ci: Add LLM Security Scan Prompt #171

Draft
0xNeshi wants to merge 15 commits into main from llm-sec-ci-job

0xNeshi (Collaborator) commented Feb 18, 2026

WARNING

  • MOST OF THIS WAS CREATED USING LLM AND IS NOT YET TESTED
  • This is an untested draft proposal created as a result of a recent meeting with auditors who suggested we use similar prompts during development, the idea being to gauge whether this is something we even want to have in our code base
  • Before this is merged, we should double- and triple-check that it is safe to do so (e.g. that it CANNOT POSSIBLY expose any sensitive API keys)

Proposal

How this is imagined to behave:

  • runs whenever main is updated (alternative is to run every X days/weeks to accumulate enough meaningful changes)
  • analyzes the code for likely security vulnerabilities
  • if any potential vulnerabilities are found, the CI job fails and we get a notification on GitHub
  • we verify whether this is an actual vulnerability or an LLM hallucination
    • if the former - we address it
    • if the latter - we ignore it

Potential Issues

1. We already have a tool that does exactly this, it's called X.

Awesome, let's integrate that instead, and close this PR!

2. The CI job implementation actually has a problem with X, it should do Y instead.

It's excellent that you noticed this problem and suggested an improvement! The better we make the CI job now, the more bugs we'll catch when it runs later.

3. The CI job turns out to have too many false positives OR reports too few basic vulnerabilities that are later surfaced in the actual audit.

We try to improve the prompt to improve the job's effectiveness. In the extreme case, we determine the CI job is more often than not useless, so we remove it, and call it a day.

4. The risk of leaking sensitive data is too great to allow running such a CI job.

Fair critique and very important! If possible, let's try to make the LLM sandboxed enough that we feel at ease. If not possible, or we feel too uncomfortable, we shouldn't just close the PR without merging and that's that.
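
A workflow shaped by the constraints in the description above (run on updates to main, fail on findings, keep the API key from leaking), as an added example that is not the workflow from this PR. The secret name `LLM_API_KEY`, the `scripts/llm-scan.sh` wrapper, the prompt path and the `findings.json` layout are assumptions.

```yaml
# Added example: a hypothetical workflow, not the file from this PR.
name: llm-security-scan

on:
  push:
    branches: [main]   # runs on trusted, already-merged code only; fork PRs never reach the secret

permissions:
  contents: read       # GITHUB_TOKEN can read the repo and nothing else

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      # In practice, pin third-party actions to a full commit SHA instead of a tag.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps

      - name: Run LLM scan
        env:
          # Hypothetical secret name; scoped to this step, not to the job or workflow.
          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
        # Hypothetical wrapper: sends the prompt and source files, writes JSON findings.
        run: ./scripts/llm-scan.sh --prompt .github/prompts/security-scan.md --out findings.json

      - name: Fail on findings
        # No secret in this step's environment. The model output is untrusted data:
        # it is only counted here, never executed or echoed into the log.
        run: |
          # Assumed layout: {"findings": [{"file": "...", "title": "..."}]}
          count="$(jq '.findings | length' findings.json)"
          if [ "$count" -gt 0 ]; then
            echo "::error::LLM scan reported $count potential issue(s); triage before dismissing"
            exit 1
          fi
```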

0xNeshi self-assigned this Feb 18, 2026

coderabbitai bot commented Feb 18, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 002fb691-f8cd-4dde-8a65-22a76eb9a861

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


codecov bot commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.88%. Comparing base (63a864e) to head (0faaef0).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #171   +/-   ##
=======================================
  Coverage   89.88%   89.88%           
=======================================
  Files          19       19           
  Lines        1790     1790           
  Branches      484      484           
=======================================
  Hits         1609     1609           
  Misses        168      168           
  Partials       13       13           
Flag                Coverage Δ
contracts/access    44.87% <ø> (ø)
math/core           86.12% <ø> (ø)
math/fixed_point    58.71% <ø> (ø)
