Adding SAST-SCA by JGowsk9 · Pull Request #2108 · onflow/FRW-iOS

JGowsk9 · 2025-12-18T22:07:46Z

Security

-Adding Code Analysis
-Adding Dependency Review
-This Will Block Failing PRs

github-actions · 2025-12-18T22:07:55Z

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

github-actions · 2025-12-18T22:07:57Z

PR Summary

Added security-focused GitHub Actions workflows for Static Application Security Testing (SAST) and Software Composition Analysis (SCA). The changes introduce a CodeQL analysis workflow (currently disabled) for Swift code scanning on push/PR events to main and dev branches, and a dependency review workflow that blocks PRs introducing known-vulnerable packages of moderate severity or higher. The dependency review workflow includes automated PR comments with vulnerability details and remediation guidance.

Changes

File	Summary
`.github/workflows/code-analysis.yml.disabled`	Added a CodeQL analysis workflow (disabled) that runs on push/PR to `main` and `dev` branches, plus daily scheduled scans. Configures Swift language analysis with `security-extended` queries, builds the `FRW.xcodeproj` with code signing disabled, and uploads results to GitHub Security.
`.github/workflows/dependency-review.yml`	Added a dependency review workflow that scans PRs to `main` and `dev` branches for vulnerable dependencies. Fails on moderate+ severity vulnerabilities, posts summary comments in PRs, and includes a failure handler job that adds detailed remediation guidance with security team contact information.

autogenerated by presubmit.ai

github-actions · 2025-12-18T22:07:57Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

actions/actions/checkout

4.*.*

🟢 6.5

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 5	6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Code-Review	🟢 10	all changesets reviewed
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Packaging	⚠️ -1	packaging workflow not detected
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	🟢 9	security policy file detected
Vulnerabilities	🟢 9	1 existing vulnerabilities detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 8	SAST tool detected but not run on all commits

actions/actions/dependency-review-action

4.*.*

🟢 7.5

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 9	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 6	branch protection is not maximal on development and all release branches
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Vulnerabilities	🟢 5	5 existing vulnerabilities detected
SAST	🟢 10	SAST tool is run on all commits

actions/actions/github-script

8.*.*

🟢 6.3

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 10	SAST tool is run on all commits
Vulnerabilities	🟢 3	7 existing vulnerabilities detected

Scanned Files

.github/workflows/dependency-review.yml

github-actions

🚨 Pull request needs attention.

Review Summary

Commits Considered (1)

46255a1: Adding SAST-SCA

Files Processed (2)

.github/workflows/code-analysis.yml (1 hunk)
.github/workflows/dependency-review.yml (1 hunk)

Actionable Comments (2)

.github/workflows/code-analysis.yml [29-29]

possible bug: "Non-existent action version referenced."
.github/workflows/dependency-review.yml [28-28]

possible bug: "Non-existent action version referenced."

Skipped Comments (2)

.github/workflows/dependency-review.yml [49-49]

possible issue: "JSON parsing may fail on unexpected input."
.github/workflows/code-analysis.yml [10-10]

enhancement: "Daily scheduled runs may be excessive."

.github/workflows/code-analysis.yml

.github/workflows/dependency-review.yml

github-actions · 2025-12-18T22:15:58Z

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

github-actions

🚨 Pull request needs attention.

Review Summary

Commits Considered (1)

deca9a8: Updates to branch

Files Processed (2)

.github/workflows/code-analysis.yml (1 hunk)
.github/workflows/dependency-review.yml (1 hunk)

Actionable Comments (2)

.github/workflows/code-analysis.yml [29-29]

possible bug: "Non-existent action version will cause workflow failure."
.github/workflows/dependency-review.yml [28-28]

possible bug: "Non-existent action version will cause workflow failure."

Skipped Comments (1)

.github/workflows/dependency-review.yml [56-68]

readability: "Template string indentation will appear in the rendered PR comment."

.github/workflows/code-analysis.yml

.github/workflows/dependency-review.yml

github-actions · 2025-12-19T19:20:27Z

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

github-actions

✅ LGTM!

Review Summary

Commits Considered (1)

84795d0: Fix checkout action version and enable dev & main branch scanning

Files Processed (2)

.github/workflows/code-analysis.yml (1 hunk)
.github/workflows/dependency-review.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (4)

.github/workflows/code-analysis.yml [34-34]

security: "Pin GitHub Actions to commit SHA for improved security."
.github/workflows/code-analysis.yml [22-22]

best practice: "Unnecessary permission granted to workflow."
.github/workflows/dependency-review.yml [49-49]

possible bug: "Potential JSON parsing error when vulnerability output is empty or malformed."
.github/workflows/dependency-review.yml [43-43]

security: "Pin GitHub Actions to commit SHA for improved security."

JGowsk9 · 2025-12-19T19:34:49Z

Fixes #2113

github-actions · 2025-12-19T19:36:18Z

Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id>

lmcmz · 2025-12-23T02:01:48Z

@JGowsk9 It seem the build
failed
https://github.com/onflow/FRW-iOS/actions/runs/20380217403/job/58571415764?pr=2108

github-actions

✅ LGTM!

Review Summary

Commits Considered (1)

eaf200c: Fix CodeQL autobuild with custom build steps

Files Processed (1)

.github/workflows/code-analysis.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (4)

.github/workflows/code-analysis.yml [34-34]

security: "Pin GitHub Actions to commit SHA for improved security."
.github/workflows/code-analysis.yml [31-31]

security: "Pin GitHub Actions to commit SHA for improved security."
.github/workflows/code-analysis.yml [61-61]

security: "Pin GitHub Actions to commit SHA for improved security."
.github/workflows/code-analysis.yml [12-12]

enhancement: "Consider offsetting the scheduled run time."

github-actions

✅ LGTM!

Review Summary

Commits Considered (1)

c5efc4c: Merge branch 'dev' into sec/sast-sca

Files Processed (0)

Actionable Comments (0)

Skipped Comments (0)

github-actions

✅ LGTM!

Review Summary

Commits Considered (1)

3779038: Simplify CodeQL build to use xcodeproj instead of workspace

Files Processed (1)

.github/workflows/code-analysis.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (3)

.github/workflows/code-analysis.yml [34-34]

best practice: "Consider pinning GitHub Actions to specific versions for reproducibility."
.github/workflows/code-analysis.yml [12-12]

enhancement: "Consider adjusting the scheduled cron time to avoid peak hours."
.github/workflows/code-analysis.yml [22-22]

security: "Unused permission declared in workflow."

JGowsk9 · 2025-12-23T20:02:37Z

@JGowsk9 It seem the build failed https://github.com/onflow/FRW-iOS/actions/runs/20380217403/job/58571415764?pr=2108

Thanks, @lmcmz ! Any suggestions on how to get a successful build? I've tried both Autobuild and custom builds

github-actions

✅ LGTM!

Review Summary

Commits Considered (1)

a8009bf: Fix xcodebuild architecture conflict in CodeQL workflow

Files Processed (1)

.github/workflows/code-analysis.yml (1 hunk)

Actionable Comments (0)

Skipped Comments (3)

.github/workflows/code-analysis.yml [34-34]

security: "Pin GitHub Actions to commit SHA for improved security."
.github/workflows/code-analysis.yml [54-54]

security: "Pin GitHub Actions to commit SHA for improved security."
.github/workflows/code-analysis.yml [22-22]

best practice: "Unused permission may be overly permissive."

github-actions

✅ LGTM!

Review Summary

Commits Considered (1)

551d0af: Temporarily disable CodeQL workflow

Files Processed (1)

.github/workflows/code-analysis.yml.disabled (1 hunk)

Actionable Comments (0)

Skipped Comments (3)

.github/workflows/code-analysis.yml.disabled [34-34]

security: "Pin GitHub Actions to specific commit SHA for supply chain security."
.github/workflows/code-analysis.yml.disabled [54-54]

security: "Pin GitHub Actions to specific commit SHA for supply chain security."
.github/workflows/code-analysis.yml.disabled [12-12]

enhancement: "Consider reducing scheduled scan frequency to conserve resources."

Adding SAST-SCA

46255a1

JGowsk9 requested a review from a team as a code owner December 18, 2025 22:07

github-actions bot reviewed Dec 18, 2025

View reviewed changes

.github/workflows/code-analysis.yml Outdated Show resolved Hide resolved

.github/workflows/dependency-review.yml Outdated Show resolved Hide resolved

Updates to branch

deca9a8

github-actions bot reviewed Dec 18, 2025

View reviewed changes

.github/workflows/code-analysis.yml Outdated Show resolved Hide resolved

.github/workflows/dependency-review.yml Outdated Show resolved Hide resolved

Fix checkout action version and enable dev & main branch scanning

84795d0

github-actions bot reviewed Dec 19, 2025

View reviewed changes

JGowsk9 mentioned this pull request Dec 19, 2025

Add SAST and SCA Security Scanning Workflows #2113

Closed

Fix CodeQL autobuild with custom build steps

eaf200c