Comprehensive Security Testing #1007
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/comprehensive-testing.yml | |
| # Comprehensive testing workflow for Eos with security-focused fuzzing | |
| name: Comprehensive Security Testing | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run nightly comprehensive fuzzing | |
| - cron: '0 2 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| fuzz_duration: | |
| description: 'Fuzz test duration' | |
| required: false | |
| default: '5m' | |
| type: string | |
| enable_chaos: | |
| description: 'Enable chaos engineering' | |
| required: false | |
| default: false | |
| type: boolean | |
| security_focus: | |
| description: 'Focus on security-critical tests' | |
| required: false | |
| default: true | |
| type: boolean | |
| env: | |
| GO_VERSION: '1.25' | |
| FUZZ_DURATION: ${{ github.event.inputs.fuzz_duration || '2m' }} | |
| SECURITY_FOCUS: ${{ github.event.inputs.security_focus || 'true' }} | |
| CHAOS_MODE: ${{ github.event.inputs.enable_chaos || 'false' }} | |
| jobs: | |
| # Quick validation tests | |
| quick-validation: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Install dependencies | |
| run: | | |
| go mod download | |
| go install -race std | |
| - name: Lint code | |
| run: | | |
| go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest | |
| golangci-lint run --timeout=10m --config=.golangci.yml | |
| - name: Quick unit tests | |
| run: | | |
| go test -race -short ./pkg/... | |
| - name: Quick fuzz validation | |
| run: | | |
| chmod +x ./scripts/run-fuzz-tests.sh | |
| ./scripts/run-fuzz-tests.sh 10s | |
| # Security-focused fuzzing | |
| security-fuzzing: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| needs: quick-validation | |
| strategy: | |
| matrix: | |
| focus: [crypto, security, input-validation, template-injection] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y stress-ng bc | |
| - name: Run security-focused fuzzing | |
| run: | | |
| chmod +x ./scripts/comprehensive-fuzz-runner.sh | |
| export SECURITY_FOCUS=true | |
| export ARCHITECTURE_TESTING=false | |
| ./scripts/comprehensive-fuzz-runner.sh ${{ env.FUZZ_DURATION }} | |
| - name: Upload security test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: security-fuzz-results-${{ matrix.focus }} | |
| path: | | |
| /tmp/eos-comprehensive-fuzz/security/ | |
| /tmp/eos-comprehensive-fuzz/comprehensive-fuzz-*.md | |
| retention-days: 30 | |
| - name: Check for security violations | |
| run: | | |
| if grep -r "SECURITY VIOLATION\|CRASH DETECTED" /tmp/eos-comprehensive-fuzz/ 2>/dev/null; then | |
| echo " Security violations detected!" | |
| grep -r "SECURITY VIOLATION\|CRASH DETECTED" /tmp/eos-comprehensive-fuzz/ || true | |
| exit 1 | |
| fi | |
| # Architecture-specific testing | |
| architecture-testing: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| needs: quick-validation | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install HashiCorp tools (for testing) | |
| run: | | |
| # Install Terraform | |
| wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
| echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
| sudo apt-get update | |
| sudo apt-get install -y terraform nomad consul vault | |
| - name: Run architecture-specific fuzzing | |
| run: | | |
| chmod +x ./scripts/comprehensive-fuzz-runner.sh | |
| export SECURITY_FOCUS=false | |
| export ARCHITECTURE_TESTING=true | |
| ./scripts/comprehensive-fuzz-runner.sh ${{ env.FUZZ_DURATION }} | |
| - name: Upload architecture test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: architecture-test-results | |
| path: | | |
| /tmp/eos-comprehensive-fuzz/architecture/ | |
| /tmp/eos-comprehensive-fuzz/comprehensive-fuzz-*.md | |
| retention-days: 30 | |
| # Chaos engineering tests | |
| chaos-engineering: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: [security-fuzzing, architecture-testing] | |
| if: ${{ github.event.inputs.enable_chaos == 'true' || github.event_name == 'schedule' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install chaos engineering tools | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y stress-ng htop iotop | |
| - name: Run chaos engineering tests | |
| run: | | |
| chmod +x ./scripts/comprehensive-fuzz-runner.sh | |
| export CHAOS_MODE=true | |
| export SECURITY_FOCUS=true | |
| export ARCHITECTURE_TESTING=true | |
| ./scripts/comprehensive-fuzz-runner.sh ${{ env.FUZZ_DURATION }} | |
| - name: Upload chaos test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: chaos-engineering-results | |
| path: | | |
| /tmp/eos-comprehensive-fuzz/chaos/ | |
| /tmp/eos-comprehensive-fuzz/comprehensive-fuzz-*.md | |
| retention-days: 30 | |
| # Property-based testing | |
| property-testing: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: quick-validation | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run property-based tests | |
| run: | | |
| go test -v -run TestOrchestrationProperties ./pkg/testing | |
| go test -v -run TestSecurityProperties ./pkg/testing | |
| go test -v -run TestStateConsistencyProperties ./pkg/testing | |
| - name: Upload property test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: property-test-results | |
| path: | | |
| /tmp/eos-comprehensive-fuzz/property_*.log | |
| retention-days: 30 | |
| # Performance regression testing | |
| performance-testing: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| needs: quick-validation | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install benchstat | |
| run: go install golang.org/x/perf/cmd/benchstat@latest | |
| - name: Run performance benchmarks | |
| run: | | |
| go test -bench=. -benchmem -count=5 ./pkg/security ./pkg/crypto ./pkg/execute > benchmarks.txt | |
| - name: Analyze benchmark results | |
| run: | | |
| benchstat benchmarks.txt > benchmark_analysis.txt | |
| cat benchmark_analysis.txt | |
| - name: Upload benchmark results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: performance-benchmarks | |
| path: | | |
| benchmarks.txt | |
| benchmark_analysis.txt | |
| retention-days: 30 | |
| # Coverage analysis | |
| coverage-analysis: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 25 | |
| needs: quick-validation | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run tests with coverage | |
| run: | | |
| go test -v -coverprofile=coverage.out -covermode=atomic ./pkg/... | |
| go tool cover -html=coverage.out -o coverage.html | |
| go tool cover -func=coverage.out | grep total | awk '{print "Total coverage:", $3}' | |
| - name: Upload coverage results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: coverage-report | |
| path: | | |
| coverage.out | |
| coverage.html | |
| retention-days: 30 | |
| - name: Upload to Codecov | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| file: ./coverage.out | |
| flags: unittests | |
| name: codecov-umbrella | |
| # Integration testing | |
| integration-testing: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 40 | |
| needs: [security-fuzzing, architecture-testing] | |
| services: | |
| postgres: | |
| image: postgres:15 | |
| env: | |
| POSTGRES_PASSWORD: testpass | |
| POSTGRES_DB: testdb | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run integration tests | |
| env: | |
| POSTGRES_URL: postgres://postgres:testpass@localhost:5432/testdb?sslmode=disable | |
| run: | | |
| go test -v -timeout=30m ./test/integration_test.go | |
| go test -v -timeout=30m ./test/integration_scenarios_test.go | |
| - name: Upload integration test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: integration-test-results | |
| path: | | |
| /tmp/eos-test-* | |
| retention-days: 30 | |
| # Final security report | |
| security-report: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| needs: [security-fuzzing, chaos-engineering, property-testing] | |
| if: always() | |
| steps: | |
| - name: Download all test artifacts | |
| uses: actions/download-artifact@v3 | |
| - name: Generate comprehensive security report | |
| run: | | |
| echo "# Eos Comprehensive Security Test Report" > security_report.md | |
| echo "" >> security_report.md | |
| echo "**Generated:** $(date)" >> security_report.md | |
| echo "**Trigger:** ${{ github.event_name }}" >> security_report.md | |
| echo "**Duration:** ${{ env.FUZZ_DURATION }}" >> security_report.md | |
| echo "" >> security_report.md | |
| echo "## Security Test Results" >> security_report.md | |
| echo "" >> security_report.md | |
| # Check for security violations across all artifacts | |
| if find . -name "*.md" -exec grep -l "SECURITY VIOLATION\|CRASH DETECTED" {} \; | head -1; then | |
| echo " **SECURITY ISSUES DETECTED**" >> security_report.md | |
| echo "" >> security_report.md | |
| find . -name "*.md" -exec grep -H "SECURITY VIOLATION\|CRASH DETECTED" {} \; >> security_report.md | |
| else | |
| echo "**No security violations detected**" >> security_report.md | |
| fi | |
| echo "" >> security_report.md | |
| echo "## Test Coverage" >> security_report.md | |
| # Summarize test results | |
| echo "- Security-focused fuzzing: Completed" >> security_report.md | |
| echo "- Architecture testing: Completed" >> security_report.md | |
| echo "- Property-based testing: Completed" >> security_report.md | |
| if [ "${{ env.CHAOS_MODE }}" = "true" ]; then | |
| echo "- Chaos engineering: Completed" >> security_report.md | |
| fi | |
| cat security_report.md | |
| - name: Upload security report | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: comprehensive-security-report | |
| path: security_report.md | |
| retention-days: 90 | |
| - name: Comment on PR with security results | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const report = fs.readFileSync('security_report.md', 'utf8'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: `## 🔒 Comprehensive Security Test Results\n\n${report}` | |
| }); | |
| # Nightly extended fuzzing | |
| nightly-extended-fuzzing: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 480 # 8 hours | |
| if: github.event_name == 'schedule' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y stress-ng bc htop iotop | |
| - name: Run extended fuzzing | |
| run: | | |
| chmod +x ./scripts/comprehensive-fuzz-runner.sh | |
| export CHAOS_MODE=true | |
| export SECURITY_FOCUS=true | |
| export ARCHITECTURE_TESTING=true | |
| export PARALLEL_JOBS=16 | |
| ./scripts/comprehensive-fuzz-runner.sh 30m | |
| - name: Upload extended test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: nightly-extended-fuzzing-results | |
| path: | | |
| /tmp/eos-comprehensive-fuzz/ | |
| retention-days: 90 | |
| - name: Create issue on security failures | |
| if: failure() | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: ` Nightly Security Fuzzing Failed - ${new Date().toISOString().split('T')[0]}`, | |
| body: `Nightly comprehensive security fuzzing has detected potential issues. | |
| **Run Details:** | |
| - Date: ${new Date().toISOString()} | |
| - Duration: 30 minutes per test | |
| - Mode: Extended fuzzing with chaos engineering | |
| **Action Required:** | |
| 1. Review the test artifacts for security violations | |
| 2. Investigate any crashes or panics | |
| 3. Update security measures if necessary | |
| **Artifacts:** Check the workflow run for detailed logs and reports.`, | |
| labels: ['security', 'bug', 'high-priority'] | |
| }); |