name: Security on: push: branches: [main] pull_request: branches: [main] schedule: - cron: '0 6 * * 1' permissions: contents: read security-events: write env: ACALA_PROD_AUTH_TOKEN: ${{ secrets.ACALA_PROD_AUTH_TOKEN }} ACALA_TEST_AUTH_TOKEN: ${{ secrets.ACALA_TEST_AUTH_TOKEN }} MOONBEAM_PROD_AUTH_TOKEN: ${{ secrets.MOONBEAM_PROD_AUTH_TOKEN }} MOONBEAM_TEST_AUTH_TOKEN: ${{ secrets.MOONBEAM_TEST_AUTH_TOKEN }} MOONPAY_PRODUCTION_SECRET: ${{ secrets.MOONPAY_PRODUCTION_SECRET }} MOONPAY_TEST_SECRET: ${{ secrets.MOONPAY_TEST_SECRET }} MERCURYO_PRODUCTION_SECRET: ${{ secrets.MERCURYO_PRODUCTION_SECRET }} MERCURYO_TEST_SECRET: ${{ secrets.MERCURYO_TEST_SECRET }} EHTERSCAN_API_KEY_MOONBEAM: ${{ secrets.EHTERSCAN_API_KEY_MOONBEAM }} EHTERSCAN_API_KEY_MOONRIVER: ${{ secrets.EHTERSCAN_API_KEY_MOONRIVER }} EHTERSCAN_API_KEY_ETHEREUM: ${{ secrets.EHTERSCAN_API_KEY_ETHEREUM }} INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }} DWELLIR_API_KEY: ${{ secrets.DWELLIR_API_KEY }} WALLET_CONNECT_PROJECT_ID: ${{ secrets.WALLET_CONNECT_PROJECT_ID }} DEBUG_GOOGLE_OAUTH_ID: ${{ secrets.DEBUG_GOOGLE_OAUTH_ID }} RELEASE_GOOGLE_OAUTH_ID: ${{ secrets.RELEASE_GOOGLE_OAUTH_ID }} jobs: codeql: name: CodeQL Analysis runs-on: [self-hosted, wallet] if: github.event_name == 'push' # Only run on push, not PRs (self-hosted security) steps: - name: Checkout uses: actions/checkout@v4 - name: Install dependencies uses: ./.github/workflows/install/ - name: Set up DEV Google Services uses: davidSchuppa/base64Secret-toFile-action@v3 with: secret: ${{ secrets.CI_DEVELOP_GOOGLE_SERVICES }} filename: google-services.json destination-path: ./app/ - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: java-kotlin - name: Build for CodeQL run: ./gradlew assembleDebug -x test -x lint env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 dependency-review: name: Dependency Review runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - name: Checkout uses: actions/checkout@v4 - name: Dependency Review uses: actions/dependency-review-action@v4 with: fail-on-severity: critical deny-licenses: GPL-3.0, AGPL-3.0 secret-scan: name: Secret Scan runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: TruffleHog Secret Scan uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.repository.default_branch }} extra_args: --only-verified hardcoded-secrets: name: Hardcoded Secret Detection runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Scan for hardcoded secrets run: | FOUND=0 echo "Checking for seed phrases / mnemonics..." if grep -rn --include="*.kt" --include="*.java" --include="*.xml" -iE "(mnemonic|seed_phrase)\s*=\s*\"[a-z]+" . | grep -v /build/ | grep -v /test/ | grep -v /androidTest/ | grep -v "R.string" | grep -v "getString"; then echo "::error::Possible seed phrase found in source" FOUND=1 fi echo "Checking for private keys..." if grep -rn --include="*.kt" --include="*.java" -E "(private_key|privateKey|secret)\s*=\s*\"0x[a-fA-F0-9]{64}\"" . | grep -v /build/ | grep -v /test/ | grep -v /androidTest/; then echo "::error::Possible private key found in source" FOUND=1 fi echo "Checking for API keys in source..." if grep -rn --include="*.kt" --include="*.java" -iE "(api_key|apikey|secret_key|password)\s*=\s*\"[^\"]{16,}" . | grep -v /build/ | grep -v /test/ | grep -v /androidTest/ | grep -v BuildConfig | grep -v "process"; then echo "::error::Possible API key or password found in source" FOUND=1 fi if [ "$FOUND" -eq 0 ]; then echo "No hardcoded secrets found." else exit 1 fi