Security Audit Report
Static Application Security Testing (SAST), supply-chain analysis, and historical secret scanning of the BitDEX codebase.
Methodology
The full BitDEX codebase — frontend (Next.js / TypeScript), API worker (Cloudflare Workers / TypeScript), and 199 commits of Git history — was analyzed using industry-standard security tooling. Each tool was run against its native ruleset with vendor-supplied configurations. Vendored third-party libraries and build artifacts were excluded from in-scope code per standard practice.
Native tool outputs are linked below in their original formats (SARIF 2.1.0, JSON, plain text). All findings, methodology, and tool configurations are reproducible from the same commit.
Results Summary
| Tool | Version | Coverage | Result |
|---|---|---|---|
| CodeQL (security-extended) | 2.25.4 | Deep semantic analysis — 100+ taint-tracking queries across the CWE catalog | 0 vulnerabilities |
| Semgrep (auto-config) | 1.157.0 | 213 rules across 108 source files | 0 issues |
| Trivy (secrets + misconfig) | 0.70 | Filesystem secret detection + IaC configuration analysis | 0 secrets · 0 misconfigurations |
| Gitleaks | 8.x | 216 commits of Git history + live working tree | 0 secrets |
Native Tool Reports
Unmodified outputs from each scanner. SARIF 2.1.0 is the industry-standard interchange format used by GitHub Advanced Security, Microsoft Defender, and major audit firms. JSON is a machine-readable raw output.
| Tool | Format | File |
|---|---|---|
| CodeQL | SARIF 2.1.0 | codeql-security-extended.sarif |
| Semgrep | SARIF 2.1.0 | semgrep-results.sarif |
| Semgrep | JSON | semgrep-results.json |
| Trivy | JSON | trivy-secrets-misconfig.json |
| Trivy | Plain text | trivy-secrets-misconfig.txt |
| Gitleaks | JSON (history) | gitleaks-history.json |
| Gitleaks | JSON (working tree) | gitleaks-fs.json |
Tool Coverage Detail
CodeQL — security-extended suite
GitHub's deep semantic analysis tool. The security-extended
query pack runs more than 100 taint-tracking queries covering
injection, broken authentication, insecure deserialization,
prototype pollution, regular-expression denial of service,
server-side request forgery, hardcoded credentials, and the broader
CWE catalog. CodeQL builds a complete data-flow database of the
codebase and traces values from source to sink across function
boundaries.
Semgrep — auto-config
Pattern-based static analysis used by Stripe, Slack, Snowflake,
and many other enterprises. The auto configuration
ran 213 rules covering OWASP Top 10, JavaScript and TypeScript
best practices, JWT handling, secret detection, and security
antipatterns across 108 source files in the BitDEX codebase.
Trivy — secret + misconfiguration scanning
Aqua Security's scanner. Configured for secret detection and infrastructure-as-code misconfiguration analysis. Scans every file in the working tree against a curated set of 100+ secret-pattern regular expressions (AWS keys, Stripe keys, GitHub tokens, generic API keys, etc.) and configuration-security rules.
Gitleaks — full Git history
Specialized secret-leakage scanner that walks the entire Git
history (every commit on every branch) and the live working tree.
Configured against an allowlist for known-good non-secret patterns
(application-namespace strings used as localStorage
keys; deterministic test-fixture transaction IDs in unit tests).
Architecture Notes
BitDEX is a non-custodial DMT Marketplace. The architecture uses:
- Frontend. Static-exported Next.js application served via Cloudflare Pages. No server-side rendering or Node.js runtime in production.
- API. Single Cloudflare Worker (
api.bitdex.trade) backed by Cloudflare D1 (SQLite) and Cloudflare KV. No traditional servers to compromise. - Wallet integration. All transaction signing happens client-side in the user's wallet (UniSat, Xverse, OKX, Magic Eden, Leather via the LaserEyes adapter). BitDEX never has access to private keys or seed phrases.
- Trade primitive. PSBT atomic-swap. The seller signs
SIGHASH_SINGLE | ANYONECANPAYover a defined output structure; the buyer fills the remaining inputs and outputs and broadcasts. This prevents value extraction during the signing-and-broadcasting handoff.
The non-custodial architecture means the most common attack surfaces of custodial protocols (admin-key compromise, cold-storage breach) do not apply to BitDEX. The audit covers the full attack surface for this architecture.
Verification
To independently re-run this audit against the same commit, the following commands reproduce every result. Tool versions are listed in the summary table above.
git checkout 4e0deae # CodeQL codeql pack download codeql/javascript-queries codeql database create db --language=javascript-typescript --source-root=. codeql database analyze db --format=sarif-latest \ --output=codeql.sarif \ codeql/javascript-queries:codeql-suites/javascript-security-extended.qls # Semgrep semgrep --config=auto \ --exclude=node_modules --exclude=.next --exclude=out --exclude=vendor \ --sarif --output=semgrep.sarif web backend # Trivy trivy fs --scanners secret,misconfig \ --skip-dirs 'web/node_modules,backend/node_modules,web/.next,web/out,web/vendor' \ --format json --output=trivy.json . # Gitleaks gitleaks git --config .gitleaks.toml --report-format json \ --report-path gitleaks-history.json gitleaks dir --config .gitleaks.toml --report-format json \ --report-path gitleaks-fs.json