infosec-us-team/daf
What is DAF

DAF is a daily activity feed that tracks recent bug fixes and code changes in GitHub repositories enrolled in Immunefi bug bounty programs. Each day, protocols update their code to address vulnerabilities or add features. DAF brings these updates from across the Web3 ecosystem into one place.

Website (demo): https://infosec-us-team.github.io/daf/frontend-daf/src/

At the time of writing, there are 427 GitHub repositories with a bug bounty program in Immunefi.

How to use it

This repo helps you generate a static site with all pull requests merged today in all GitHub repositories listed as assets in scope in Immunefi.

Spot security patches and new features by searching for the words "fix" and "bug" in pull request titles and commit messages. This is a plain keyword match, so expect some noise (a "fix" may only be a typo correction) and read the diff before drawing conclusions.

The site includes:

  • Pull requests, including their title, date, and a link to the PR
  • Every commit, including its title and a link to it
  • The author of every commit, including their name, avatar, and a link to their GitHub profile
  • Protocol name, avatar, and a link to the GitHub account
  • The rewards ($) for every severity on the bug bounty program, and a link to it
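The "fix"/"bug" search above is a keyword heuristic, and the interesting part is making it precise: `\b` word boundaries so "prefix" does not count as "fix", and a way to push documentation-only fixes down the list. The script below is an added example, not code from the daf repository. The PR records are constructed, and the extra security vocabulary (reentrancy, overflow, CVE, audit) is this example's own addition rather than anything DAF itself searches for.

```python
"""Keyword triage over a day's merged PRs, in the spirit of DAF's "fix"/"bug"
search. Added example, not code from the daf repository; the PR records
below are constructed, and the extra security vocabulary is this example's own."""
import re
from dataclasses import dataclass, field
from typing import List

# Word-boundary patterns: "fix", "fixed", "bugfix", "hotfix" count, but a plain
# substring search would also flag "prefix" and "suffix", so \b is essential.
KEYWORDS = {
    "fix": re.compile(r"\b(?:fix(?:es|ed|ing)?|bug-?fix(?:es)?|hot-?fix(?:es)?)\b", re.I),
    "bug": re.compile(r"\bbugs?\b", re.I),
    "security": re.compile(
        r"\b(?:vulnerab\w*|exploit\w*|security|CVE-\d{4}-\d{4,}|reentranc\w*|"
        r"overflow|underflow|audit\w*|harden\w*|mitigat\w*)\b", re.I),
}

# A "fix" in a title like "fix typo in README" is real but rarely worth a look.
LOW_SIGNAL = re.compile(r"\b(?:typo|readme|docs?|comments?|changelog|lint|format(?:ting)?)\b", re.I)


@dataclass
class PullRequest:
    repo: str
    number: int
    title: str
    commit_messages: List[str] = field(default_factory=list)


def matched_keywords(pr: PullRequest) -> List[str]:
    """Keyword buckets that hit anywhere in the title or the PR's commit messages."""
    text = "\n".join([pr.title, *pr.commit_messages])
    return sorted(name for name, pat in KEYWORDS.items() if pat.search(text))


def is_low_signal(pr: PullRequest) -> bool:
    return LOW_SIGNAL.search(pr.title) is not None


def triage(prs):
    """Split PRs into (hot, noise, rest): security/fix work first, doc-only fixes
    set aside, everything unmatched last."""
    hot, noise, rest = [], [], []
    for pr in prs:
        kws = matched_keywords(pr)
        if not kws:
            rest.append(pr)
        elif is_low_signal(pr) and "security" not in kws:
            noise.append(pr)
        else:
            hot.append(pr)
    # Security vocabulary outranks a bare "fix"; more buckets outrank fewer.
    hot.sort(key=lambda p: ("security" not in matched_keywords(p), -len(matched_keywords(p))))
    return hot, noise, rest


# Constructed sample data: a fictional protocol, not records pulled from GitHub.
SAMPLE_PRS = [
    PullRequest("example-protocol/core", 101, "Fix reentrancy in withdraw()",
                ["fix: add nonReentrant modifier", "test: reentrancy regression"]),
    PullRequest("example-protocol/core", 102, "Add prefix to log lines", ["feat: log prefix"]),
    PullRequest("example-protocol/core", 103, "fix typo in README", ["docs: fix typo"]),
    PullRequest("example-protocol/oracle", 104, "Bump oracle heartbeat",
                ["bugfix: clamp stale price (audit finding)"]),
    PullRequest("example-protocol/core", 105, "chore: bump solc to 0.8.24"),
]

if __name__ == "__main__":
    hot, noise, rest = triage(SAMPLE_PRS)
    for label, bucket in (("HOT", hot), ("NOISE", noise), ("REST", rest)):
        for pr in bucket:
            print(f"{label:5} {pr.repo}#{pr.number} {pr.title!r} {matched_keywords(pr)}")
```

Note that PR 104 is flagged only because of its commit message: a title like "Bump oracle heartbeat" says nothing, which is why DAF lists commits as well as PR titles.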

Architecture

DAF has a backend and a frontend.

Backend

The backend automates gathering GitHub repositories listed in Immunefi, extracting bounty information, scanning pull requests and commits, and generating a static website (the frontend).

Frontend

A static site using Tailwind CSS.

Run locally

Requirements

  • ibb - A CLI tool to find anything from the Immunefi REST API with as few keystrokes as possible (by infosec_us_team)
  • jq - JSON processor for command-line data manipulation
  • Python 3.x environment

Clone the repository:

git clone https://github.com/infosec-us-team/daf.git
cd daf

To avoid hitting GitHub's API rate limit, use a personal access token. DAF only reads public repositories, so the token needs no scopes at all (for a fine-grained token, read-only access to public repositories is enough); a token with no scopes that leaks can do nothing more than read public data.

Create a .env file outside of the project folder (yes, outside: don't rely on your .gitignore to keep the token out of a commit), and make the file readable only by your own user.

Your file structure should look like this:

.env
daf/
 ├─backend-daf/
 ├─frontend-daf/
 ├─readme-resources/
 └─README.md

Add your personal access token to the .env file:

GITHUB_TOKEN=your_token_here

Monitor all repositories

Step 1: Get an updated list of protocols and assets in scope from Immunefi.

# First, cd into `./backend-daf/`
cd backend-daf

./read-protocols-from-immunefi.sh

Step 2: Scan for pull requests merged today in all GitHub repositories in scope.

python3 ./scan-all-prs.py

Step 3: Generate a static site with the data.

python3 ./create-static-site-for-all-protocols.py

You should have a static site at ./frontend-daf/src/index.html

Step 4: Run an HTTP server so you can access the site from any device on the local network.

# cd out of backend-daf and into frontend-daf
cd ../frontend-daf/src/

# run the http server (it binds to all interfaces by default, which is what
# makes the site reachable from the LAN; add --bind 127.0.0.1 to keep it local)
python3 -m http.server 8000

Monitor target protocols

Step 1: Add a target protocol using a single command.

# First, cd into `./backend-daf/`
cd backend-daf

./add-protocol-from-immunefi.sh layerzero
# or another program id from Immunefi/ibb, e.g.:
./add-protocol-from-immunefi.sh listadao

This fetches the program logo, rewards, and GitHub repositories in scope and appends them to backend-daf/target_protocols.json.

Step 2: (Optional) Customize repositories.

You can add or remove GitHub repositories for any target directly in backend-daf/target_protocols.json under the assetUrls array of the protocol you added.

Step 3: Scan for pull requests merged today in your target's GitHub repositories.

python3 ./scan-target-prs.py

Step 4: Generate a static site with the data.

python3 ./create-static-site-for-target-protocols.py

You should have a static site at ./frontend-daf/src/targets.html

Step 5: Run an HTTP server so you can access the site from any device on the local network.

# cd out of backend-daf and into frontend-daf
cd ../frontend-daf/src/

# run the http server (it binds to all interfaces by default, which is what
# makes the site reachable from the LAN; add --bind 127.0.0.1 to keep it local)
python3 -m http.server 8000

Monitor target repositories

If you already followed the "Monitor target protocols" section but prefer a tailored approach or want to reduce clutter, you are free to modify which repositories to scan for pull requests.

For example, we prefer to skip repositories related to the dApp's website UI.

To do so, modify the JSON file located at backend-daf/target_protocols.json and remove or add repositories in the assetUrls array of the target protocol.

Next time, you can skip steps 1 and 2. Start at step 3 (scanning PRs merged today), then proceed to steps 4 and 5 (generate the static site and serve it).
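Editing target_protocols.json by hand works, but a repeatable filter is easier to review and to re-run after the next `add-protocol-from-immunefi.sh`. The script below is an added example, not project code; it serves both the "Customize repositories" step above and this section. The README only states that each target carries an `assetUrls` array, so rather than assuming the file's top-level shape the script walks whatever JSON it is given and filters every `assetUrls` list it meets. The rule for what counts as a UI repository is this example's own heuristic, and the sample documents are constructed.

```python
"""Trim DAF's target_protocols.json to the repositories you actually want
scanned. Added example, not project code: the README only says each target
carries an `assetUrls` array, so this walks whatever JSON shape the file has
and filters every `assetUrls` list it meets. What counts as a UI repository is
this example's own heuristic."""
import json
import re
import shutil
import sys
from pathlib import Path

# Repository names typical for a dApp front end; only the last URL path segment
# is tested, so "github.com/org/app-frontend" is pruned and "github.com/org/core" kept.
UI_NAME = re.compile(
    r"frontend|front-end|website|webapp|landing|interface|(?:^|[-_.])(?:ui|web|app|dapp)$",
    re.I,
)


def is_ui_repo(url: str) -> bool:
    name = url.rstrip("/").rsplit("/", 1)[-1]
    return UI_NAME.search(name) is not None


def prune_asset_urls(node, should_drop=is_ui_repo):
    """Recursively filter every `assetUrls` list in `node` in place.
    Returns the list of URLs removed, so the change can be reviewed."""
    removed = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "assetUrls" and isinstance(value, list):
                kept = [u for u in value if not (isinstance(u, str) and should_drop(u))]
                removed.extend(u for u in value if u not in kept)
                value[:] = kept
            else:
                removed.extend(prune_asset_urls(value, should_drop))
    elif isinstance(node, list):
        for item in node:
            removed.extend(prune_asset_urls(item, should_drop))
    return removed


def prune_file(path: Path, should_drop=is_ui_repo):
    """Rewrite `path`, keeping a .bak copy of the original next to it."""
    doc = json.loads(path.read_text())
    removed = prune_asset_urls(doc, should_drop)
    if removed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(json.dumps(doc, indent=2) + "\n")
    return removed


# Constructed samples in two plausible shapes (a list of targets and a map of
# targets); neither is a copy of the real file.
SAMPLE_LIST = [
    {"id": "example-protocol", "assetUrls": [
        "https://github.com/example-protocol/core-contracts",
        "https://github.com/example-protocol/app-frontend",
        "https://github.com/example-protocol/example-ui",
    ]},
]
SAMPLE_MAP = {"targets": {"example-protocol": {"assetUrls": [
    "https://github.com/example-protocol/periphery",
    "https://github.com/example-protocol/docs-website/",
]}}}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("backend-daf/target_protocols.json")
    for url in prune_file(target):
        print("removed", url)
```

Run it from the repository root after step 1 of "Monitor target protocols"; the printed list is what disappeared from the scan, and the .bak file lets you undo. Keep the name heuristic conservative: a false positive silently removes a contract repository from the feed, which is worse than a little UI noise.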

Using a cron job to run periodically

You can also create a script that runs the fetch, scan and generate steps (steps 1 to 3 of "Monitor all repositories", or steps 3 and 4 of "Monitor target protocols"), and use a crontab to run it on a schedule; the HTTP server step only needs to be started once.

Open crontab:

crontab -e

Add a job:

0 1 * * * /path/to/script.sh

This runs your script daily at 1am. Remember that cron starts the script with a near-empty environment and from your home directory, so the script has to cd into backend-daf itself, know where the .env file lives, and have ibb and jq on its PATH.
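A wrapper that is safe to hand to cron has to do three things the interactive steps above do for you: find the repository, get the token out of .env without `source`-ing it, and refuse to run if the token file is readable by other local users. The script below is an added example, not part of the daf repository. It assumes the clone lives at DAF_HOME (default ~/daf) with .env one directory above it, exactly the layout shown in "Run locally", and simply runs the three "Monitor all repositories" commands from backend-daf/ the way you would by hand; the token shape check and the .env parser are this example's own.

```python
#!/usr/bin/env python3
"""Cron wrapper for the DAF pipeline. Added example, not part of the daf
repository. Assumes the clone lives at DAF_HOME (default ~/daf) with .env one
directory above it, exactly the layout the README shows, and runs the three
"Monitor all repositories" commands from backend-daf/ as you would by hand."""
import os
import re
import stat
import subprocess
import sys
from pathlib import Path

DAF_HOME = Path(os.environ.get("DAF_HOME", Path.home() / "daf"))
ENV_FILE = Path(os.environ.get("DAF_ENV_FILE", DAF_HOME.parent / ".env"))

STEPS = [
    ["./read-protocols-from-immunefi.sh"],
    ["python3", "./scan-all-prs.py"],
    ["python3", "./create-static-site-for-all-protocols.py"],
]

ENV_LINE = re.compile(r"^([A-Z_][A-Z0-9_]*)=(.*)$")
# Classic (ghp_...) and fine-grained (github_pat_...) tokens are long and
# contain only these characters; anything else is probably a paste mistake.
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9_]{20,}")


def perms_ok(mode: int) -> bool:
    """True when no group/other permission bits are set (0600 or 0400)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def check_env_perms(path: Path) -> bool:
    return perms_ok(path.stat().st_mode)


def parse_env_text(text: str) -> dict:
    """Parse KEY=value lines. The file is never sourced by a shell, so a line
    such as GITHUB_TOKEN=$(curl ...) stays a literal string and runs nothing."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        values[m.group(1)] = m.group(2).strip().strip('"').strip("'")
    if not values.get("GITHUB_TOKEN"):
        raise ValueError("GITHUB_TOKEN missing from .env")
    return values


def token_looks_sane(token: str) -> bool:
    return TOKEN_SHAPE.fullmatch(token) is not None


def load_env_file(path: Path) -> dict:
    return parse_env_text(path.read_text())


def run_pipeline(env: dict) -> None:
    # cron starts with a near-empty environment, so pass the token explicitly
    # on top of whatever cron did provide (PATH in particular).
    child_env = {**os.environ, **env}
    for cmd in STEPS:
        subprocess.run(cmd, cwd=DAF_HOME / "backend-daf", env=child_env, check=True)


def main() -> int:
    if not ENV_FILE.is_file():
        print(f"missing {ENV_FILE}", file=sys.stderr)
        return 2
    if not check_env_perms(ENV_FILE):
        print(f"{ENV_FILE} is readable by other users; run: chmod 600 {ENV_FILE}", file=sys.stderr)
        return 2
    try:
        env = load_env_file(ENV_FILE)
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 2
    if not token_looks_sane(env["GITHUB_TOKEN"]):
        print("GITHUB_TOKEN does not look like a GitHub token", file=sys.stderr)
        return 2
    run_pipeline(env)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Point the crontab entry at it (for example `0 1 * * * /usr/bin/python3 /path/to/daf_cron.py >> /path/to/daf-cron.log 2>&1`) and, if ibb or jq live outside cron's default PATH, set `PATH=...` on its own line at the top of the crontab. The wrapper exits non-zero before touching the network whenever the .env file is missing, too permissive, malformed, or holds something that is not a token, so a misconfigured cron job fails loudly instead of burning the unauthenticated rate limit.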

Maintenance

There is no guarantee that the code in this repository will be maintained if Immunefi or GitHub changes their APIs.

About

Daily activity feed of bug fixes and code changes in GitHub repositories listed as assets in scope for bug bounty programs in Immunefi.
