From ec21c3ee9c0be76468bea9a23a259987da0a1d05 Mon Sep 17 00:00:00 2001 From: witmicko Date: Wed, 26 Nov 2025 16:07:27 +0000 Subject: [PATCH 01/12] fix root changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 958a717..d636a17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Updated language detector to add Github Actions support by default +### Fixed + +- Fix incorrect language selection based on repo config ([#63](https://github.com/MetaMask/action-security-code-scanner/pull/63)) + ## [2.0.1] ### Fixed From 89f2c4e8d36ef9f3576827f52751b3ce47bfd1fd Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 2 Dec 2025 07:32:24 +0000 Subject: [PATCH 02/12] feat: add onboarding automation for new repos --- .github/templates/README.md | 38 ++++++ .../templates/onboarding-pr-body-automated.md | 51 ++++++++ .../templates/onboarding-pr-body-manual.md | 70 +++++++++++ .github/workflows/onboard-new-repo.yml | 113 ++++++++++++++++++ examples/security-code-scanner.yml | 51 ++++++++ 5 files changed, 323 insertions(+) create mode 100644 .github/templates/README.md create mode 100644 .github/templates/onboarding-pr-body-automated.md create mode 100644 .github/templates/onboarding-pr-body-manual.md create mode 100644 .github/workflows/onboard-new-repo.yml create mode 100644 examples/security-code-scanner.yml diff --git a/.github/templates/README.md b/.github/templates/README.md new file mode 100644 index 0000000..3e3859e --- /dev/null +++ b/.github/templates/README.md 
@@ -0,0 +1,38 @@ +# PR Body Templates + +This directory contains templates for onboarding PRs that add the Security Code Scanner to repositories. + +## Templates + +### `onboarding-pr-body-manual.md` +**Use for:** Manual PRs created by the security team + +- More detailed with full language configuration examples +- Includes code snippets for common scenarios +- Comprehensive documentation +- No auto-merge disclaimer + +### `onboarding-pr-body-automated.md` +**Use for:** Automated PRs created by workflows + +- Shorter, more concise +- Includes auto-merge warning at the top +- Links to README for detailed configuration +- Used by `.github/workflows/onboard-new-repo.yml` + +## Variables + +Both templates support variable substitution: + +- `{{SECURITY_SCANNING_URL}}` - Repository-specific code scanning alerts URL + +## Usage + +**Manual PRs:** +```bash +# Copy and paste from onboarding-pr-body-manual.md +# Replace {{SECURITY_SCANNING_URL}} with actual URL +``` + +**Automated workflow:** +The workflow automatically reads `onboarding-pr-body-automated.md` and substitutes variables. diff --git a/.github/templates/onboarding-pr-body-automated.md b/.github/templates/onboarding-pr-body-automated.md new file mode 100644 index 0000000..e1455fe --- /dev/null +++ b/.github/templates/onboarding-pr-body-automated.md 
@@ -0,0 +1,51 @@ +## ⚠️ Important Notice - Action Required + +**This PR may be auto-merged in the future if not configured.** + +If your team does not need the security scanner: +- Please **close this PR** and add a comment explaining why +- Consider adding a `.github/no-security-scanner` file to opt-out permanently + +If you need the scanner but want to customize it: +- Complete the checklist below +- Review and modify the workflow file as needed +- Approve and merge this PR when ready + +If no action is taken, this PR may be automatically merged after a grace period to ensure baseline security coverage across all repositories. + +--- + +## Required Action + +Prior to merging this pull request, please ensure the following has been completed: +- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`). +- [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup)) +- [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below) +- [ ] Any existing CodeQL configuration has been disabled. + +## What is the Security Code Scanner? + +This pull request enables the [MetaMask Security Code Scanner](https://github.com/MetaMask/action-security-code-scanner) GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's [Code Scanning Alerts Tab]({{SECURITY_SCANNING_URL}}). + +Security Scanner Screenshot + +The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have. 
+ +## How do I interact with the tool? + +Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it. + +The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules. + +Alert Dismissal Screenshot + +## Configuration + +The scanner auto-detects languages in your repository. If you need to customize settings (ignore falsely detected languages, add Java/Kotlin build commands), please review the `languages-config` section in the workflow file. + +For detailed configuration examples and options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md). + +For any questions, please reach out to `@app-sec` in Slack. + +--- +🤖 *This PR was automatically created by the MetaMask Security onboarding system* diff --git a/.github/templates/onboarding-pr-body-manual.md b/.github/templates/onboarding-pr-body-manual.md new file mode 100644 index 0000000..dac5beb --- /dev/null +++ b/.github/templates/onboarding-pr-body-manual.md 
@@ -0,0 +1,70 @@ +## Required Action + +Prior to merging this pull request, please ensure the following has been completed: +- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`). +- [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup)) +- [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below) +- [ ] Any existing CodeQL configuration has been disabled. + +## What is the Security Code Scanner? + +This pull request enables the [MetaMask Security Code Scanner](https://github.com/MetaMask/action-security-code-scanner) GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's [Code Scanning Alerts Tab]({{SECURITY_SCANNING_URL}}). + +Screenshot 2024-02-12 at 9 19 05 PM + +The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have. + +## How do I interact with the tool? + +Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it. + +The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules. 
+ +Screenshot 2024-02-12 at 8 41 46 PM + +## Configuration + +### Language Configuration + +The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the `languages-config` section in the workflow file. + +**Common use cases:** + +1. **Ignore falsely detected languages:** + ```yaml + languages-config: | + [ + { + "language": "ruby", + "ignore": true + } + ] + ``` + +2. **Configure Java/Kotlin builds:** + ```yaml + languages-config: | + [ + { + "language": "java-kotlin", + "build_mode": "manual", + "build_command": "./gradlew build", + "version": "21", + "distribution": "temurin" + } + ] + ``` + +**Supported languages:** `javascript-typescript`, `python`, `java-kotlin`, `go`, `cpp`, `csharp`, `ruby` + +**Build modes:** `none`, `autobuild`, `manual` + +### Additional Configuration + +For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md). + +Optional secrets that can be configured: +- `SECURITY_SCAN_METRICS_TOKEN` - for metrics collection +- `APPSEC_BOT_SLACK_WEBHOOK` - for Slack notifications + +For any additional questions, please reach out to `@app-sec` in Slack. diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml new file mode 100644 index 0000000..7064f62 --- /dev/null +++ b/.github/workflows/onboard-new-repo.yml 
@@ -0,0 +1,113 @@ +name: 'Onboard New Repository with SAST' + +on: + workflow_dispatch: + inputs: + repository: + description: 'Repository to onboard (format: owner/repo)' + required: true + type: string + base_branch: + description: 'Base branch to create PR against' + required: false + default: 'main' + type: string + repository_dispatch: + types: [new_repository_created] + +jobs: + create-sast-pr: + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + steps: + - name: Checkout scanner action repository + uses: actions/checkout@v4 + with: + path: scanner-repo + + - name: Determine target repository + id: target + run: | + if [ "${{ github.event_name }}" = "repository_dispatch" ]; then + echo "repository=${{ github.event.client_payload.repository }}" >> $GITHUB_OUTPUT + echo "base_branch=${{ github.event.client_payload.base_branch || 'main' }}" >> $GITHUB_OUTPUT + else + echo "repository=${{ inputs.repository }}" >> $GITHUB_OUTPUT + echo "base_branch=${{ inputs.base_branch }}" >> $GITHUB_OUTPUT + fi + shell: bash + + - name: Checkout target repository + uses: actions/checkout@v4 + with: + repository: ${{ steps.target.outputs.repository }} + token: ${{ secrets.GITHUB_TOKEN }} + path: target-repo + ref: ${{ steps.target.outputs.base_branch }} + + - name: Create branch and add SAST workflow + working-directory: target-repo + run: | + git config user.name "MetaMask Security Bot" + git config user.email "security-bot@metamask.io" + + BRANCH_NAME="security/add-sast-scanner" + git checkout -b "$BRANCH_NAME" + + # Create .github/workflows directory if it doesn't exist + mkdir -p .github/workflows + + # Copy the security scanner workflow template + cp ../scanner-repo/examples/security-code-scanner.yml .github/workflows/security-code-scanner.yml + + git add .github/workflows/security-code-scanner.yml + git commit -m "chore: add MetaMask Security Code Scanner workflow + +This PR adds the MetaMask Security Code Scanner workflow to enable +automated 
security scanning of the codebase. + +The scanner will run on: +- Push to main branch +- Pull requests to main branch +- Manual workflow dispatch + +To configure the scanner for your repository's specific needs, +please review the workflow file and adjust as necessary." + + git push origin "$BRANCH_NAME" + shell: bash + + - name: Create Pull Request + working-directory: target-repo + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO_NAME: ${{ steps.target.outputs.repository }} + run: | + # Extract owner and repo name for URL construction + OWNER=$(echo "$REPO_NAME" | cut -d'/' -f1) + REPO=$(echo "$REPO_NAME" | cut -d'/' -f2) + BASE_BRANCH="${{ steps.target.outputs.base_branch }}" + SECURITY_URL="https://github.com/${OWNER}/${REPO}/security/code-scanning" + + # Read PR body template and substitute variables + PR_BODY=$(cat ../scanner-repo/.github/templates/onboarding-pr-body-automated.md) + PR_BODY="${PR_BODY//\{\{SECURITY_SCANNING_URL\}\}/$SECURITY_URL}" + + gh pr create \ + --title "🔒 Add MetaMask Security Code Scanner" \ + --body "$PR_BODY" \ + --base "$BASE_BRANCH" \ + --head "security/add-sast-scanner" + shell: bash + + - name: Output PR URL + working-directory: target-repo + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + PR_URL=$(gh pr view security/add-sast-scanner --json url -q .url) + echo "✅ Pull Request created: $PR_URL" + echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT + shell: bash diff --git a/examples/security-code-scanner.yml b/examples/security-code-scanner.yml new file mode 100644 index 0000000..dd9746e --- /dev/null +++ b/examples/security-code-scanner.yml 
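Review bot: the new `onboard-new-repo.yml` (PATCH 02) never checks for the `.github/no-security-scanner` opt-out file that `onboarding-pr-body-automated.md` tells teams to add, so a repository that opted out is onboarded again on the next `repository_dispatch`; add a step after 'Checkout target repository' that exits early when `target-repo/.github/no-security-scanner` exists, and for the same reason when the fixed `security/add-sast-scanner` branch or an open PR already exists, since `git checkout -b`, `git push` and `gh pr create` will otherwise fail on any re-run. Two further points in the same file: `secrets.GITHUB_TOKEN` is scoped to the repository running the workflow, so the checkout, `git push` and `gh pr create` against `steps.target.outputs.repository` will be rejected for any other repository (a credential that can reach other repositories only arrives in PATCH 06); and `${{ inputs.repository }}` / `${{ github.event.client_payload.repository }}` are expanded directly inside `run:` scripts, so a crafted dispatch payload becomes shell source. Map them through `env:` (`REPO_INPUT: ${{ inputs.repository }}`) and reference `"$REPO_INPUT"` in the script instead.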
@@ -0,0 +1,51 @@ +name: MetaMask Security Code Scanner + +on: + push: + branches: + - main + pull_request: + branches: + - main + workflow_call: + secrets: + SECURITY_SCAN_METRICS_TOKEN: + required: false + APPSEC_BOT_SLACK_WEBHOOK: + required: false + workflow_dispatch: + +jobs: + security-scan: + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2 + permissions: + actions: read + contents: read + security-events: write + with: + repo: ${{ github.repository }} + scanner-ref: 'v2' + paths-ignored: | + node_modules + **/node_modules/** + **/__snapshots__/ + __snapshots_linux__ + **/__stories__/ + .storybook/ + **/*.test.ts + **/*.test.tsx + **/*.test.js + **/*.test.jsx + **/*.spec.ts + **/*.spec.tsx + **/*.spec.js + **/*.spec.jsx + **/test*/** + **/e2e/** + **/tests/** + languages-config: | + [ + ] + secrets: + project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} From ad24efa8c9b6fdd4e930572664a5673b7cd516b6 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 10:02:39 +0000 Subject: [PATCH 03/12] update pr template --- .../templates/onboarding-pr-body-automated.md | 50 +++++++++++-- .../templates/onboarding-pr-body-manual.md | 70 ------------------- 2 files changed, 45 insertions(+), 75 deletions(-) delete mode 100644 .github/templates/onboarding-pr-body-manual.md diff --git a/.github/templates/onboarding-pr-body-automated.md b/.github/templates/onboarding-pr-body-automated.md index e1455fe..002cf85 100644 --- a/.github/templates/onboarding-pr-body-automated.md +++ b/.github/templates/onboarding-pr-body-automated.md 
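Review bot: `examples/security-code-scanner.yml` (PATCH 02) hardcodes `branches: - main` for both `push` and `pull_request`, yet `onboard-new-repo.yml` copies this file verbatim into every target repository and then relies on the PR checklist to catch a `master` or other default branch; the workflow already determines `base_branch`, so substitute it into the copied file rather than shipping `main`. Also worth fixing here: `**/__snapshots__/` and `**/__stories__/` lack the trailing `**` that every other directory pattern in `paths-ignored` carries (PATCH 08 later rewrites them as `**/__snapshots__/**`), and `uses: ...security-scan.yml@v2` plus `scanner-ref: 'v2'` resolve a mutable tag on each run; pinning the reusable workflow to a commit SHA makes what runs with `security-events: write` reproducible.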
@@ -3,8 +3,9 @@ **This PR may be auto-merged in the future if not configured.** If your team does not need the security scanner: -- Please **close this PR** and add a comment explaining why -- Consider adding a `.github/no-security-scanner` file to opt-out permanently +- **Add a comment on this PR** explaining why your team is opting out +- **Close this PR** to prevent auto-merge +- **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts If you need the scanner but want to customize it: - Complete the checklist below 
@@ -41,11 +42,50 @@ The finding will automatically be dismissed by pushing a commit that fixes the i ## Configuration -The scanner auto-detects languages in your repository. If you need to customize settings (ignore falsely detected languages, add Java/Kotlin build commands), please review the `languages-config` section in the workflow file. +### Language Configuration -For detailed configuration examples and options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md). +The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the `languages-config` section in the workflow file. -For any questions, please reach out to `@app-sec` in Slack. +**Common use cases:** + +1. **Ignore falsely detected languages:** + ```yaml + languages-config: | + [ + { + "language": "ruby", + "ignore": true + } + ] + ``` + +2. **Configure Java/Kotlin builds:** + ```yaml + languages-config: | + [ + { + "language": "java-kotlin", + "build_mode": "manual", + "build_command": "./gradlew build", + "version": "21", + "distribution": "temurin" + } + ] + ``` + +**Supported languages:** `javascript-typescript`, `python`, `java-kotlin`, `go`, `cpp`, `csharp`, `ruby` + +**Build modes:** `none`, `autobuild`, `manual` + +### Additional Configuration + +For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md). + +Optional secrets that can be configured: +- `SECURITY_SCAN_METRICS_TOKEN` - for metrics collection +- `APPSEC_BOT_SLACK_WEBHOOK` - for Slack notifications + +For any additional questions, please reach out to `@app-sec` in Slack. --- 🤖 *This PR was automatically created by the MetaMask Security onboarding system* diff --git a/.github/templates/onboarding-pr-body-manual.md b/.github/templates/onboarding-pr-body-manual.md deleted file mode 100644 index dac5beb..0000000 
--- a/.github/templates/onboarding-pr-body-manual.md +++ /dev/null 
@@ -1,70 +0,0 @@ -## Required Action - -Prior to merging this pull request, please ensure the following has been completed: -- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`). -- [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup)) -- [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below) -- [ ] Any existing CodeQL configuration has been disabled. - -## What is the Security Code Scanner? - -This pull request enables the [MetaMask Security Code Scanner](https://github.com/MetaMask/action-security-code-scanner) GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's [Code Scanning Alerts Tab]({{SECURITY_SCANNING_URL}}). - -Screenshot 2024-02-12 at 9 19 05 PM - -The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have. - -## How do I interact with the tool? - -Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it. - -The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules. 
- -Screenshot 2024-02-12 at 8 41 46 PM - -## Configuration - -### Language Configuration - -The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the `languages-config` section in the workflow file. - -**Common use cases:** - -1. **Ignore falsely detected languages:** - ```yaml - languages-config: | - [ - { - "language": "ruby", - "ignore": true - } - ] - ``` - -2. **Configure Java/Kotlin builds:** - ```yaml - languages-config: | - [ - { - "language": "java-kotlin", - "build_mode": "manual", - "build_command": "./gradlew build", - "version": "21", - "distribution": "temurin" - } - ] - ``` - -**Supported languages:** `javascript-typescript`, `python`, `java-kotlin`, `go`, `cpp`, `csharp`, `ruby` - -**Build modes:** `none`, `autobuild`, `manual` - -### Additional Configuration - -For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md). - -Optional secrets that can be configured: -- `SECURITY_SCAN_METRICS_TOKEN` - for metrics collection -- `APPSEC_BOT_SLACK_WEBHOOK` - for Slack notifications - -For any additional questions, please reach out to `@app-sec` in Slack. From e283983287f216b9b4fbb182ef50f9e525b790c1 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 11:26:11 +0000 Subject: [PATCH 04/12] ci: update build command for codeql --- .../templates/onboarding-pr-body-automated.md | 16 +++---- .github/workflows/onboard-new-repo.yml | 42 +++++++++++-------- 2 files changed, 33 insertions(+), 25 deletions(-) diff --git a/.github/templates/onboarding-pr-body-automated.md b/.github/templates/onboarding-pr-body-automated.md index 002cf85..078d16b 100644 --- a/.github/templates/onboarding-pr-body-automated.md +++ b/.github/templates/onboarding-pr-body-automated.md 
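Review bot: PATCH 03 deletes `.github/templates/onboarding-pr-body-manual.md`, but `.github/templates/README.md` (added in PATCH 02) still documents that file, its 'No auto-merge disclaimer' bullet and the 'Manual PRs' copy-and-paste usage section; update the README in the same commit so the directory listing matches its contents, and say in the commit subject, which only reads 'update pr template', that the manual template was removed.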
@@ -3,14 +3,14 @@ **This PR may be auto-merged in the future if not configured.** If your team does not need the security scanner: -- **Add a comment on this PR** explaining why your team is opting out -- **Close this PR** to prevent auto-merge -- **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts +1. **Add a comment on this PR** explaining why your team is opting out +2. **Close this PR** to prevent auto-merge +3. **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts If you need the scanner but want to customize it: -- Complete the checklist below -- Review and modify the workflow file as needed -- Approve and merge this PR when ready +1. Complete the checklist below +2. Review and modify the workflow file as needed +3. Approve and merge this PR when ready If no action is taken, this PR may be automatically merged after a grace period to ensure baseline security coverage across all repositories. @@ -19,7 +19,7 @@ If no action is taken, this PR may be automatically merged after a grace period ## Required Action Prior to merging this pull request, please ensure the following has been completed: -- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`). +- [ ] The lines specifying `branches` correctly specify this repository's default branch (usually `main` or `master`). - [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup)) - [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below) - [ ] Any existing CodeQL configuration has been disabled. 
@@ -49,6 +49,7 @@ The scanner auto-detects languages in your repository. If you need to customize **Common use cases:** 1. **Ignore falsely detected languages:** + ```yaml languages-config: | [ @@ -60,6 +61,7 @@ The scanner auto-detects languages in your repository. If you need to customize ``` 2. **Configure Java/Kotlin builds:** + ```yaml languages-config: | [ diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index 7064f62..347de8c 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -4,14 +4,9 @@ on: workflow_dispatch: inputs: repository: - description: 'Repository to onboard (format: owner/repo)' + description: 'Repository to onboard (format: owner/repo, e.g., MetaMask/snaps)' required: true type: string - base_branch: - description: 'Base branch to create PR against' - required: false - default: 'main' - type: string repository_dispatch: types: [new_repository_created] @@ -31,13 +26,24 @@ jobs: id: target run: | if [ "${{ github.event_name }}" = "repository_dispatch" ]; then - echo "repository=${{ github.event.client_payload.repository }}" >> $GITHUB_OUTPUT - echo "base_branch=${{ github.event.client_payload.base_branch || 'main' }}" >> $GITHUB_OUTPUT + REPO="${{ github.event.client_payload.repository }}" + BASE_BRANCH="${{ github.event.client_payload.base_branch }}" else - echo "repository=${{ inputs.repository }}" >> $GITHUB_OUTPUT - echo "base_branch=${{ inputs.base_branch }}" >> $GITHUB_OUTPUT + REPO="${{ inputs.repository }}" + BASE_BRANCH="" + fi + + # If base_branch is not set, detect it from the repository + if [ -z "$BASE_BRANCH" ]; then + echo "Detecting default branch for $REPO..." + BASE_BRANCH=$(gh api repos/$REPO --jq '.default_branch') fi + + echo "repository=$REPO" >> $GITHUB_OUTPUT + echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT shell: bash + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout target repository uses: actions/checkout@v4 
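Review bot: in the `onboard-new-repo.yml` hunk of PATCH 04, `BASE_BRANCH=$(gh api repos/$REPO --jq '.default_branch')` runs with `GH_TOKEN: secrets.GITHUB_TOKEN`, which cannot read the metadata of a private repository other than the one running the workflow, so default-branch detection will fail for exactly the internal repositories this automation is meant for; this is only addressed when PATCH 06 switches the token. The step also interpolates `${{ github.event.client_payload.base_branch }}` and the `repository` values straight into the script; an `env:` mapping with quoted `"$VAR"` references should cover all of them. Finally, the subject 'ci: update build command for codeql' does not describe this commit (it removes the `base_branch` input and adds default-branch detection); a subject naming the behaviour change helps later bisecting.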
@@ -65,16 +71,16 @@ jobs: git add .github/workflows/security-code-scanner.yml git commit -m "chore: add MetaMask Security Code Scanner workflow -This PR adds the MetaMask Security Code Scanner workflow to enable -automated security scanning of the codebase. + This PR adds the MetaMask Security Code Scanner workflow to enable + automated security scanning of the codebase. -The scanner will run on: -- Push to main branch -- Pull requests to main branch -- Manual workflow dispatch + The scanner will run on: + - Push to main branch + - Pull requests to main branch + - Manual workflow dispatch -To configure the scanner for your repository's specific needs, -please review the workflow file and adjust as necessary." + To configure the scanner for your repository's specific needs, + please review the workflow file and adjust as necessary." git push origin "$BRANCH_NAME" shell: bash From acbbe22acdf5ca2d7156e8128e7feaaaf5cbe195 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 11:55:04 +0000 Subject: [PATCH 05/12] update inputs handlign --- .github/workflows/onboard-new-repo.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index 347de8c..aeb9558 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -3,8 +3,12 @@ name: 'Onboard New Repository with SAST' on: workflow_dispatch: inputs: + organization: + description: 'Organization name (e.g., MetaMask)' + required: true + type: string repository: - description: 'Repository to onboard (format: owner/repo, e.g., MetaMask/snaps)' + description: 'Repository name (e.g., snaps)' required: true type: string repository_dispatch: 
@@ -26,10 +30,12 @@ jobs: id: target run: | if [ "${{ github.event_name }}" = "repository_dispatch" ]; then - REPO="${{ github.event.client_payload.repository }}" + ORG="${{ github.event.client_payload.organization }}" + REPO_NAME="${{ github.event.client_payload.repository }}" + REPO="$ORG/$REPO_NAME" BASE_BRANCH="${{ github.event.client_payload.base_branch }}" else - REPO="${{ inputs.repository }}" + REPO="${{ inputs.organization }}/${{ inputs.repository }}" BASE_BRANCH="" fi From 10735dd5d6900399cce2edc4f11015d970cd9280 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 12:06:49 +0000 Subject: [PATCH 06/12] gh token fi --- .github/workflows/onboard-new-repo.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index aeb9558..c06d64e 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -49,13 +49,13 @@ jobs: echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT shell: bash env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} - name: Checkout target repository uses: actions/checkout@v4 with: repository: ${{ steps.target.outputs.repository }} - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.ONBOARDING_TOKEN }} path: target-repo ref: ${{ steps.target.outputs.base_branch }} @@ -94,7 +94,7 @@ jobs: - name: Create Pull Request working-directory: target-repo env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} REPO_NAME: ${{ steps.target.outputs.repository }} run: | # Extract owner and repo name for URL construction @@ -117,7 +117,7 @@ jobs: - name: Output PR URL working-directory: target-repo env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} run: | PR_URL=$(gh pr view security/add-sast-scanner --json url -q .url) echo "✅ Pull Request created: $PR_URL" 
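Review bot: PATCH 06 swaps `secrets.GITHUB_TOKEN` for `secrets.ONBOARDING_TOKEN` in all four places, which is the right fix for cross-repository checkout, push and `gh pr create`, but the change should state what kind of credential `ONBOARDING_TOKEN` is and how it is scoped: a classic PAT with `repo` scope grants write on every repository its owner can reach, whereas a fine-grained token or GitHub App installation token limited to Contents and Pull requests on the target organisation keeps the blast radius of a leaked secret to what this workflow needs. With the new token doing all the work, the job's own `permissions: contents: write, pull-requests: write` on the scanner repository are no longer used and can be reduced to `contents: read`. The subject 'gh token fi' looks like a truncated 'fix'.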
From 8f971de4040076737952a464f0f86c617be0f10c Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 12:17:57 +0000 Subject: [PATCH 07/12] actionlint fix --- .github/workflows/onboard-new-repo.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index c06d64e..c699424 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -42,11 +42,11 @@ jobs: # If base_branch is not set, detect it from the repository if [ -z "$BASE_BRANCH" ]; then echo "Detecting default branch for $REPO..." - BASE_BRANCH=$(gh api repos/$REPO --jq '.default_branch') + BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch') fi - echo "repository=$REPO" >> $GITHUB_OUTPUT - echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT + echo "repository=$REPO" >> "$GITHUB_OUTPUT" + echo "base_branch=$BASE_BRANCH" >> "$GITHUB_OUTPUT" shell: bash env: GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} @@ -121,5 +121,5 @@ jobs: run: | PR_URL=$(gh pr view security/add-sast-scanner --json url -q .url) echo "✅ Pull Request created: $PR_URL" - echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT + echo "PR_URL=$PR_URL" >> "$GITHUB_OUTPUT" shell: bash From 27e6a8321b2db564983e3b9a0358c3d33d049852 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 12:32:45 +0000 Subject: [PATCH 08/12] update branach handling move action file to templates --- .github/templates/README.md | 3 ++ .../templates/onboarding-pr-body-automated.md | 7 ++- .github/templates/security-code-scanner.yml | 51 +++++++++++++++++++ .github/workflows/onboard-new-repo.yml | 17 +++---- examples/security-code-scanner.yml | 4 +- 5 files changed, 70 insertions(+), 12 deletions(-) create mode 100644 .github/templates/security-code-scanner.yml diff --git a/.github/templates/README.md b/.github/templates/README.md index 3e3859e..c3407fc 100644 --- a/.github/templates/README.md +++ b/.github/templates/README.md 
@@ -5,6 +5,7 @@ This directory contains templates for onboarding PRs that add the Security Code ## Templates ### `onboarding-pr-body-manual.md` + **Use for:** Manual PRs created by the security team - More detailed with full language configuration examples @@ -13,6 +14,7 @@ This directory contains templates for onboarding PRs that add the Security Code - No auto-merge disclaimer ### `onboarding-pr-body-automated.md` + **Use for:** Automated PRs created by workflows - Shorter, more concise @@ -29,6 +31,7 @@ Both templates support variable substitution: ## Usage **Manual PRs:** + ```bash # Copy and paste from onboarding-pr-body-manual.md # Replace {{SECURITY_SCANNING_URL}} with actual URL diff --git a/.github/templates/onboarding-pr-body-automated.md b/.github/templates/onboarding-pr-body-automated.md index 078d16b..d160288 100644 --- a/.github/templates/onboarding-pr-body-automated.md +++ b/.github/templates/onboarding-pr-body-automated.md @@ -3,11 +3,13 @@ **This PR may be auto-merged in the future if not configured.** If your team does not need the security scanner: + 1. **Add a comment on this PR** explaining why your team is opting out 2. **Close this PR** to prevent auto-merge 3. **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts If you need the scanner but want to customize it: + 1. Complete the checklist below 2. Review and modify the workflow file as needed 3. Approve and merge this PR when ready 
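Review bot: the `README.md` hunks and the first `onboarding-pr-body-automated.md` hunk in PATCH 08 are whitespace-only (blank lines inserted before lists and fenced blocks) but sit in a commit whose subject is about branch handling and moving the action file; keeping formatter output in its own commit makes the functional change easier to review. While touching the README, its `onboarding-pr-body-manual.md` section still describes a file deleted in PATCH 03.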
@@ -19,6 +21,7 @@ If no action is taken, this PR may be automatically merged after a grace period ## Required Action Prior to merging this pull request, please ensure the following has been completed: + - [ ] The lines specifying `branches` correctly specify this repository's default branch (usually `main` or `master`). - [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup)) - [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below) @@ -84,10 +87,12 @@ The scanner auto-detects languages in your repository. If you need to customize For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md). Optional secrets that can be configured: + - `SECURITY_SCAN_METRICS_TOKEN` - for metrics collection - `APPSEC_BOT_SLACK_WEBHOOK` - for Slack notifications For any additional questions, please reach out to `@app-sec` in Slack. --- -🤖 *This PR was automatically created by the MetaMask Security onboarding system* + +🤖 _This PR was automatically created by the MetaMask Security onboarding system_ diff --git a/.github/templates/security-code-scanner.yml b/.github/templates/security-code-scanner.yml new file mode 100644 index 0000000..3409974 --- /dev/null +++ b/.github/templates/security-code-scanner.yml 
@@ -0,0 +1,51 @@ +name: MetaMask Security Code Scanner + +on: + push: + branches: + - { DEFAULT_BRANCH } + pull_request: + branches: + - { DEFAULT_BRANCH } + workflow_call: + secrets: + SECURITY_SCAN_METRICS_TOKEN: + required: false + APPSEC_BOT_SLACK_WEBHOOK: + required: false + workflow_dispatch: + +jobs: + security-scan: + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2 + permissions: + actions: read + contents: read + security-events: write + with: + repo: ${{ github.repository }} + scanner-ref: 'v2' + paths-ignored: | + node_modules + **/node_modules/** + **/__snapshots__/** + __snapshots_linux__ + **/__stories__/** + .storybook/ + **/*.test.ts + **/*.test.tsx + **/*.test.js + **/*.test.jsx + **/*.spec.ts + **/*.spec.tsx + **/*.spec.js + **/*.spec.jsx + **/test*/** + **/e2e/** + **/tests/** + languages-config: | + [ + ] + secrets: + project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }} + slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }} diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index c699424..9e771d9 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -33,17 +33,13 @@ jobs: ORG="${{ github.event.client_payload.organization }}" REPO_NAME="${{ github.event.client_payload.repository }}" REPO="$ORG/$REPO_NAME" - BASE_BRANCH="${{ github.event.client_payload.base_branch }}" else REPO="${{ inputs.organization }}/${{ inputs.repository }}" - BASE_BRANCH="" fi - # If base_branch is not set, detect it from the repository - if [ -z "$BASE_BRANCH" ]; then - echo "Detecting default branch for $REPO..." - BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch') - fi + # Auto-detect default branch from the repository + echo "Detecting default branch for $REPO..." + BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch') echo "repository=$REPO" >> "$GITHUB_OUTPUT" echo "base_branch=$BASE_BRANCH" >> "$GITHUB_OUTPUT" 
@@ -71,8 +67,11 @@ jobs: # Create .github/workflows directory if it doesn't exist mkdir -p .github/workflows - # Copy the security scanner workflow template - cp ../scanner-repo/examples/security-code-scanner.yml .github/workflows/security-code-scanner.yml + # Copy the security scanner workflow template and replace placeholders + BASE_BRANCH="${{ steps.target.outputs.base_branch }}" + sed "s/{ DEFAULT_BRANCH }/$BASE_BRANCH/g" \ + ../scanner-repo/.github/templates/security-code-scanner.yml \ + > .github/workflows/security-code-scanner.yml git add .github/workflows/security-code-scanner.yml git commit -m "chore: add MetaMask Security Code Scanner workflow diff --git a/examples/security-code-scanner.yml b/examples/security-code-scanner.yml index dd9746e..b7cd907 100644 --- a/examples/security-code-scanner.yml +++ b/examples/security-code-scanner.yml @@ -28,9 +28,9 @@ jobs: paths-ignored: | node_modules **/node_modules/** - **/__snapshots__/ + **/__snapshots__/** __snapshots_linux__ - **/__stories__/ + **/__stories__/** .storybook/ **/*.test.ts **/*.test.tsx From ecc9d0af3d7cc2e051059f745971f9e752abaebf Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 13:55:12 +0000 Subject: [PATCH 09/12] default to main on empty repo --- .github/workflows/onboard-new-repo.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index 9e771d9..ba15505 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml 
@@ -39,7 +39,13 @@ jobs: # Auto-detect default branch from the repository echo "Detecting default branch for $REPO..." - BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch') + BASE_BRANCH=$(gh api "repos/$REPO" --jq '.default_branch' 2>/dev/null || echo "") + + # If repo is empty or API call failed, default to 'main' + if [ -z "$BASE_BRANCH" ] || [ "$BASE_BRANCH" = "null" ]; then + echo "Repository is empty or default branch not found. Defaulting to 'main'" + BASE_BRANCH="main" + fi echo "repository=$REPO" >> "$GITHUB_OUTPUT" echo "base_branch=$BASE_BRANCH" >> "$GITHUB_OUTPUT" From ae1d8e42d9522584e53b2d6fa960a2eade0f1744 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 14:00:14 +0000 Subject: [PATCH 10/12] fix empty repo runs --- .github/workflows/onboard-new-repo.yml | 62 +++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 6 deletions(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index ba15505..9d3889c 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -53,7 +53,29 @@ jobs: env: GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} + - name: Check if target repository is empty + id: check_empty + run: | + REPO="${{ steps.target.outputs.repository }}" + # Try to get repository info + REPO_INFO=$(gh api "repos/$REPO" 2>/dev/null || echo "") + + if [ -z "$REPO_INFO" ]; then + echo "Failed to get repository info" + exit 1 + fi + + # Check if repository has commits (size will be 0 if empty) + IS_EMPTY=$(echo "$REPO_INFO" | jq -r '.size == 0') + + echo "is_empty=$IS_EMPTY" >> "$GITHUB_OUTPUT" + echo "Repository empty status: $IS_EMPTY" + shell: bash + env: + GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} + - name: Checkout target repository + if: steps.check_empty.outputs.is_empty == 'false' uses: actions/checkout@v4 with: repository: ${{ steps.target.outputs.repository }} 
@@ -61,20 +83,37 @@ jobs: path: target-repo ref: ${{ steps.target.outputs.base_branch }} + - name: Initialize empty repository locally + if: steps.check_empty.outputs.is_empty == 'true' + run: | + mkdir -p target-repo + cd target-repo + git init + git remote add origin "https://x-access-token:${{ secrets.ONBOARDING_TOKEN }}@github.com/${{ steps.target.outputs.repository }}.git" + shell: bash + - name: Create branch and add SAST workflow working-directory: target-repo run: | git config user.name "MetaMask Security Bot" git config user.email "security-bot@metamask.io" - BRANCH_NAME="security/add-sast-scanner" - git checkout -b "$BRANCH_NAME" + IS_EMPTY="${{ steps.check_empty.outputs.is_empty }}" + BASE_BRANCH="${{ steps.target.outputs.base_branch }}" + + if [ "$IS_EMPTY" = "true" ]; then + # For empty repos, create initial commit on main + BRANCH_NAME="$BASE_BRANCH" + else + # For existing repos, create a feature branch + BRANCH_NAME="security/add-sast-scanner" + git checkout -b "$BRANCH_NAME" + fi # Create .github/workflows directory if it doesn't exist mkdir -p .github/workflows # Copy the security scanner workflow template and replace placeholders - BASE_BRANCH="${{ steps.target.outputs.base_branch }}" sed "s/{ DEFAULT_BRANCH }/$BASE_BRANCH/g" \ ../scanner-repo/.github/templates/security-code-scanner.yml \ > .github/workflows/security-code-scanner.yml @@ -86,17 +125,18 @@ jobs: automated security scanning of the codebase. The scanner will run on: - - Push to main branch - - Pull requests to main branch + - Push to $BASE_BRANCH branch + - Pull requests to $BASE_BRANCH branch - Manual workflow dispatch To configure the scanner for your repository's specific needs, please review the workflow file and adjust as necessary." - git push origin "$BRANCH_NAME" + git push -u origin "$BRANCH_NAME" shell: bash - name: Create Pull Request + if: steps.check_empty.outputs.is_empty == 'false' working-directory: target-repo env: GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} 
@@ -120,6 +160,7 @@ jobs: shell: bash - name: Output PR URL + if: steps.check_empty.outputs.is_empty == 'false' working-directory: target-repo env: GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }} @@ -128,3 +169,12 @@ jobs: echo "✅ Pull Request created: $PR_URL" echo "PR_URL=$PR_URL" >> "$GITHUB_OUTPUT" shell: bash + + - name: Output commit info for empty repo + if: steps.check_empty.outputs.is_empty == 'true' + run: | + REPO="${{ steps.target.outputs.repository }}" + BASE_BRANCH="${{ steps.target.outputs.base_branch }}" + echo "✅ Initial commit pushed to https://github.com/$REPO/tree/$BASE_BRANCH" + echo "Repository was empty - workflow file added directly to $BASE_BRANCH branch" + shell: bash From da090b6f37f25c7fdfabcb27c1e5e289b9ddfe5b Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 14:02:59 +0000 Subject: [PATCH 11/12] fix empty repo runs --- .github/workflows/onboard-new-repo.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index 9d3889c..f52ceea 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml @@ -132,6 +132,11 @@ jobs: To configure the scanner for your repository's specific needs, please review the workflow file and adjust as necessary." + # For empty repos, rename the branch to match the base branch + if [ "$IS_EMPTY" = "true" ]; then + git branch -M "$BRANCH_NAME" + fi + git push -u origin "$BRANCH_NAME" shell: bash From 6d3ad6bdd9fafa1b6fecb4482478abcf4e708dc6 Mon Sep 17 00:00:00 2001 From: witmicko Date: Tue, 9 Dec 2025 14:11:14 +0000 Subject: [PATCH 12/12] another repo edge case handling --- .github/workflows/onboard-new-repo.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/onboard-new-repo.yml b/.github/workflows/onboard-new-repo.yml index f52ceea..a16ec72 100644 --- a/.github/workflows/onboard-new-repo.yml +++ b/.github/workflows/onboard-new-repo.yml 
@@ -57,19 +57,19 @@ jobs: id: check_empty run: | REPO="${{ steps.target.outputs.repository }}" - # Try to get repository info - REPO_INFO=$(gh api "repos/$REPO" 2>/dev/null || echo "") + # Try to list branches in the repository + BRANCHES=$(gh api "repos/$REPO/branches" --jq 'length' 2>/dev/null || echo "0") - if [ -z "$REPO_INFO" ]; then - echo "Failed to get repository info" - exit 1 + # If there are no branches, the repo is empty + if [ "$BRANCHES" = "0" ]; then + IS_EMPTY="true" + echo "Repository is empty (no branches found)" + else + IS_EMPTY="false" + echo "Repository has $BRANCHES branch(es)" fi - # Check if repository has commits (size will be 0 if empty) - IS_EMPTY=$(echo "$REPO_INFO" | jq -r '.size == 0') - echo "is_empty=$IS_EMPTY" >> "$GITHUB_OUTPUT" - echo "Repository empty status: $IS_EMPTY" shell: bash env: GH_TOKEN: ${{ secrets.ONBOARDING_TOKEN }}
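Review bot: In PATCH 08, the new `.github/templates/security-code-scanner.yml` references the reusable workflow by the mutable tag `MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2` and passes `scanner-ref: 'v2'`, so every onboarded repository silently picks up whatever the `v2` tag is moved to later. That is presumably intended so repos auto-update, but it should be a conscious decision: if the scanner runs with `security-events: write` in hundreds of repos, a compromised or mistakenly moved tag propagates everywhere at once. Either pin to a full commit SHA with a `# v2.x.y` comment and let the onboarding workflow bump it, or document in `.github/templates/README.md` that floating `v2` is deliberate and who is allowed to move that tag.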
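Review bot: In PATCH 08, hunk `@@ -71,8 +67,11 @@` of `onboard-new-repo.yml`, the placeholder substitution `sed "s/{ DEFAULT_BRANCH }/$BASE_BRANCH/g"` uses `/` as the delimiter, so a default branch containing a slash (`release/2.x`, `develop/main`) breaks the `s` command and the step fails or, worse, writes a truncated workflow file; a branch name containing `&` would be rewritten too, since `&` is the matched-text backreference in the replacement. Suggest an alternate delimiter plus escaping of the value, for example `ESCAPED=$(printf '%s' "$BASE_BRANCH" | sed 's/[|&\\]/\\&/g')` and then `sed "s|{ DEFAULT_BRANCH }|$ESCAPED|g"`, and a quick sanity check that the output file still parses as YAML before it is committed.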
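Review bot: In PATCH 08, hunk `@@ -33,17 +33,13 @@` of `onboard-new-repo.yml` keeps `ORG="${{ github.event.client_payload.organization }}"` and `REPO_NAME="${{ github.event.client_payload.repository }}"` expanded directly inside the `run:` script; the same pattern recurs in PATCH 10 for `steps.target.outputs.repository` and `base_branch`. Values interpolated this way are pasted into the shell source before bash sees them, so a payload containing quotes or `$(...)` runs as code on the runner with `ONBOARDING_TOKEN` in the environment. `repository_dispatch` already requires a token to trigger, so this is defence in depth rather than an open hole, but the standard fix is cheap: move the expressions into `env:` (`ORG: ${{ github.event.client_payload.organization }}`) and reference `"$ORG"` in the script, which also keeps actionlint quiet about the inline expressions.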
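Review bot: In PATCH 09, hunk `@@ -39,7 +39,13 @@`, the fallback `gh api "repos/$REPO" --jq '.default_branch' 2>/dev/null || echo ""` turns any API failure (bad token, missing repo, rate limit) into a silent default of `main`, and the `2>/dev/null` throws away the only message that would explain it. As far as I know GitHub reports the configured `default_branch` even for a repository with no commits, so in practice the `-z` / `"null"` branch is reached mainly on errors rather than on genuinely empty repos. Suggest keeping stderr and failing the step on a non-zero exit from `gh api`, and reserving the `main` default for the case where the field really is empty.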
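Review bot: In PATCH 10, hunk `@@ -61,20 +83,37 @@`, the "Initialize empty repository locally" step embeds the secret in the remote URL: `git remote add origin "https://x-access-token:${{ secrets.ONBOARDING_TOKEN }}@github.com/..."`. That writes the token into `target-repo/.git/config` on the runner and lets git echo it in error output (log masking catches the exact string, but not every encoding of it). Since `GH_TOKEN` is already set for the `gh` steps, `gh auth setup-git` followed by a plain `https://github.com/<repo>.git` remote avoids storing the credential at all; alternatively pass it per-command with `-c http.extraheader=...` the way `actions/checkout` does. Note also that the other branch of this hunk relies on the runner's `init.defaultBranch` matching `$BASE_BRANCH` after `git init`, which PATCH 11 has to patch around.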
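Review bot: In PATCH 10, hunk `@@ -86,17 +125,18 @@`, the empty-repository path does `git push -u origin "$BRANCH_NAME"` straight to the default branch and then skips "Create Pull Request" via `is_empty == 'false'`, so for an empty repo the scanner workflow lands with no PR, no review and none of the opt-out steps that `onboarding-pr-body-automated.md` promises (comment, close, `.github/no-security-scanner`). That is probably acceptable for a repo with nothing in it, but it should be stated in `.github/templates/README.md` and in the onboarding docs so a team that created a placeholder repo is not surprised; the "Output commit info for empty repo" step message is a good start but only shows up in the run log.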
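Review bot: In PATCH 11, hunk `@@ -132,6 +132,11 @@`, renaming after the fact with `git branch -M "$BRANCH_NAME"` works because it runs after the first commit, but the simpler fix is in the initialize step: `git init -b "$BASE_BRANCH"` (git 2.28+, which the hosted runners have) creates the branch with the right name up front, and the `IS_EMPTY` conditional here can then go away. If `-M` stays, a one-line comment explaining that `git init` may have created `master` would save the next reader a trip through the history.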
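Review bot: In PATCH 12, hunk `@@ -57,19 +57,19 @@`, `gh api "repos/$REPO/branches" --jq 'length' 2>/dev/null || echo "0"` makes an API failure indistinguishable from an empty repository, and the workflow then proceeds to `git init` and push to `$BASE_BRANCH`; the version this replaces (PATCH 10) at least did `exit 1` when the repo could not be read. Suggest separating the two outcomes, e.g. `if ! BRANCHES=$(gh api "repos/$REPO/branches" --jq 'length'); then echo "Failed to list branches for $REPO"; exit 1; fi`, and keeping stderr so a permissions problem on `ONBOARDING_TOKEN` is visible in the run log instead of surfacing later as a failed push.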