MetaMask
diff --git a/‎.github/templates/README.md‎
Lines changed: 41 additions & 0 deletions b/‎.github/templates/README.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.github/templates/onboarding-pr-body-automated.md‎
Lines changed: 93 additions & 0 deletions b/‎.github/templates/onboarding-pr-body-automated.md‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎.github/templates/security-code-scanner.yml‎
Lines changed: 51 additions & 0 deletions b/‎.github/templates/security-code-scanner.yml‎
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,41 @@
+# PR Body Templates
+
+This directory contains templates for onboarding PRs that add the Security Code Scanner to repositories.
+
+## Templates
+
+### `onboarding-pr-body-manual.md`
+
+**Use for:** Manual PRs created by the security team
+
+- More detailed with full language configuration examples
+- Includes code snippets for common scenarios
+- Comprehensive documentation
+- No auto-merge disclaimer
+
+### `onboarding-pr-body-automated.md`
+
+**Use for:** Automated PRs created by workflows
+
+- Shorter, more concise
+- Includes auto-merge warning at the top
+- Links to README for detailed configuration
+- Used by `.github/workflows/onboard-new-repo.yml`
+
+## Variables
+
+Both templates support variable substitution:
+
+- `{{SECURITY_SCANNING_URL}}` - Repository-specific code scanning alerts URL
+
+## Usage
+
+**Manual PRs:**
+
+```bash
+# Copy and paste from onboarding-pr-body-manual.md
+# Replace {{SECURITY_SCANNING_URL}} with actual URL
+```
+
+**Automated workflow:**
+The workflow automatically reads `onboarding-pr-body-automated.md` and substitutes variables.
@@ -0,0 +1,93 @@
+## ⚠️ Important Notice - Action Required
+
+**This PR may be auto-merged in the future if not configured.**
+
+If your team does not need the security scanner:
+
+1. **Add a comment on this PR** explaining why your team is opting out
+2. **Close this PR** to prevent auto-merge
+3. **Add a `.github/no-security-scanner` file** to your repository to prevent future onboarding attempts
+
+If you need the scanner but want to customize it:
+
+1. Complete the checklist below
+2. Review and modify the workflow file as needed
+3. Approve and merge this PR when ready
+
+If no action is taken, this PR may be automatically merged after a grace period to ensure baseline security coverage across all repositories.
+
+---
+
+## Required Action
+
+Prior to merging this pull request, please ensure the following has been completed:
+
+- [ ] The lines specifying `branches` correctly specify this repository's default branch (usually `main` or `master`).
+- [ ] Any paths you would like to ignore have been added to the `paths-ignored` configuration option (see [setup](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md#setup))
+- [ ] Language configuration has been reviewed - ignore falsely detected languages or add build commands for Java/Kotlin if needed (see Configuration section below)
+- [ ] Any existing CodeQL configuration has been disabled.
+
+## What is the Security Code Scanner?
+
+This pull request enables the [MetaMask Security Code Scanner](https://github.com/MetaMask/action-security-code-scanner) GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's [Code Scanning Alerts Tab]({{SECURITY_SCANNING_URL}}).
+
+<img width="500" alt="Security Scanner Screenshot" src="https://github.com/user-attachments/assets/41c87b70-79b7-44dd-a444-791b142fbbe1">
+
+The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.
+
+## How do I interact with the tool?
+
+Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix, or dismiss it.
+
+The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable, or improve any poor performing rules.
+
+<img width="983" alt="Alert Dismissal Screenshot" src="https://github.com/user-attachments/assets/114219d5-4b4c-4d9d-8bfe-f4666012b73e">
+
+## Configuration
+
+### Language Configuration
+
+The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the `languages-config` section in the workflow file.
+
+**Common use cases:**
+
+1. **Ignore falsely detected languages:**
+
+   ```yaml
+   languages-config: |
+     [
+       {
+         "language": "ruby",
+         "ignore": true
+       }
+     ]
+   ```
+
+2. **Configure Java/Kotlin builds:**
+
+   ```yaml
+   languages-config: |
+     [
+       {
+         "language": "java-kotlin",
+         "build_mode": "manual",
+         "build_command": "./gradlew build",
+         "version": "21",
+         "distribution": "temurin"
+       }
+     ]
+   ```
+
+**Supported languages:** `javascript-typescript`, `python`, `java-kotlin`, `go`, `cpp`, `csharp`, `ruby`
+
+**Build modes:** `none`, `autobuild`, `manual`
+
+### Additional Configuration
+
+For more configuration options, please review the tool's [README](https://github.com/MetaMask/action-security-code-scanner/blob/main/README.md).
+
+For any additional questions, please reach out to `@app-sec` in Slack.
+
+---
+
+🤖 _This PR was automatically created by the MetaMask Security onboarding system_
@@ -0,0 +1,51 @@
+name: MetaMask Security Code Scanner
+
+on:
+  push:
+    branches:
+      - { DEFAULT_BRANCH }
+  pull_request:
+    branches:
+      - { DEFAULT_BRANCH }
+  workflow_call:
+    secrets:
+      SECURITY_SCAN_METRICS_TOKEN:
+        required: false
+      APPSEC_BOT_SLACK_WEBHOOK:
+        required: false
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      repo: ${{ github.repository }}
+      scanner-ref: 'v2'
+      paths-ignored: |
+        node_modules
+        **/node_modules/**
+        **/__snapshots__/**
+        __snapshots_linux__
+        **/__stories__/**
+        .storybook/
+        **/*.test.ts
+        **/*.test.tsx
+        **/*.test.js
+        **/*.test.jsx
+        **/*.spec.ts
+        **/*.spec.tsx
+        **/*.spec.js
+        **/*.spec.jsx
+        **/test*/**
+        **/e2e/**
+        **/tests/**
+      languages-config: |
+        [
+        ]
+    secrets:
+      project-metrics-token: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+      slack-webhook: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}