Code: Security code scanner #757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft pull request: wants to merge 1 commit into base: dev
54 changes: 54 additions & 0 deletions .github/workflows/codeql-scan.yml
@@ -0,0 +1,54 @@
name: CodeQL Scan

Member:

Does it scan only our source code? What about scanning node_modules, or the /dist dir after build? Did you check how Metamask is dealing with that?

@graycraft (Member, author), Apr 12, 2025:

Metamask uses its own custom scanner; dist is skipped because it basically has the same logic as the src directory.
node_modules can be easily scanned by npm audit, and it runs on every install.

Member:

We can't rely only on npm audit. If no one has reported malicious code inside a package, npm audit will not catch it.

I think we additionally need to scan either node_modules or the dist dir with CodeQL.

Member:

Also do some research on how other open source projects (besides MetaMask) are dealing with that. @graycraft

Member:

CodeQL: CodeQL can be configured to scan node_modules as well. This can help identify potential security issues that npm audit might miss. You can modify your workflow to include node_modules in the scan.

Suggested additions:

  • Add npm audit or even audit-ci in CI as a separate job.
  • Use a static analysis tool like Snyk or Socket.dev to catch malicious patterns (not just vulnerabilities).
  • Don’t scan dist — that’s compiled code. Instead, ensure your source code and build pipeline are secure.

Here are some examples you could explore:

  • MetaMask: custom pipeline + not relying on dist/node_modules.
  • Hardhat (Nomic Foundation): uses npm audit + some static analysis.
  • Ethers.js: relies on lightweight CI and minimal deps.
  • Zcash: uses CodeQL + other tools to scan for logic issues.
  • Brave Browser: runs both CodeQL and custom static scans with alerts for dependency changes.
  • Projects like Webpack, Next.js, and other popular JavaScript/TypeScript projects might have robust security practices that you can learn from.

TL;DR Suggestions:

  • Use CodeQL for source code.
  • Use audit-ci or snyk test to scan node_modules.
  • Don't scan dist, it's unnecessary duplication.
  • Consider adding npm audit --audit-level=high as a gate.
  • Review tools like Snyk, Socket.dev, or NodeSecure (https://github.com/nodesecure/nodesecure) for an additional layer of scanning.


on:
push:
branches:
- master
- dev
pull_request:
types:
- opened
workflow_dispatch:

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# @see https://gh.io/recommended-hardware-resources-for-running-codeql
# @see https://gh.io/supported-runners-and-hardware-resources
# @see https://gh.io/using-larger-runners
runs-on: ubuntu-latest
permissions:
# Required for all workflows.
security-events: write
# Required to fetch internal or private CodeQL packs.
packages: read
# Only required for workflows in private repositories.
actions: read
contents: read

strategy:
fail-fast: false
matrix:
# @see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# @see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
build-mode: ['none']
language: ['actions', 'javascript-typescript']
steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# @see https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
queries: security-extended,security-and-quality

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: '/language:${{matrix.language}}'
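Review bot: the `pull_request` trigger is restricted to `types: [opened]`, so the scan runs once when a PR is opened and is never re-run when further commits are pushed to the PR branch; the code that eventually gets merged may therefore never have been scanned. Either drop the `types:` filter (the default set is opened, synchronize and reopened) or add `synchronize` and `reopened` explicitly. Two smaller points in the same file: `queries: security-extended,security-and-quality` is redundant, since the `security-and-quality` suite already contains everything in `security-extended`, so one entry suffices; and for a workflow whose purpose is catching malicious dependencies, `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` should be pinned to full commit SHAs rather than mutable major-version tags, with a comment carrying the human-readable version.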
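The reviewer above suggests adding `npm audit` (or `audit-ci`) as a separate CI job and using `npm audit --audit-level=high` as a gate. As an added example that is not part of this PR or the project's own workflow, the job below shows how that gate could sit next to the `analyze` job in the same workflow's `jobs:` map. The job name, the Node.js version, the presence of a `package-lock.json` (required by `npm ci`) and the use of `--ignore-scripts` are assumptions made for the example.

```yaml
# Added example, not part of the PR: a dependency-audit job that fails the
# workflow when a high or critical advisory is present. It would be placed
# under the existing `jobs:` key alongside `analyze`.
jobs:
  dependency-audit:                      # job name is illustrative
    name: Dependency audit (npm audit)
    runs-on: ubuntu-latest
    permissions:
      contents: read                     # read-only token is enough here
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'             # assumed; match the project's engines field
          cache: npm                     # assumes package-lock.json is committed

      # Install without running lifecycle scripts, so a compromised package
      # cannot execute code on the runner before it has been audited.
      - name: Install dependencies
        run: npm ci --ignore-scripts

      # npm audit exits non-zero when any advisory at or above the given
      # level is found, which is what turns this step into a gate.
      - name: Audit dependencies
        run: npm audit --audit-level=high
```

As the thread itself notes, `npm audit` only reports advisories that someone has already published, so this job complements the CodeQL scan rather than replacing it; `--ignore-scripts` is the part of the example that addresses the "malicious code nobody has reported yet" case, by keeping unreviewed install hooks from running on the CI runner at all.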