Skip to content

MetaMask/Security-Code-Scanner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
.github
.github
 
 
.vscode
.vscode
 
 
scripts
scripts
 
 
.gitignore
.gitignore
 
 
.prettierrc
.prettierrc
 
 
README.md
README.md
 
 
action.yaml
action.yaml
 
 
package.json
package.json
 
 
yarn.lock
yarn.lock
 
 

Repository files navigation

Security Code Scanner

Overview

The Security Code Scanner GitHub Action is designed to enhance the security of your repositories by performing thorough code scans. Currently, it utilizes the Appsec CodeQL scanner, but the scope is planned to expand to include other security actions, providing a more comprehensive security analysis.

Inputs

  • repo: (Required) The name of the repository you want to scan.

  • slack_webhook: (Required) Slack webhook URL.

  • project_metrics_token: (optional) Token belonging to a mixpanel project that is used to track build passes & failures.

  • paths_ignored: (optional) Code paths which are to be ignored. Each should be listed on a new line.

  • rules_excluded: (optional) Code scanning rules to exclude. Each should be listed on a new line.

Setup

To use the Security Code Scanner, create a security-code-scanner.yml file in your repository's .github/workflows/ folder:

name: 'MetaMask Security Code Scanner'

on:
  push:
    branches: [ 'main' ]
  pull_request:
    branches: [ 'main' ]
  
jobs:
  run-security-scan:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:   
      - name: MetaMask Security Code Scanner
        uses: MetaMask/Security-Code-Scanner@main
        with:
          repo: ${{ github.repository }}
           paths_ignored: |
            .storybook/
            '**/__snapshots__/'
            '**/*.snap'
            '**/*.stories.js'
            '**/*.stories.tsx'
            '**/*.test.browser.ts*'
            '**/*.test.js*'
            '**/*.test.ts*'
            '**/fixtures/'
            '**/jest.config.js'
            '**/jest.environment.js'
            '**/mocks/'
            '**/test*/'
            docs/
            e2e/
            merged-packages/
            node_modules
            storybook/
            test*/
          rules_excluded: |
            rule1
          project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
          slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}

Secrets

Repositories in the MetaMask GitHub organization will pass the following secrets to the scanner to assist with logging and monitoring. However, these values can be replaced if used in other contexts.

  • SECURITY_SCAN_METRICS_TOKEN
  • APPSEC_BOT_SLACK_WEBHOOK

Features

Disclaimer

This action is developed for the MetaMask engineering team, and may require additional configuration if used in other organizations.

About

No description, website, or topics provided.

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

6 stars

Watchers

44 watching

Forks

2 forks
Report repository

Releases

No releases published

Sponsor this project

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages