Merged
86 changes: 86 additions & 0 deletions .github/workflows/socket-scan.yml
@@ -0,0 +1,86 @@
# Socket reachability scan for freighter-mobile.
# For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability
# Multi-eco: Node (yarn — root + sub: mock-dapp/, src/eslint-plugin-translations/) + Ruby (Gemfile at root) + Java/Gradle (sub: android/app/build.gradle, android/build.gradle — Android project). First 3-ecosystem combo in the fleet.
#
# Schedule: Sat 08:48 UTC weekly. Use workflow_dispatch to run on demand.
#
# ============================================================================
# Socket scan — reading the job status. (The scan step below produces this: an
# exit code + an optional ::warning:: annotation, which GitHub Actions renders
# as the job's state.)
# ============================================================================
# GREEN (exit 0, no warning): scan completed and every analyzed vulnerability
# got full Tier 1 reachability (precise, your-code-aware). Nothing to do.
# YELLOW (exit 0 + "::warning:: Socket scan completed with Tier 2 fallbacks"):
# scan completed, but Tier 1 could NOT be computed for some/all
# vulnerabilities, which fell back to Tier 2 (precomputed) reachability.
# You still get CVE detection + Tier 2 results, just reduced precision
# for the affected CVEs. The job is NOT failing.
# RED (non-zero exit): scan did not complete. Do not assume any part
# succeeded — could be reachability hard-failing, a missing language
# toolchain, the runner out of memory, a network/API error, or even the
# underlying CVE/SBOM detection failing. Check the logs and fix before
# relying on results.
# ============================================================================

name: Socket reachability scan

on:
schedule:
- cron: '48 8 * * 6'
workflow_dispatch:

permissions:
contents: read

env:
# Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to
# use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove
# after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op).
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
socket-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: temurin
java-version: "17.0.19"
- uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1.312.0
with:
ruby-version: "3.4.9"
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "24.18.0"
- name: Enable Corepack (yarn/pnpm per repo packageManager)
run: corepack enable

- name: Install Socket CLI
run: npm install -g socket

- name: Run Socket reachability scan
env:
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
run: |
# Stream the scan output through tee so the run log captures it AND
# we can grep it for Tier-2-fallback markers; capture the scan's
# exit code via ${PIPESTATUS[0]} (tee always exits 0). If the scan
# succeeded but logged a Tier 2 fallback, emit a ::warning::
# annotation that GitHub Actions renders as a yellow run-level
# warning without failing the job.
set +e
socket scan create --reach \

[P2] Enable Gradle manifest generation

This workflow is documented as covering the Android Gradle project, but the Socket invocation never enables manifest generation. I checked the repo and the Android dependencies are only described by android/settings.gradle, android/build.gradle, and android/app/build.gradle; Socket's scan create --help says --auto-manifest is necessary for Gradle/Kotlin, and socket ci --autoManifest similarly says it is needed to include locally generated manifests like Gradle. Without that flag or a pre-generated SBOM/lockfile, the scheduled run can succeed while omitting the Android dependency graph from the reachability scan.

--org=stellar \
Comment on lines +74 to +75

[P2] Pass the repository and branch to Socket

When this scheduled/manual workflow runs without a checked-in socket.json override (I checked the repo), socket scan create does not infer the GitHub repo/branch from Actions; Socket's scan create --help documents --repo as defaulting to socket-default-repository and --branch to socket-default-branch. As written, successful scans will be filed under those placeholder names instead of freighter-mobile and the scheduled/dispatch ref, so the repository's Socket alerts/history will not be updated for the code this workflow just analyzed. Pass --repo/--branch (and initialize the default branch if needed) from the GitHub context.

--no-interactive \
--reach-continue-on-no-source-files \
--reach-continue-on-analysis-errors \
--reach-continue-on-install-errors \
--reach-continue-on-missing-lock-files \
. 2>&1 | tee /tmp/scan.log
rc=${PIPESTATUS[0]}
if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then
echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1"
fi
exit $rc
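Review bot: the `npm install -g socket` step (Install Socket CLI) is the one dependency in this job that is not pinned, while every action is pinned to a commit SHA and the Java, Ruby and Node toolchains to exact versions; the scanner itself therefore floats to whatever npm serves on the scheduled Saturday run. That matters more than usual here because the YELLOW state is detected by grepping the CLI's log text (`grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed"`), so a CLI release that rewords those messages would silently turn a Tier 2 fallback into GREEN, which the header defines as "every analyzed vulnerability got full Tier 1 reachability". Suggest pinning the CLI (`npm install -g socket@<version>`), bumping it deliberately together with the grep patterns, and noting in the header that the YELLOW detection is a log-text heuristic. Related, in the same step: the four `--reach-continue-on-*` flags tell the scan to keep going past install errors, analysis errors, missing lockfiles and missing source files, so a missing toolchain or a failed dependency install may not produce the non-zero exit that the RED description in the header promises; either extend the warning check to those conditions or soften the header's RED wording so readers do not assume a green run implies all ecosystems were analyzed.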