# ============================================================================
# SENTINEL ENGINE - PR MODE CONFIGURATION
# ============================================================================
# Profile: Fast blocker checks for pull request validation
# Speed: Fast (blockers only, skip slow fuzzing)
# Use Case: GitHub Actions PR checks, pre-commit hooks
# ============================================================================
[engine]
name = "Sentinel Security Engine"
version = "3.4.0"
profile = "pr"
# Fail only on CRITICAL/HIGH (blockers). This expresses the same threshold as
# fail_on_critical / fail_on_high under [ci]; change both together.
fail_on_severity = "HIGH"
# Limit findings for fast feedback (stop after 50). A PR that hits the cap may
# still contain unreported findings; presumably the cap counts findings of every
# severity, so a flood of LOW results could push blockers past it — TODO confirm
# with the engine's ordering.
max_findings = 50
# ============================================================================
# HEURISTIC SCANNER
# ============================================================================
[heuristics]
enabled = true
# PR mode: Disable noisy/low-signal rules. A disabled rule produces no finding
# at all, so it cannot surface even as an advisory in PR comments.
[heuristics.disabled_rules]
CONSOLE_LOG = true # Too noisy in development
FLOATING_PRAGMA = true # Not a blocker
# Often false positive for timelocks. While this rule is off, the
# [[suppressions]] entry for the same rule below has no effect.
BLOCK_TIMESTAMP_RANDOMNESS = true # Often false positive for timelocks
# Keep critical patterns as CRITICAL so they block under fail_on_severity = "HIGH"
[heuristics.severity_overrides]
UNCHECKED_EXTERNAL_CALL = "CRITICAL"
ORACLE_STALENESS_CHECK = "CRITICAL"
FLASH_LOAN_REENTRANCY = "CRITICAL"
STORAGE_COLLISION_RISK = "CRITICAL"
# Downgrade advisory patterns. With fail_on_medium = false and fail_on_low = false
# under [ci], neither of these blocks a PR; they are reported as advisories only.
# tx.origin used as an authorization check is a well-known risk, so revisit the
# MEDIUM downgrade if the codebase gates privileged calls on tx.origin.
TX_ORIGIN_USAGE = "MEDIUM"
HARDCODED_ADDRESS = "LOW" # Expected for oracles/routers
# ============================================================================
# STATIC ANALYSIS
# ============================================================================
[static_analysis]
slither_enabled = true
aderyn_enabled = false # Skip for speed (enable in audit mode)
mythril_enabled = false # Too slow
# Slither: informational, low and optimization results are excluded below,
# so medium and high results remain.
[static_analysis.slither]
detectors = "all"
# Paths excluded from analysis. "script/" commonly holds deploy/upgrade scripts
# that make privileged calls; excluding it is a speed trade-off, not a
# statement that those scripts are safe.
filter_paths = ["test/", "script/", "node_modules/"]
exclude_informational = true
exclude_low = true
exclude_optimization = true
# ============================================================================
# FUZZING
# ============================================================================
[fuzzing]
# Skip fuzzing in PR mode (too slow). Invariant/property violations are
# therefore not caught by PR checks; rely on a profile that enables these.
foundry_enabled = false
medusa_enabled = false
# ============================================================================
# CHAIN-SPECIFIC ANALYSIS
# ============================================================================
[chain]
# Quick Solana checks only
solana_enabled = true
[chain.solana]
# Program IDs treated as trusted. Keep this list short and verify each entry
# against a canonical source before extending it.
trusted_programs = [
"TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA", # SPL Token program — confirm
"ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL", # Associated Token Account program — confirm
]
[chain.evm]
# Contract addresses treated as trusted. An address is only meaningful on one
# network: the same hex on another chain can be an unrelated or attacker-deployed
# contract, so record the chain each entry is for and scope trust accordingly.
trusted_contracts = [
"0x5f4eC3Df9cbd43714FE2740f5E3616155c5b8419", # Chainlink ETH/USD (Ethereum mainnet — confirm)
]
# ============================================================================
# UPGRADE SAFETY
# ============================================================================
[upgrade_diff]
enabled = true
strict_mode = true # Always check upgrade safety
# Patterns the upgrade check ignores (presumably storage-layout differences).
# Keep this list minimal: every entry is a change that will not be flagged.
ignore_patterns = [
"uint256[*] private __gap", # reserved storage gap; resizing it is the expected way to add fields
]
# ============================================================================
# REPORTING
# ============================================================================
[reporting]
format = "markdown"
html_enabled = false # Skip HTML in PR (faster)
json_enabled = true # JSON for GitHub Actions
# Concise output (blockers only)
# NOTE(review): "standard" may not be the most concise level the engine accepts — confirm
verbosity = "standard"
group_by = "file"
# Snippets and remediation text are included wherever the report is published
# (see [ci.github_actions]); on a public repository that output is world-readable.
include_code_snippets = true
include_remediation = true
include_references = false # Skip for brevity
# Report sections. Keep these in step with the analyses enabled above
# (fuzzing is off in [fuzzing], so its section is off here too).
[reporting.sections]
heuristics = true
static_analysis = true
fuzzing = false
supply_chain = false # Skip in PR
threat_intel = false # Skip in PR
upgrade_safety = true
solana_analysis = true
liar_detector = true
access_matrix = true
# ============================================================================
# CI/CD INTEGRATION
# ============================================================================
[ci]
enabled = true
# PR mode: Fail only on blockers. Mirrors engine.fail_on_severity = "HIGH";
# change both together.
fail_on_critical = true
fail_on_high = true
fail_on_medium = false # Advisory only
fail_on_low = false
[ci.github_actions]
sarif_upload = true
# Advisories (with code snippets, per [reporting]) are posted on the PR. On a
# public repo they are readable by anyone; on PRs from forks the workflow token
# may lack permission to comment, so this can silently be a no-op there.
pr_comments = true # Post advisories as comments
annotations = true
# ============================================================================
# SUPPRESSIONS
# ============================================================================
# Common false positives suppressed by default in PR mode
[[suppressions]]
# File-scoped: silences the rule for the whole file, including code added
# later, so re-review suppressions whenever the file changes. This rule is
# also disabled in [heuristics.disabled_rules]; the entry only matters if
# that is re-enabled.
rule_id = "BLOCK_TIMESTAMP_RANDOMNESS"
file = "contracts/Timelock.sol"
reason = "Timestamp used for delay, not randomness"
[[suppressions]]
# File-scoped: a new hardcoded address anywhere in Oracle.sol is silenced too.
rule_id = "HARDCODED_ADDRESS"
file = "contracts/Oracle.sol"
reason = "Chainlink oracle address (expected)"