Skip to content
/ action-security-code-scanner Public

A GitHub action aggregating SAST tools to scan code for vulnerabilities

5 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

MetaMask/action-security-code-scanner

12 Branches2 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

dependabot[bot]NicholasEllul
dependabot[bot]
and
NicholasEllul
Bump the npm_and_yarn group across 1 directory with 3 updates (#23)
Mar 7, 2025
0b3759f · Mar 7, 2025

History

42 Commits
.github
.github
Mar 7, 2025
.vscode
.vscode
Mar 7, 2025
.yarn/plugins/@yarnpkg
.yarn/plugins/@yarnpkg
Mar 7, 2025
scripts
scripts
Mar 26, 2024
.depcheckrc.json
.depcheckrc.json
Mar 7, 2025
.editorconfig
.editorconfig
Mar 7, 2025
.gitattributes
.gitattributes
Mar 7, 2025
.gitignore
.gitignore
Dec 13, 2023
.nvmrc
.nvmrc
Mar 7, 2025
.prettierrc.js
.prettierrc.js
Mar 7, 2025
.yarnrc.yml
.yarnrc.yml
Mar 7, 2025
CHANGELOG.md
CHANGELOG.md
Mar 7, 2025
README.md
README.md
Mar 7, 2025
action.yaml
action.yaml
Mar 7, 2025
package.json
package.json
Mar 7, 2025
yarn.lock
yarn.lock
Mar 7, 2025

Repository files navigation

MetaMask/action-security-code-scanner

Overview

The Security Code Scanner GitHub Action is designed to enhance the security of your repositories by performing thorough code scans. Currently, it utilizes the Appsec CodeQL scanner, but the scope is planned to expand to include other security actions, providing a more comprehensive security analysis.

Inputs

  • repo: (Required) The name of the repository you want to scan.

  • slack_webhook: (Required) Slack webhook URL.

  • project_metrics_token: (optional) Token belonging to a mixpanel project that is used to track build passes & failures.

  • paths_ignored: (optional) Code paths which are to be ignored. Each should be listed on a new line.

  • rules_excluded: (optional) Code scanning rules to exclude. Each should be listed on a new line.

Setup

To use the Security Code Scanner, create a security-code-scanner.yml file in your repository's .github/workflows/ folder:

name: 'MetaMask Security Code Scanner'

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

jobs:
  run-security-scan:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: MetaMask Security Code Scanner
        uses: MetaMask/action-security-code-scanner@v1
        with:
          repo: ${{ github.repository }}
          paths_ignored: |
            .storybook/
            '**/__snapshots__/'
            '**/*.snap'
            '**/*.stories.js'
            '**/*.stories.tsx'
            '**/*.test.browser.ts*'
            '**/*.test.js*'
            '**/*.test.ts*'
            '**/fixtures/'
            '**/jest.config.js'
            '**/jest.environment.js'
            '**/mocks/'
            '**/test*/'
            docs/
            e2e/
            merged-packages/
            node_modules
            storybook/
            test*/
          rules_excluded: |
            rule1
          project_metrics_token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
          slack_webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}

Secrets

Repositories in the MetaMask GitHub organization will pass the following secrets to the scanner to assist with logging and monitoring. However, these values can be replaced if used in other contexts.

  • SECURITY_SCAN_METRICS_TOKEN
  • APPSEC_BOT_SLACK_WEBHOOK

Features

Disclaimer

This action is developed for the MetaMask engineering team, and may require additional configuration if used in other organizations.

About

A GitHub action aggregating SAST tools to scan code for vulnerabilities

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

45 watching

Forks

2 forks
Report repository

Releases 1

1.0.0 Latest
Mar 7, 2025

Sponsor this project

Packages

No packages published

Contributors 7

Languages