Skip to content

ci: enable security code scanner #1286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

ci: enable security code scanner #1286

wants to merge 4 commits into from

Conversation

@witmicko
Copy link
Collaborator

@witmicko witmicko commented Dec 1, 2025
edited by cursor bot
Loading

Required Action

Prior to merging this pull request, please ensure the following has been completed:

  • The lines specifying branches correctly specifies this repository's default branch (usually main or master).
  • Any paths you would like to ignore have been added to the paths-ignored configuration option (see setup)
  • Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below)
  • Any existing CodeQL configuration has been disabled.

What is the Security Code Scanner?

This pull request enables the MetaMask Security Code Scanner GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's Code Scanning Alerts Tab.

Screenshot 2024-02-12 at 9 19 05 PM

The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.

How do I interact with the tool?

Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it.

The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules.

Screenshot 2024-02-12 at 8 41 46 PM

Configuration

Language Configuration

The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the languages-config section in the workflow file.

Common use cases:

  1. Ignore falsely detected languages:

    languages-config: |
  [
    {
      "language": "ruby",
      "ignore": true
    }
  ]

  2. Configure Java/Kotlin builds:

    languages-config: |
  [
    {
      "language": "java-kotlin",
      "build_mode": "manual",
      "build_command": "./gradlew build",
      "version": "21",
      "distribution": "temurin"
    }
  ]

Supported languages: javascript-typescript, python, java-kotlin, go, cpp, csharp, ruby

Build modes: none, autobuild, manual

Additional Configuration

For more configuration options, please review the tool's README.

Optional secrets that can be configured:

  • SECURITY_SCAN_METRICS_TOKEN - for metrics collection
  • APPSEC_BOT_SLACK_WEBHOOK - for Slack notifications

For any additional questions, please reach out to @app-sec in Slack.

Note

Adds a GitHub Actions workflow to run MetaMask Security Code Scanner on pushes/PRs to main, with configured ignore paths and optional secrets.

  • CI/CD:
    • Workflow Added: Introduces /.github/workflows/security-code-scanner.yml using MetaMask/action-security-code-scanner@v2.
    • Triggers: Runs on push and pull_request to main, supports workflow_call and workflow_dispatch.
    • Permissions: Grants actions: read, contents: read, security-events: write.
    • Configuration:
      • paths-ignored: excludes node_modules, snapshots, stories, tests, e2e, .sol, and contracts.
      • languages-config: set to [].
      • with: sets repo and scanner-ref: v2.
    • Secrets: Uses SECURITY_SCAN_METRICS_TOKEN and APPSEC_BOT_SLACK_WEBHOOK (optional).

Written by Cursor Bugbot for commit 637ade5. This will update automatically on new commits. Configure here.

@vercel
Copy link

vercel bot commented Dec 1, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
doc-linea Ready Ready Preview Comment Dec 3, 2025 3:54pm

@github-advanced-security
Copy link

github-advanced-security bot commented Dec 1, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@witmicko @eloi010