From d3c5d226c063b7eda8fdd6728e8a79273f597159 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Tue, 4 Mar 2025 10:01:50 -0600 Subject: [PATCH 01/10] Initial commit for codeql --- .github/workflows/codeql.yml | 26 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 10 ++++++++++ 2 files changed, 36 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..796968d0 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,26 @@ +name: CodeQL (Swift) - SAST + +on: + pull_request: + push: + workflow_dispatch: + +jobs: + analyze: + name: Code Scanning - CodeQL + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + security-events: write + packages: read + actions: read + contents: read + strategy: + fail-fast: false + steps: + - uses: hyperwallet/public-security-workflows/codeql@main + with: + language: java + build-mode: 'none' + timeout-minutes: 25 + diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..19140c5a --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,10 @@ +name: CodeQL Dependency Review - SCA + +on: + pull_request: + push: + workflow_dispatch: + +jobs: + dependency-review: + uses: hyperwallet/public-security-workflows/.github/workflows/dependency-review.yml@main \ No newline at end of file From 8c6bbc817bc9212b00b5c044b24f0ae7b87c3596 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Tue, 4 Mar 2025 10:39:19 -0600 Subject: [PATCH 02/10] Switching type --- .github/workflows/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 796968d0..64b07c70 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
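Review bot: Both new workflows run `hyperwallet/public-security-workflows/...@main`, a mutable branch ref, from a job that holds `security-events: write`; the `uses:` in the codeql.yml step and the job-level `uses:` in dependency-review.yml should point at a full commit SHA (`uses: hyperwallet/public-security-workflows/codeql@<full-commit-sha>`) so a later push to `main` cannot change what executes with those permissions. dependency-review.yml also fires on `push` and `workflow_dispatch`; dependency review compares a base ref against a head ref, so outside a `pull_request` event it presumably has nothing to diff, and trimming the triggers to `pull_request` would make every run meaningful. The same unpinned `@main` pattern reappears in the DataDog step added by [PATCH 10/10]. dependency-review.yml is also written without a trailing newline.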
@@ -20,7 +20,7 @@ jobs: steps: - uses: hyperwallet/public-security-workflows/codeql@main with: - language: java - build-mode: 'none' + language: swift + build-mode: 'manual' timeout-minutes: 25 From afee7d224be4b1571a1c6021e40a15bf387db3c3 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 10 Apr 2025 09:34:43 -0500 Subject: [PATCH 03/10] Try Different build command --- .github/workflows/codeql.yml | 128 ++++++++++++++++++++++++++++++----- 1 file changed, 111 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 64b07c70..fc4e83fe 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -1,26 +1,120 @@ name: CodeQL (Swift) - SAST on: - pull_request: - push: - workflow_dispatch: + workflow_call: + inputs: + scheme: + description: 'xcodebuild scheme arg' + required: true + type: string + project: + description: 'xcodebuild project arg' + required: true + type: string + workspace: + description: 'Optional xcodebuild workspace arg' + required: false + type: string + command: + description: 'Optional application build command, overrides build-scheme and build-workspace' + required: false + type: string + timeout-minutes: + description: 'Optional override for larger builds' + required: false + default: 30 + type: number + +permissions: + security-events: write + # required to fetch internal or private CodeQL packs + packages: read + actions: read + contents: read + +defaults: + run: + shell: bash jobs: - analyze: - name: Code Scanning - CodeQL - runs-on: ubuntu-latest - timeout-minutes: 25 - permissions: - security-events: write - packages: read - actions: read - contents: read + code-scanning: + name: Code Scanning + runs-on: macos-15 + timeout-minutes: ${{ inputs.timeout-minutes }} strategy: fail-fast: false - steps: - - uses: hyperwallet/public-security-workflows/codeql@main + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Xcode + uses: maxim-lobanov/setup-xcode@v1 + with: + xcode-version: '${{ matrix.xcode_version }}' + + - name: Carthage [Setup cache] + uses: actions/cache@v3 with: - language: swift - build-mode: 'manual' - timeout-minutes: 25 + path: Carthage + key: ${{ runner.os }}-carthage-${{ hashFiles('**/Cartfile.resolved') }} + restore-keys: | + ${{ runner.os }}-carthage-${{ hashFiles('**/Cartfile.resolved') }} + + - name: Carthage [Install dependencies] + run: carthage bootstrap + --platform ios + --cache-builds + --use-xcframeworks + --no-use-binaries + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: swift + build-mode: manual + debug: true + + - name: xcodebuild (default) + 
if: ${{ inputs.build-command == '' }} + run: | + project=${{ inputs.project }} + os_version=17.5 + device="iPhone 15 Pro" + destination="platform=iOS Simulator,name=${device},OS=${os_version}" + + scheme=${{ inputs.scheme }} + build_dir=${HOME}/Library/Developer/Xcode/DerivedData/${scheme} + source_packages=${build_dir}/SourcePackages + + args=( + "-configuration Debug" + "-scheme ${scheme}" + "-project ${project}" + "-destination '${destination}'" + "-derivedDataPath ${build_dir}" + "-clonedSourcePackagesDirPath ${source_packages}" + "-disableAutomaticPackageResolution" + "-scmProvider system" + ) + + if [[ -n "${{ inputs.build-workspace }}" ]]; then + args+=("-workspace ${{ inputs.build-workspace }}") + fi + + args+=("clean") + args+=("build") + + build_cmd="xcodebuild ${args[*]}" + echo "${build_cmd}" + eval "${build_cmd}" + + - name: xcodebuild (custom) + if: ${{ inputs.build-command != '' }} + run: | + ${{ inputs.build-command }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:swift" \ No newline at end of file From ff34b2a796ae662e5b0ba41562dbadcedd0fbc38 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Wed, 4 Jun 2025 12:04:47 -0500 Subject: [PATCH 04/10] Update codeql.yml --- .github/workflows/codeql.yml | 53 ++++++++++-------------------------- 1 file changed, 15 insertions(+), 38 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fc4e83fe..a8ba4cf1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
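Review bot: The two build steps test `inputs.build-command` and `inputs.build-workspace`, but the `workflow_call` block declares the inputs as `command` and `workspace`, so both expressions always expand to empty: the custom step never runs and `-workspace` is never appended. Separately, `inputs.project`, `inputs.scheme` and the workspace value are interpolated straight into the `run:` script, which is text substitution before bash parses it; routing them through `env:` and quoting the variables keeps caller-supplied values from being re-parsed as shell (the `command` input is executed as-is by design, so only trusted callers should be allowed to invoke this workflow). `xcode-version: '${{ matrix.xcode_version }}'` references a matrix the `strategy` block never defines, so it resolves to an empty string. `debug: true` on `codeql-action/init` is presumably a troubleshooting aid and worth turning off once the build is stable.
```yaml
      - name: xcodebuild (default)
        if: ${{ inputs.command == '' }}
        env:
          PROJECT: ${{ inputs.project }}
          SCHEME: ${{ inputs.scheme }}
          WORKSPACE: ${{ inputs.workspace }}
        run: |
          project="$PROJECT"
          # … unchanged: os_version, device, destination …
          scheme="$SCHEME"
          # … unchanged: build_dir, source_packages, args array …
          if [[ -n "$WORKSPACE" ]]; then
            args+=("-workspace ${WORKSPACE}")
          fi
          # … unchanged: clean/build, build_cmd echo and eval …

      - name: xcodebuild (custom)
        if: ${{ inputs.command != '' }}
```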
@@ -1,29 +1,13 @@ -name: CodeQL (Swift) - SAST +name: CodeQL ( Swift ) - SAST on: - workflow_call: - inputs: - scheme: - description: 'xcodebuild scheme arg' - required: true - type: string - project: - description: 'xcodebuild project arg' - required: true - type: string - workspace: - description: 'Optional xcodebuild workspace arg' - required: false - type: string - command: - description: 'Optional application build command, overrides build-scheme and build-workspace' - required: false - type: string - timeout-minutes: - description: 'Optional override for larger builds' - required: false - default: 30 - type: number + pull_request: + branches: + - master + push: + branches: + - master + workflow_dispatch: permissions: security-events: write @@ -40,7 +24,7 @@ jobs: code-scanning: name: Code Scanning runs-on: macos-15 - timeout-minutes: ${{ inputs.timeout-minutes }} + timeout-minutes: 30 strategy: fail-fast: false @@ -51,7 +35,7 @@ jobs: - name: Setup Xcode uses: maxim-lobanov/setup-xcode@v1 with: - xcode-version: '${{ matrix.xcode_version }}' + xcode-version: '16.2' - name: Carthage [Setup cache] uses: actions/cache@v3 @@ -76,21 +60,19 @@ jobs: debug: true - name: xcodebuild (default) - if: ${{ inputs.build-command == '' }} run: | - project=${{ inputs.project }} os_version=17.5 device="iPhone 15 Pro" destination="platform=iOS Simulator,name=${device},OS=${os_version}" - scheme=${{ inputs.scheme }} + scheme=HyperwalletUISDK build_dir=${HOME}/Library/Developer/Xcode/DerivedData/${scheme} source_packages=${build_dir}/SourcePackages args=( "-configuration Debug" - "-scheme ${scheme}" - "-project ${project}" + "-scheme HyperwalletUISDK" + "-project HyperwalletUISDK.xcodeproj" "-destination '${destination}'" "-derivedDataPath ${build_dir}" "-clonedSourcePackagesDirPath ${source_packages}" 
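Review bot: In the `@@ -76,21` hunk the `args` array now hardcodes `"-scheme HyperwalletUISDK"` while the same hunk keeps a `scheme=HyperwalletUISDK` variable that from here on only feeds `build_dir`; keeping `"-scheme ${scheme}"` leaves one place to edit when the scheme is renamed. The `@@ -1,29` hunk renames the workflow to `CodeQL ( Swift ) - SAST` with stray spaces inside the parentheses; the original `CodeQL (Swift) - SAST` reads better. The enclosing `run:` block continues past the end of the `@@ -76,21` hunk.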
@@ -98,8 +80,8 @@ jobs: "-scmProvider system" ) - if [[ -n "${{ inputs.build-workspace }}" ]]; then - args+=("-workspace ${{ inputs.build-workspace }}") + if [[ -n "HyperwalletUISDK.xcodeproj" ]]; then + args+=("-workspace HyperwalletUISDK.xcodeproj") fi args+=("clean") @@ -109,11 +91,6 @@ jobs: echo "${build_cmd}" eval "${build_cmd}" - - name: xcodebuild (custom) - if: ${{ inputs.build-command != '' }} - run: | - ${{ inputs.build-command }} - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: From 77fbe61ab91c44b54a84ef378ccdd034d8779c2e Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Wed, 18 Jun 2025 10:11:05 -0500 Subject: [PATCH 05/10] Removing Project Arg --- .github/workflows/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a8ba4cf1..bd2a1610 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -72,7 +72,6 @@ jobs: args=( "-configuration Debug" "-scheme HyperwalletUISDK" - "-project HyperwalletUISDK.xcodeproj" "-destination '${destination}'" "-derivedDataPath ${build_dir}" "-clonedSourcePackagesDirPath ${source_packages}" From e4f5f903103e58afdc4443d7f8897f714ba40c81 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Tue, 1 Jul 2025 11:54:16 -0500 Subject: [PATCH 06/10] Update codeql.yml --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 79e968c6..3524fc97 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -79,7 +79,7 @@ jobs: ) if [[ -n "HyperwalletUISDK.xcodeproj" ]]; then - args+=("-workspace HyperwalletUISDK.xcodeproj") + #args+=("-workspace HyperwalletUISDK.xcodeproj") fi args+=("clean") From 9348575c8491e8a1109bcd9b0489c104f90b3ce4 Mon Sep 17 00:00:00 2001 
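Review bot: `if [[ -n "HyperwalletUISDK.xcodeproj" ]]` in the `@@ -98,8` hunk tests a non-empty literal, so it is always true, and the body then hands a `.xcodeproj` to `-workspace`, which expects a `.xcworkspace`; the block should be removed rather than hollowed out. [PATCH 06/10] later comments out the `args+=` line, leaving an `if`/`fi` whose body is only a comment — a bash syntax error — and [PATCH 07/10] adds `t=1` as filler; deleting the three lines `if … then`/`#args+=…`/`fi` resolves all of it. The [PATCH 05/10] hunk drops `-project` with no `-workspace` in its place, so xcodebuild presumably relies on the checkout directory holding a single project; if that is intended, a one-line comment in the script saying so would save the next reader a search.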
From: Pablo Alguindigue Date: Tue, 1 Jul 2025 12:01:38 -0500 Subject: [PATCH 07/10] Update codeql.yml --- .github/workflows/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3524fc97..b0ff9f13 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -79,6 +79,7 @@ jobs: ) if [[ -n "HyperwalletUISDK.xcodeproj" ]]; then + t=1 #args+=("-workspace HyperwalletUISDK.xcodeproj") fi From d1462beb47022234e7c25e70742da548d37b8cbc Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 10 Jul 2025 13:23:52 -0500 Subject: [PATCH 08/10] Update codeql.yml --- .github/workflows/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b0ff9f13..86a24699 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -75,7 +75,8 @@ jobs: "-derivedDataPath ${build_dir}" "-clonedSourcePackagesDirPath ${source_packages}" "-disableAutomaticPackageResolution" - "-scmProvider system" + "-scmProvider system" + "-destination 'generic/platform=iOS Simulator'" ) if [[ -n "HyperwalletUISDK.xcodeproj" ]]; then From fdaf727fe605c9841e2b9a8bca36b8510b530526 Mon Sep 17 00:00:00 2001 From: Pablo Alguindigue Date: Thu, 10 Jul 2025 13:48:27 -0500 Subject: [PATCH 09/10] Update codeql.yml --- .github/workflows/codeql.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 86a24699..918e1b95 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -71,7 +71,6 @@ jobs: args=( "-configuration Debug" "-scheme HyperwalletUISDK" - "-destination '${destination}'" "-derivedDataPath ${build_dir}" "-clonedSourcePackagesDirPath ${source_packages}" "-disableAutomaticPackageResolution" From 888e9654b1dce7c00473fc589c5d8c58018c98a4 Mon Sep 17 00:00:00 2001 
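Review bot: The [PATCH 08/10] hunk appends `"-destination 'generic/platform=iOS Simulator'"` while the array still holds `"-destination '${destination}'"`, so xcodebuild receives two destinations; [PATCH 09/10] removes the first one, which fixes the duplicate but, if the `os_version`, `device` and `destination` assignments earlier in the script are still present, leaves them dead — they sit outside these hunks and should go with it. The same [PATCH 08/10] hunk also replaces the `"-scmProvider system"` line with one that shows no visible change, presumably trailing whitespace, which makes the diff noisier than the edit. The `t=1` line in the [PATCH 07/10] hunk exists only to keep the surrounding `if` block parseable; removing the block entirely is the cleaner fix.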
From: Pablo Alguindigue Date: Tue, 29 Jul 2025 10:53:57 -0500 Subject: [PATCH 10/10] Adding in Data dog --- .github/workflows/codeql.yml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 918e1b95..748dec79 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -28,7 +28,11 @@ jobs: strategy: fail-fast: false - steps: + steps: + - name: Capture start time + run: echo "start_time=$(date +%s)" >> $GITHUB_ENV + shell: bash + - name: Checkout uses: actions/checkout@v4 @@ -93,4 +97,14 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: "/language:swift" \ No newline at end of file + category: "/language:swift" + + - name: DataDog + if: always() && github.event_name != 'merge_group' + uses: hyperwallet/public-security-workflows/datadog@main + with: + SOURCE: "CodeQL" + DATADOG_API_KEY: ${{ secrets.BUILD_SECURITY_PAYPAL_DATADOG_QA_TOKEN_PAYPAL_DATADOG_QA_TOKEN }} + BU_NAME: "Hyperwallet" + start_time: ${{ env.start_time }} + OUTCOME: "${{ steps.codeql.outcome }}" \ No newline at end of file
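Review bot: `OUTCOME: "${{ steps.codeql.outcome }}"` references a step id that no step in this workflow declares — the `Perform CodeQL Analysis` step has a `name:` but no `id:` — so the outcome reported to Datadog is always empty; add `id: codeql` next to that step's `name:` line. `hyperwallet/public-security-workflows/datadog@main` is again a mutable ref, and this one receives a secret as input; pin it to a full commit SHA like the other hyperwallet actions in this series. The secret name `BUILD_SECURITY_PAYPAL_DATADOG_QA_TOKEN_PAYPAL_DATADOG_QA_TOKEN` repeats its suffix, which looks like a copy-paste slip — confirm it matches the repository secret, since a misspelled secret expands to an empty string with no error. The `github.event_name != 'merge_group'` test is always true because the workflow declares no `merge_group` trigger, so `if: always()` says the same thing with less to read.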