Skip to content

Update MetaMask/action-security-code-scanner and run as part of main workflow #263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Mrtenz merged 3 commits into from
Mar 7, 2025
Merged

Update MetaMask/action-security-code-scanner and run as part of main workflow #263

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9153a31
Update `MetaMask/action-security-code-scanner` and run as part of mai…
Mrtenz Mar 7, 2025
3fb5c51
Add name
Mrtenz Mar 7, 2025
107d96e
Add code scanner as requirement for all-jobs-completed
Mrtenz Mar 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,18 @@ jobs:
run: ${{ steps.download-actionlint.outputs.executable }} -color
shell: bash

analyse-code:
name: Code scanner
needs: check-workflows
uses: ./.github/workflows/security-code-scanner.yml
permissions:
actions: read
contents: read
security-events: write
secrets:
SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}

Comment on lines +25 to +36
Copy link
Contributor

@NicholasEllul NicholasEllul Mar 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this run in parallel to the other steps? One of the reasons we had originally opted for it to be separate is so that it would execute in parallel to not slow down CI times. Especially the CodeQL step can take a minute or two to build its database depending on the size of the repo

Copy link
Member Author

@Mrtenz Mrtenz Mar 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does! It only depends on check-workflows, but after that, both the security code scanner and build, lint, test steps will run in parallel.

build-lint-test:
name: Build, lint, and test
uses: ./.github/workflows/build-lint-test.yml
Expand All @@ -31,6 +43,7 @@ jobs:
runs-on: ubuntu-latest
needs:
- check-workflows
- analyse-code
- build-lint-test
outputs:
PASSED: ${{ steps.set-output.outputs.PASSED }}
Expand Down
17 changes: 9 additions & 8 deletions .github/workflows/security-code-scanner.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,24 +1,25 @@
name: MetaMask Security Code Scanner

on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_call:
secrets:
SECURITY_SCAN_METRICS_TOKEN:
required: false
APPSEC_BOT_SLACK_WEBHOOK:
required: false
workflow_dispatch:

jobs:
run-security-scan:
name: Run security scan
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: MetaMask Security Code Scanner
uses: MetaMask/Security-Code-Scanner@main
- name: Analyse code
uses: MetaMask/action-security-code-scanner@v1
with:
repo: ${{ github.repository }}
paths_ignored: |
Expand Down
Loading