security scan of flutter dependencies

[sk92129]

If you are looking for help, please confirm the following...

• I confirm I have searched the Docs, Codemagic Sample Projects, and GitHub Discussions.
• I confirm the software versions on my local computer match the ones in CI environment (e.g. Xcode version, Gradle version). See here
• I confirm I am able to do a fresh clone of the repository and build the project on my local computer.

Which mobile framework are you using?

Flutter (Dart)

Steps to reproduce

1. I added the github project to the codemagic build
2. Used the default workflow
3. Did not see a security scan

Expected results

I was looking for a static code analysis step. There is the "flutter analyze" but I am also looking to see if this codemagic does a dependency code security scan from the pubspec.yaml.

I see articles about integrating sonarqube. But sonarqube and its plugin for flutter does not scan the dependencies.

Actual results

https://codemagic.io/app/65cba7531b6fd3dfff4fb6a6/build/65cba769b8b79d08bb147d88

I see a build for ios, android and web but without any static code analysis

Build id (optional)

65cba769b8b79d08bb147d88

[himesh-cm]

Hi @sk92129

For security scans for Flutter dependencies in Codemagic as described, consider integrating third-party tools or services specialising in dependency scanning for Dart and Flutter projects.

Codemagic doesn't natively support scanning pubspec.yaml dependencies for security vulnerabilities.

You might need to set up a custom script in your Codemagic workflow that calls these services via their CLI or API to perform the scans.

[himesh-cm]

While I’m closing our discussion for now, if you have any other questions or suggestions, feel free to reply back or start a new discussion anytime. Have a nice day!