onflow · lmcmz · Jan 1, 2026 · Dec 18, 2025 · Dec 18, 2025 · Dec 19, 2025
@@ -0,0 +1,56 @@
+name: "CodeQL Analysis"
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+    branches:
+      - main
+      - dev
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  analyze-code:
+    runs-on: macos-latest
+    timeout-minutes: 60
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      pull-requests: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        languages: ['swift']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.languages }}
+          queries: security-extended
+
+      # Manual build for CodeQL analysis
+      # Building from .xcodeproj to avoid CocoaPods/React Native setup complexity
+      - name: Build
+        run: |
+          xcodebuild clean build \
+            -project FRW.xcodeproj \
+            -scheme FlowWallet \
+            -destination 'generic/platform=iOS' \
+            CODE_SIGNING_ALLOWED=NO \
+            CODE_SIGNING_REQUIRED=NO \
+            CODE_SIGN_IDENTITY="" \
+            CODE_SIGN_ENTITLEMENTS="" \
+            ONLY_ACTIVE_ARCH=YES
+
+      - name: CodeQL Analyze
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.languages }}"
@@ -0,0 +1,79 @@
+# Dependency Review Action
+
+# PRs introducing NEW known-vulnerable packages will be blocked from merging.
+# This will output a GHAS comment in the PR with the details of the vulnerabilities.
+# and will also provide a comment on what to do next.
+
+# IMPORTANT: This action natively supports Swift Package Manager (SPM) dependencies via Package.resolved files.
+# CocoaPods dependencies are tracked separately via the cocoapods-dependency-submission workflow.
+# Note: GitHub's Security Advisory Database has limited CocoaPods vulnerability data.
+
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: "Dependency review"
+on:
+  pull_request:
+    branches: ["main", "dev"]
+
+permissions:
+  contents: read
+  pull-requests: write # Required for PR comments
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    outputs:
+      vulnerable-changes: ${{ steps.review.outputs.vulnerable-changes }}
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v4
+      - name: "Dependency Review"
+        id: review
+        uses: actions/dependency-review-action@v4
+        with:
+          comment-summary-in-pr: always
+          fail-on-severity: moderate
+          #allow-ghsas: GHSA-q34m-jh98-gwm2,GHSA-f9vj-2wh5-fj8j  EXAMPLE of how to whitelist!
+
+  dependency-review-failure-info:
+    needs: dependency-review
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Add PR Comment
+        uses: actions/github-script@v8
+        env:
+          VULN_OUTPUT: ${{ needs.dependency-review.outputs.vulnerable-changes }}
+        with:
+          script: |
+            try {
+              const vulnData = JSON.parse(process.env.VULN_OUTPUT || '[]');
+              let details = '';
+
+              for (const pkg of vulnData) {
+                details += `\n📦 **${pkg.name}@${pkg.version}**\n`;
+              }
+
+              const comment = `⚠️ **Security Dependency Review Failed** ⚠️
+
+              This pull request introduces dependencies with security vulnerabilities of moderate severity or higher.
+
+              ### Vulnerable Dependencies:${details}
+
+              ### What to do next?
+              1. Review the vulnerability details in the Dependency Review comment above, specifically the "Vulnerabilities" section
+              2. Click on the links in the "Vulnerability" section to see the details of the vulnerability
+              3. If multiple versions of the same package are vulnerable, please update to the common latest non-vulnerable version
+              4. If you are unsure about the vulnerability, please contact the security engineer
+              5. If the vulnerability cannot be avoided (can't upgrade, or need to keep), contact #security on slack to **get it added to the allowlist**
+              \nSecurity Engineering contact: #security on slack`;
+
+              await github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: comment
+              });
+            } catch (error) {
+              console.error('Error processing vulnerability data:', error);
+              throw error;
+            }