Adding SAST-SCA

[JGowsk9]

Security

-Adding Code Analysis
-Adding Dependency Review
-This Will Block Failing PRs

Fixes #2113

[github-actions]

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

[github-actions]

PR Summary

Added security-focused GitHub Actions workflows for Static Application Security Testing (SAST) and Software Composition Analysis (SCA). The changes introduce a CodeQL analysis workflow (currently disabled) for Swift code scanning on push/PR events to main and dev branches, and a dependency review workflow that blocks PRs introducing known-vulnerable packages of moderate severity or higher. The dependency review workflow includes automated PR comments with vulnerability details and remediation guidance.

Changes

File	Summary
.github/workflows/code-analysis.yml.disabled	Added a CodeQL analysis workflow (disabled) that runs on push/PR to main and dev branches, plus daily scheduled scans. Configures Swift language analysis with security-extended queries, builds the FRW.xcodeproj with code signing disabled, and uploads results to GitHub Security.
.github/workflows/dependency-review.yml	Added a dependency review workflow that scans PRs to main and dev branches for vulnerable dependencies. Fails on moderate+ severity vulnerabilities, posts summary comments in PRs, and includes a failure handler job that adds detailed remediation guidance with security team contact information.

---

autogenerated by presubmit.ai

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.5	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/dependency-review-action	4.*.*	🟢 7.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
actions/actions/github-script	8.*.*	🟢 6.3	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 3 7 existing vulnerabilities detected

Scanned Files

• .github/workflows/dependency-review.yml

[github-actions]

🚨 Pull request needs attention.

Review Summary

Commits Considered (1)

• 46255a1: Adding SAST-SCA

Files Processed (2)

• .github/workflows/code-analysis.yml (1 hunk)
• .github/workflows/dependency-review.yml (1 hunk)

Actionable Comments (2)

• .github/workflows/code-analysis.yml [29-29]

  possible bug: "Non-existent action version referenced."

• .github/workflows/dependency-review.yml [28-28]

  possible bug: "Non-existent action version referenced."

Skipped Comments (2)

• .github/workflows/dependency-review.yml [49-49]

  possible issue: "JSON parsing may fail on unexpected input."

• .github/workflows/code-analysis.yml [10-10]

  enhancement: "Daily scheduled runs may be excessive."

[github-actions]

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

[github-actions]

🚨 Pull request needs attention.

Review Summary

Commits Considered (1)

• deca9a8: Updates to branch

Files Processed (2)

• .github/workflows/code-analysis.yml (1 hunk)
• .github/workflows/dependency-review.yml (1 hunk)

Actionable Comments (2)

• .github/workflows/code-analysis.yml [29-29]

  possible bug: "Non-existent action version will cause workflow failure."

• .github/workflows/dependency-review.yml [28-28]

  possible bug: "Non-existent action version will cause workflow failure."

Skipped Comments (1)

• .github/workflows/dependency-review.yml [56-68]

  readability: "Template string indentation will appear in the rendered PR comment."

[github-actions]

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

[github-actions]

✅ LGTM!

Review Summary

Commits Considered (1)

• 84795d0: Fix checkout action version and enable dev & main branch scanning

Files Processed (2)

• .github/workflows/code-analysis.yml (1 hunk)
• .github/workflows/dependency-review.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (4)

• .github/workflows/code-analysis.yml [34-34]

  security: "Pin GitHub Actions to commit SHA for improved security."

• .github/workflows/code-analysis.yml [22-22]

  best practice: "Unnecessary permission granted to workflow."

• .github/workflows/dependency-review.yml [49-49]

  possible bug: "Potential JSON parsing error when vulnerability output is empty or malformed."

• .github/workflows/dependency-review.yml [43-43]

  security: "Pin GitHub Actions to commit SHA for improved security."

[JGowsk9]

Fixes #2113

[github-actions]

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

[lmcmz]

@JGowsk9 It seem the build
failed
https://github.com/onflow/FRW-iOS/actions/runs/20380217403/job/58571415764?pr=2108

[github-actions]

✅ LGTM!

Review Summary

Commits Considered (1)

• eaf200c: Fix CodeQL autobuild with custom build steps

Files Processed (1)

• .github/workflows/code-analysis.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (4)

• .github/workflows/code-analysis.yml [34-34]

  security: "Pin GitHub Actions to commit SHA for improved security."

• .github/workflows/code-analysis.yml [31-31]

  security: "Pin GitHub Actions to commit SHA for improved security."

• .github/workflows/code-analysis.yml [61-61]

  security: "Pin GitHub Actions to commit SHA for improved security."

• .github/workflows/code-analysis.yml [12-12]

  enhancement: "Consider offsetting the scheduled run time."

[github-actions]

✅ LGTM!

Review Summary

Commits Considered (1)

• c5efc4c: Merge branch 'dev' into sec/sast-sca

Files Processed (0)

Actionable Comments (0)

Skipped Comments (0)

[github-actions]

✅ LGTM!

Review Summary

Commits Considered (1)

• 3779038: Simplify CodeQL build to use xcodeproj instead of workspace

Files Processed (1)

• .github/workflows/code-analysis.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (3)

• .github/workflows/code-analysis.yml [34-34]

  best practice: "Consider pinning GitHub Actions to specific versions for reproducibility."

• .github/workflows/code-analysis.yml [12-12]

  enhancement: "Consider adjusting the scheduled cron time to avoid peak hours."

• .github/workflows/code-analysis.yml [22-22]

  security: "Unused permission declared in workflow."

[JGowsk9]

@JGowsk9 It seem the build failed https://github.com/onflow/FRW-iOS/actions/runs/20380217403/job/58571415764?pr=2108

Thanks, @lmcmz ! Any suggestions on how to get a successful build? I've tried both Autobuild and custom builds

[github-actions]

✅ LGTM!

Review Summary

Commits Considered (1)

• a8009bf: Fix xcodebuild architecture conflict in CodeQL workflow

Files Processed (1)

• .github/workflows/code-analysis.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (3)

• .github/workflows/code-analysis.yml [34-34]

  security: "Pin GitHub Actions to commit SHA for improved security."

• .github/workflows/code-analysis.yml [54-54]

  security: "Pin GitHub Actions to commit SHA for improved security."

• .github/workflows/code-analysis.yml [22-22]

  best practice: "Unused permission may be overly permissive."

[github-actions]

✅ LGTM!

Review Summary

Commits Considered (1)

• 551d0af: Temporarily disable CodeQL workflow

Files Processed (1)

• .github/workflows/code-analysis.yml.disabled (1 hunk)

Actionable Comments (0)

Skipped Comments (3)

• .github/workflows/code-analysis.yml.disabled [34-34]

  security: "Pin GitHub Actions to specific commit SHA for supply chain security."

• .github/workflows/code-analysis.yml.disabled [54-54]

  security: "Pin GitHub Actions to specific commit SHA for supply chain security."

• .github/workflows/code-analysis.yml.disabled [12-12]

  enhancement: "Consider reducing scheduled scan frequency to conserve resources."