep only: semgrep --config=auto
|
||||
pip-audit: pip-audit -r requirements.txt
|
||||
Gitleaks: gitleaks detect --source . --no-git --config .gitleaks.toml
|
||||
Trivy fs: trivy fs --scanners vuln,secret,misconfig .
|
||||
Trivy image: trivy image --severity HIGH,CRITICAL rmi-backend:latest
|
||||
Pre-commit: pre-commit run --all-files
|
||||
CrowdSec stats: cscli metrics + cscli decisions list
|
||||
Fail2ban ban: sudo fail2ban-client status rmi-api
|
||||
Loading…
Add table
Add a link
Reference in a new issue