feat: add onboarding automation for new repos

MetaMask · witmicko · Nov 26, 2025 · Dec 2, 2025 · Dec 9, 2025 · Dec 9, 2025
commit 89f2c4e8d36ef9f3576827f52751b3ce47bfd1fd
@@ -0,0 +1,38 @@
+# PR Body Templates
+
+This directory contains templates for onboarding PRs that add the Security Code Scanner to repositories.
+
+## Templates
+
+### `onboarding-pr-body-manual.md`
+**Use for:** Manual PRs created by the security team
+
+- More detailed with full language configuration examples
+- Includes code snippets for common scenarios
+- Comprehensive documentation
+- No auto-merge disclaimer
+
+### `onboarding-pr-body-automated.md`
+**Use for:** Automated PRs created by workflows
+
+- Shorter, more concise
+- Includes auto-merge warning at the top
+- Links to README for detailed configuration
+- Used by `.github/workflows/onboard-new-repo.yml`
+
+## Variables
+
+Both templates support variable substitution:
+
+- `{{SECURITY_SCANNING_URL}}` - Repository-specific code scanning alerts URL
+
+## Usage
+
+**Manual PRs:**
+```bash
+# Copy and paste from onboarding-pr-body-manual.md
+# Replace {{SECURITY_SCANNING_URL}} with actual URL
+```
+
+**Automated workflow:**
+The workflow automatically reads `onboarding-pr-body-automated.md` and substitutes variables.
@@ -0,0 +1,51 @@
+## ⚠️ Important Notice - Action Required
+
+**This PR may be auto-merged in the future if not configured.**
+
+If your team does not need the security scanner:
+- Please **close this PR** and add a comment explaining why
+- Consider adding a `.github/no-security-scanner` file to opt-out permanently
+
+If you need the scanner but want to customize it:
+- Complete the checklist below
+- Review and modify the workflow file as needed
+- Approve and merge this PR when ready
+
+If no action is taken, this PR may be automatically merged after a grace period to ensure baseline security coverage across all repositories.
+
+---
+
+## Required Action
+
+Prior to merging this pull request, please ensure the following has been completed:
+- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`).
+- [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup))
+- [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below)
+- [ ] Any existing CodeQL configuration has been disabled.
+
+## What is the Security Code Scanner?
+
+This pull request enables the [MetaMask Security Code Scanner](https://github.com/MetaMask/action-security-code-scanner) GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's [Code Scanning Alerts Tab]({{SECURITY_SCANNING_URL}}).
+
+<img width="500" alt="Security Scanner Screenshot" src="https://github.com/user-attachments/assets/41c87b70-79b7-44dd-a444-791b142fbbe1">
+
+The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.
+
+## How do I interact with the tool?
+
+Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it.
+
+The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules.
+
+<img width="983" alt="Alert Dismissal Screenshot" src="https://github.com/user-attachments/assets/114219d5-4b4c-4d9d-8bfe-f4666012b73e">
+
+## Configuration
+
+The scanner auto-detects languages in your repository. If you need to customize settings (ignore falsely detected languages, add Java/Kotlin build commands), please review the `languages-config` section in the workflow file.
+
+For detailed configuration examples and options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md).
+
+For any questions, please reach out to `@app-sec` in Slack.
+
+---
+🤖 *This PR was automatically created by the MetaMask Security onboarding system*
diff --git a/.github/templates/onboarding-pr-body-manual.md b/.github/templates/onboarding-pr-body-manual.md
@@ -0,0 +1,70 @@
+## Required Action
+
+Prior to merging this pull request, please ensure the following has been completed:
+- [ ] The lines specifying `branches` correctly specifies this repository's default branch (usually `main` or `master`).
+- [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup))
+- [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below)
+- [ ] Any existing CodeQL configuration has been disabled.
+
+## What is the Security Code Scanner?
+
+This pull request enables the [MetaMask Security Code Scanner](https://github.com/MetaMask/action-security-code-scanner) GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's [Code Scanning Alerts Tab]({{SECURITY_SCANNING_URL}}).
+
+<img width="500" alt="Screenshot 2024-02-12 at 9 19 05 PM" src="https://github.com/user-attachments/assets/41c87b70-79b7-44dd-a444-791b142fbbe1">
+
+The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.
+
+## How do I interact with the tool?
+
+Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it.
+
+The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules.
+
+<img width="983" alt="Screenshot 2024-02-12 at 8 41 46 PM" src="https://github.com/user-attachments/assets/114219d5-4b4c-4d9d-8bfe-f4666012b73e">
+
+## Configuration
+
+### Language Configuration
+
+The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the `languages-config` section in the workflow file.
+
+**Common use cases:**
+
+1. **Ignore falsely detected languages:**
+   ```yaml
+   languages-config: |
+     [
+       {
+         "language": "ruby",
+         "ignore": true
+       }
+     ]
+   ```
+
+2. **Configure Java/Kotlin builds:**
+   ```yaml
+   languages-config: |
+     [
+       {
+         "language": "java-kotlin",
+         "build_mode": "manual",
+         "build_command": "./gradlew build",
+         "version": "21",
+         "distribution": "temurin"
+       }
+     ]
+   ```
+
+**Supported languages:** `javascript-typescript`, `python`, `java-kotlin`, `go`, `cpp`, `csharp`, `ruby`
+
+**Build modes:** `none`, `autobuild`, `manual`
+
+### Additional Configuration
+
+For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md).
+
+Optional secrets that can be configured:
+- `SECURITY_SCAN_METRICS_TOKEN` - for metrics collection
+- `APPSEC_BOT_SLACK_WEBHOOK` - for Slack notifications
+
+For any additional questions, please reach out to `@app-sec` in Slack.
@@ -0,0 +1,113 @@
+name: 'Onboard New Repository with SAST'
+
+on:
+  workflow_dispatch:
+    inputs:
+      repository:
+        description: 'Repository to onboard (format: owner/repo)'
+        required: true
+        type: string
+      base_branch:
+        description: 'Base branch to create PR against'
+        required: false
+        default: 'main'
+        type: string
+  repository_dispatch:
+    types: [new_repository_created]
+
+jobs:
+  create-sast-pr:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout scanner action repository
+        uses: actions/checkout@v4
+        with:
+          path: scanner-repo
+
+      - name: Determine target repository
+        id: target
+        run: |
+          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
+            echo "repository=${{ github.event.client_payload.repository }}" >> $GITHUB_OUTPUT
+            echo "base_branch=${{ github.event.client_payload.base_branch || 'main' }}" >> $GITHUB_OUTPUT
+          else
+            echo "repository=${{ inputs.repository }}" >> $GITHUB_OUTPUT
+            echo "base_branch=${{ inputs.base_branch }}" >> $GITHUB_OUTPUT
+          fi
+        shell: bash
+
+      - name: Checkout target repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ steps.target.outputs.repository }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          path: target-repo
+          ref: ${{ steps.target.outputs.base_branch }}
+
+      - name: Create branch and add SAST workflow
+        working-directory: target-repo
+        run: |
+          git config user.name "MetaMask Security Bot"
+          git config user.email "[email protected]"
+
+          BRANCH_NAME="security/add-sast-scanner"
+          git checkout -b "$BRANCH_NAME"
+
+          # Create .github/workflows directory if it doesn't exist
+          mkdir -p .github/workflows
+
+          # Copy the security scanner workflow template
+          cp ../scanner-repo/examples/security-code-scanner.yml .github/workflows/security-code-scanner.yml
+
+          git add .github/workflows/security-code-scanner.yml
+          git commit -m "chore: add MetaMask Security Code Scanner workflow
+
+This PR adds the MetaMask Security Code Scanner workflow to enable
+automated security scanning of the codebase.
+
+The scanner will run on:
+- Push to main branch
+- Pull requests to main branch
+- Manual workflow dispatch
+
+To configure the scanner for your repository's specific needs,
+please review the workflow file and adjust as necessary."
+
+          git push origin "$BRANCH_NAME"
+        shell: bash
+
+      - name: Create Pull Request
+        working-directory: target-repo
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO_NAME: ${{ steps.target.outputs.repository }}
+        run: |
+          # Extract owner and repo name for URL construction
+          OWNER=$(echo "$REPO_NAME" | cut -d'/' -f1)
+          REPO=$(echo "$REPO_NAME" | cut -d'/' -f2)
+          BASE_BRANCH="${{ steps.target.outputs.base_branch }}"
+          SECURITY_URL="https://github.com/${OWNER}/${REPO}/security/code-scanning"
+
+          # Read PR body template and substitute variables
+          PR_BODY=$(cat ../scanner-repo/.github/templates/onboarding-pr-body-automated.md)
+          PR_BODY="${PR_BODY//\{\{SECURITY_SCANNING_URL\}\}/$SECURITY_URL}"
+
+          gh pr create \
+            --title "🔒 Add MetaMask Security Code Scanner" \
+            --body "$PR_BODY" \
+            --base "$BASE_BRANCH" \
+            --head "security/add-sast-scanner"
+        shell: bash
+
+      - name: Output PR URL
+        working-directory: target-repo
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_URL=$(gh pr view security/add-sast-scanner --json url -q .url)
+          echo "✅ Pull Request created: $PR_URL"
+          echo "PR_URL=$PR_URL" >> $GITHUB_OUTPUT
+        shell: bash
@@ -0,0 +1,51 @@
+name: MetaMask Security Code Scanner
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_call:
+    secrets:
+      SECURITY_SCAN_METRICS_TOKEN:
+        required: false
+      APPSEC_BOT_SLACK_WEBHOOK:
+        required: false
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      repo: ${{ github.repository }}
+      scanner-ref: 'v2'
+      paths-ignored: |
+        node_modules
+        **/node_modules/**
+        **/__snapshots__/
+        __snapshots_linux__
+        **/__stories__/
+        .storybook/
+        **/*.test.ts
+        **/*.test.tsx
+        **/*.test.js
+        **/*.test.jsx
+        **/*.spec.ts
+        **/*.spec.tsx
+        **/*.spec.js
+        **/*.spec.jsx
+        **/test*/**
+        **/e2e/**
+        **/tests/**
+      languages-config: |
+        [
+        ]
+    secrets:
+      project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+      slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}