From 46255a104a809b661e49f9febe386eef7c75fa7f Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Thu, 18 Dec 2025 14:05:56 -0800 Subject: [PATCH 1/7] Adding SAST-SCA
---
 .github/workflows/code-analysis.yml | 47 +++++++++++++++
 .github/workflows/dependency-review.yml | 79 +++++++++++++++++++++++++
 2 files changed, 126 insertions(+)
 create mode 100644 .github/workflows/code-analysis.yml
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
new file mode 100644
index 00000000..6bca5b70
--- /dev/null
+++ b/.github/workflows/code-analysis.yml
@@ -0,0 +1,47 @@
+name: "CodeQL Analysis"
+on:
+ push:
+ branches:
+ - dev
+ pull_request:
+ branches:
+ - dev
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ analyze-code:
+ runs-on: macos-latest
+ timeout-minutes: 60
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ pull-requests: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ languages: ['swift']
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.languages }}
+ queries: security-extended
+
+ # Autobuild attempts to build Swift projects automatically.
+ # For iOS projects, it will try to build the biggest target from your Xcode project/workspace.
+ # If autobuild fails, you can replace this step with manual build commands.
+ # For faster builds, consider targeting a single architecture (e.g., ARCH=arm64).
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v4
+
+ - name: CodeQL Analyze
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{ matrix.languages }}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..8e9e6a6d
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
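Review bot: All four `uses:` lines in the new code-analysis.yml resolve a floating major tag (`actions/checkout@v6`, `github/codeql-action/init@v4`, `github/codeql-action/autobuild@v4`, `github/codeql-action/analyze@v4`), so a workflow introduced for supply-chain scanning itself runs whatever those tags point at on a given day; pinning each to a full-length commit SHA with the release in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # <release-tag>`, is the usual hardening and would also have made the checkout version change in patch 3/7 an explicit, reviewable diff rather than a tag swap. The same applies to the three `uses:` lines in dependency-review.yml later in this patch and to the checkout lines touched in patch 3/7. In the job's `permissions` block, `pull-requests: write` looks broader than the init/analyze steps shown here need — result upload is what `security-events: write` is for — so unless a PR-commenting feature I cannot see depends on it, I would drop that line or reduce it to `pull-requests: read` to keep the GITHUB_TOKEN least-privilege.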
@@ -0,0 +1,79 @@
+# Dependency Review Action
+
+# PRs introducing NEW known-vulnerable packages will be blocked from merging.
+# This will output a GHAS comment in the PR with the details of the vulnerabilities.
+# and will also provide a comment on what to do next.
+
+# IMPORTANT: This action natively supports Swift Package Manager (SPM) dependencies via Package.resolved files.
+# CocoaPods dependencies are tracked separately via the cocoapods-dependency-submission workflow.
+# Note: GitHub's Security Advisory Database has limited CocoaPods vulnerability data.
+
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: "Dependency review"
+on:
+ pull_request:
+ branches: ["dev"]
+
+permissions:
+ contents: read
+ pull-requests: write # Required for PR comments
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ outputs:
+ vulnerable-changes: ${{ steps.review.outputs.vulnerable-changes }}
+ steps:
+ - name: "Checkout repository"
+ uses: actions/checkout@v6
+ - name: "Dependency Review"
+ id: review
+ uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: always
+ fail-on-severity: moderate
+ #allow-ghsas: GHSA-q34m-jh98-gwm2,GHSA-f9vj-2wh5-fj8j EXAMPLE of how to whitelist!
+
+ dependency-review-failure-info:
+ needs: dependency-review
+ if: failure()
+ runs-on: ubuntu-latest
+ steps:
+ - name: Add PR Comment
+ uses: actions/github-script@v8
+ env:
+ VULN_OUTPUT: ${{ needs.dependency-review.outputs.vulnerable-changes }}
+ with:
+ script: |
+ try {
+ const vulnData = JSON.parse(process.env.VULN_OUTPUT || '[]');
+ let details = '';
+
+ for (const pkg of vulnData) {
+ details += `\n📦 **${pkg.name}@${pkg.version}**\n`;
+ }
+
+ const comment = `⚠️ **Security Dependency Review Failed** ⚠️
+
+ This pull request introduces dependencies with security vulnerabilities of moderate severity or higher.
+
+ ### Vulnerable Dependencies:${details}
+
+ ### What to do next?
+ 1. Review the vulnerability details in the Dependency Review comment above, specifically the "Vulnerabilities" section
+ 2. Click on the links in the "Vulnerability" section to see the details of the vulnerability
+ 3. If multiple versions of the same package are vulnerable, please update to the common latest non-vulnerable version
+ 4. If you are unsure about the vulnerability, please contact the security engineer
+ 5. If the vulnerability cannot be avoided (can't upgrade, or need to keep), contact #security on slack to **get it added to the allowlist**
+ \nSecurity Engineering contact: #security on slack`;
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: comment
+ });
+ } catch (error) {
+ console.error('Error processing vulnerability data:', error);
+ throw error;
+ }
From deca9a871b3edf874ae74b22565b279edd5e2d41 Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Thu, 18 Dec 2025 14:15:35 -0800 Subject: [PATCH 2/7] Updates to branch
---
 .github/workflows/code-analysis.yml | 4 ++--
 .github/workflows/dependency-review.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 6bca5b70..40dc5296 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -2,10 +2,10 @@ name: "CodeQL Analysis"
 on:
 push:
 branches:
- - dev
+ - main
 pull_request:
 branches:
- - dev
+ - main
 schedule:
 - cron: '0 0 * * *'
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 8e9e6a6d..9433ea1a 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -12,7 +12,7 @@
 name: "Dependency review"
 on:
 pull_request:
- branches: ["dev"]
+ branches: ["main"]
 permissions:
 contents: read
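Review bot: `if: failure()` on the `dependency-review-failure-info` job fires whenever the upstream job fails for any reason — an API or runner error inside `actions/dependency-review-action` included — so the comment stating that the PR "introduces dependencies with security vulnerabilities" can be posted when nothing was found; gating on the output as well, e.g. `if: failure() && needs.dependency-review.outputs.vulnerable-changes != '' && needs.dependency-review.outputs.vulnerable-changes != '[]'`, ties the message to an actual finding (whether the output is populated before the action fails is worth confirming against its docs). In the github-script body, `pkg.name` and `pkg.version` are interpolated into the Markdown comment unescaped; they originate from the PR's own manifest, so a PR author can shape what the bot comment renders — low impact, but rendering each entry in a code span or stripping Markdown control characters keeps the comment honest. Also worth a line in the header comment: on a `pull_request` event from a fork the GITHUB_TOKEN is read-only, so both `comment-summary-in-pr: always` and the `createComment` call would fail there if this repository accepts fork PRs.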
From 84795d096b7a3a2ac6c5a7a0cd9854c4926a0972 Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Fri, 19 Dec 2025 11:19:51 -0800 Subject: [PATCH 3/7] Fix checkout action version and enable dev & main branch scanning
---
 .github/workflows/code-analysis.yml | 4 +++-
 .github/workflows/dependency-review.yml | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 40dc5296..5394278d 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -3,9 +3,11 @@ on:
 push:
 branches:
 - main
+ - dev
 pull_request:
 branches:
 - main
+ - dev
 schedule:
 - cron: '0 0 * * *'
@@ -26,7 +28,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 9433ea1a..929ad1bf 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -12,7 +12,7 @@
 name: "Dependency review"
 on:
 pull_request:
- branches: ["main"]
+ branches: ["main", "dev"]
 permissions:
 contents: read
@@ -25,7 +25,7 @@ jobs:
 vulnerable-changes: ${{ steps.review.outputs.vulnerable-changes }}
 steps:
 - name: "Checkout repository"
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 - name: "Dependency Review"
 id: review
 uses: actions/dependency-review-action@v4
From eaf200cbaaa07822385a32e0b39cf0905cc55a32 Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Tue, 23 Dec 2025 10:13:04 -0800 Subject: [PATCH 4/7] Fix CodeQL autobuild with custom build steps
---
 .github/workflows/code-analysis.yml | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 5394278d..1add299a 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -36,12 +36,26 @@ jobs:
 languages: ${{ matrix.languages }}
 queries: security-extended
- # Autobuild attempts to build Swift projects automatically.
- # For iOS projects, it will try to build the biggest target from your Xcode project/workspace.
- # If autobuild fails, you can replace this step with manual build commands.
- # For faster builds, consider targeting a single architecture (e.g., ARCH=arm64).
- - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ # Install CocoaPods dependencies
+ - name: Install dependencies
+ run: |
+ sudo gem install cocoapods
+ pod install --repo-update
+
+ # Manual build for CodeQL analysis
+ # Building for a single architecture (arm64) to speed up the build
+ - name: Build
+ run: |
+ xcodebuild clean build \
+ -workspace FRW.xcworkspace \
+ -scheme FlowWallet \
+ -destination 'generic/platform=iOS' \
+ -arch arm64 \
+ CODE_SIGNING_ALLOWED=NO \
+ CODE_SIGNING_REQUIRED=NO \
+ CODE_SIGN_IDENTITY="" \
+ CODE_SIGN_ENTITLEMENTS="" \
+ ONLY_ACTIVE_ARCH=YES
 - name: CodeQL Analyze
 uses: github/codeql-action/analyze@v4
From 3779038e2a0a467e46b63c2bbf4bc3c3b83be65a Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Tue, 23 Dec 2025 10:34:33 -0800 Subject: [PATCH 5/7] Simplify CodeQL build to use xcodeproj instead of workspace
---
 .github/workflows/code-analysis.yml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 1add299a..63c45594 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
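Review bot: `sudo gem install cocoapods` in the new Install dependencies step installs whatever the newest CocoaPods gem is at run time, as root, inside a workflow whose purpose is supply-chain assurance; pinning it (`sudo gem install cocoapods -v <pinned-version>`) makes the build reproducible and reviewable, and if the macos-latest image already ships a CocoaPods version — I believe it does — the install line can go entirely. `pod install --repo-update` is only deterministic if a Podfile.lock is committed, which this hunk does not show; a one-line comment stating that the lockfile is relied on would make that dependency explicit. The job's `steps:` list this hunk edits starts before the hunk, and since patch 5/7 removes the pod step again, this mainly applies if CocoaPods resolution is brought back into the workflow.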
@@ -36,18 +36,13 @@ jobs: languages: ${{ matrix.languages }} queries: security-extended - # Install CocoaPods dependencies - - name: Install dependencies - run: | - sudo gem install cocoapods - pod install --repo-update - # Manual build for CodeQL analysis + # Building from .xcodeproj to avoid CocoaPods/React Native setup complexity # Building for a single architecture (arm64) to speed up the build - name: Build run: | xcodebuild clean build \ -workspace FRW.xcworkspace \ + -project FRW.xcodeproj \ -scheme FlowWallet \ -destination 'generic/platform=iOS' \ -arch arm64 \
From a8009bf61640b4cfeb1e1eac9fa58fc899dd55fb Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Tue, 23 Dec 2025 13:13:19 -0800 Subject: [PATCH 6/7] Fix xcodebuild architecture conflict in CodeQL workflow
---
 .github/workflows/code-analysis.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 63c45594..cf8b6c9f 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
@@ -38,14 +38,12 @@ jobs:
 # Manual build for CodeQL analysis
 # Building from .xcodeproj to avoid CocoaPods/React Native setup complexity
- # Building for a single architecture (arm64) to speed up the build
 - name: Build
 run: |
 xcodebuild clean build \
 -project FRW.xcodeproj \
 -scheme FlowWallet \
 -destination 'generic/platform=iOS' \
- -arch arm64 \
 CODE_SIGNING_ALLOWED=NO \
 CODE_SIGNING_REQUIRED=NO \
 CODE_SIGN_IDENTITY="" \
From 551d0afc06840597448f63d91560f5f5108aef9f Mon Sep 17 00:00:00 2001 From: Justin Golanowski Date: Tue, 23 Dec 2025 14:05:16 -0800 Subject: [PATCH 7/7] Temporarily disable CodeQL workflow
---
 .../workflows/{code-analysis.yml => code-analysis.yml.disabled} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{code-analysis.yml => code-analysis.yml.disabled} (100%)
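Review bot: Switching the Build step to `-project FRW.xcodeproj` while deleting the `pod install` step changes what CodeQL sees, not only how the build is set up: if the FlowWallet scheme links Pods targets the build will fail outright, and if it succeeds any Swift sources that were previously compiled through CocoaPods are no longer part of the database, so the scan's coverage is narrower than the workspace build from patch 4/7. The new comment records the motivation but not that trade-off; I would extend it along the lines of `# NOTE: Pod-provided sources are not built here and are outside this scan's scope` (wording to confirm once the build has been run in CI). The `steps:` list this hunk edits starts before the hunk, and patch 7/7 parks the file as code-analysis.yml.disabled, so this applies when it is re-enabled.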
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml.disabled
similarity index 100%
rename from .github/workflows/code-analysis.yml
rename to .github/workflows/code-analysis.yml.disabled