pezkuwichain/pezkuwi-wallet-android
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pezkuwi-wallet-android.git synced 2026-04-22 21:57:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e6a087f907dc7b82db0c1666ba5a2e7604e3749b
pezkuwi-wallet-android/.github/workflows/security.yml
T

133 lines
4.3 KiB
YAML
Raw Blame History

name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 6 * * 1'
permissions:
contents: read
security-events: write
env:
ACALA_PROD_AUTH_TOKEN: ${{ secrets.ACALA_PROD_AUTH_TOKEN }}
ACALA_TEST_AUTH_TOKEN: ${{ secrets.ACALA_TEST_AUTH_TOKEN }}
MOONBEAM_PROD_AUTH_TOKEN: ${{ secrets.MOONBEAM_PROD_AUTH_TOKEN }}
MOONBEAM_TEST_AUTH_TOKEN: ${{ secrets.MOONBEAM_TEST_AUTH_TOKEN }}
MOONPAY_PRODUCTION_SECRET: ${{ secrets.MOONPAY_PRODUCTION_SECRET }}
MOONPAY_TEST_SECRET: ${{ secrets.MOONPAY_TEST_SECRET }}
MERCURYO_PRODUCTION_SECRET: ${{ secrets.MERCURYO_PRODUCTION_SECRET }}
MERCURYO_TEST_SECRET: ${{ secrets.MERCURYO_TEST_SECRET }}
EHTERSCAN_API_KEY_MOONBEAM: ${{ secrets.EHTERSCAN_API_KEY_MOONBEAM }}
EHTERSCAN_API_KEY_MOONRIVER: ${{ secrets.EHTERSCAN_API_KEY_MOONRIVER }}
EHTERSCAN_API_KEY_ETHEREUM: ${{ secrets.EHTERSCAN_API_KEY_ETHEREUM }}
INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
DWELLIR_API_KEY: ${{ secrets.DWELLIR_API_KEY }}
WALLET_CONNECT_PROJECT_ID: ${{ secrets.WALLET_CONNECT_PROJECT_ID }}
DEBUG_GOOGLE_OAUTH_ID: ${{ secrets.DEBUG_GOOGLE_OAUTH_ID }}
RELEASE_GOOGLE_OAUTH_ID: ${{ secrets.RELEASE_GOOGLE_OAUTH_ID }}
jobs:
codeql:
name: CodeQL Analysis
runs-on: [self-hosted, wallet]
if: github.event_name == 'push' # Only run on push, not PRs (self-hosted security)
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install dependencies
uses: ./.github/workflows/install/
- name: Set up DEV Google Services
uses: davidSchuppa/base64Secret-toFile-action@v3
with:
secret: ${{ secrets.CI_DEVELOP_GOOGLE_SERVICES }}
filename: google-services.json
destination-path: ./app/
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java-kotlin
- name: Build for CodeQL
run: ./gradlew assembleDebug -x test -x lint
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: GPL-3.0, AGPL-3.0
secret-scan:
name: Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: TruffleHog Secret Scan
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
extra_args: --only-verified
hardcoded-secrets:
name: Hardcoded Secret Detection
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Scan for hardcoded secrets
run: |
FOUND=0
echo "Checking for seed phrases / mnemonics..."
if grep -rn --include="*.kt" --include="*.java" --include="*.xml" -iE "(mnemonic|seed_phrase)\s*=\s*\"[a-z]+" . | grep -v /build/ | grep -v /test/ | grep -v /androidTest/ | grep -v "R.string" | grep -v "getString"; then
echo "::error::Possible seed phrase found in source"
FOUND=1
fi
echo "Checking for private keys..."
if grep -rn --include="*.kt" --include="*.java" -E "(private_key|privateKey|secret)\s*=\s*\"0x[a-fA-F0-9]{64}\"" . | grep -v /build/ | grep -v /test/ | grep -v /androidTest/; then
echo "::error::Possible private key found in source"
FOUND=1
fi
echo "Checking for API keys in source..."
if grep -rn --include="*.kt" --include="*.java" -iE "(api_key|apikey|secret_key|password)\s*=\s*\"[^\"]{16,}" . | grep -v /build/ | grep -v /test/ | grep -v /androidTest/ | grep -v BuildConfig | grep -v "process"; then
echo "::error::Possible API key or password found in source"
FOUND=1
fi
if [ "$FOUND" -eq 0 ]; then
echo "No hardcoded secrets found."
else
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink