.github/workflows/code-security.yml

name: Code Security

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

permissions:
  contents: read

jobs:
  mobsfscan-job:
    env:
      GIT_STRATEGY: none
      DD_TEST_NAME: "CI-Mobsfscan ${{ github.ref }} ${{ github.sha }}"
      DD_TEST_TYPE_NAME: "Mobsfscan Scan"
      DD_FILE_NAME: "mobsf-output.json"
      DD_URL: https://dojo.krystal.team
      DD_API_KEY: ${{ secrets.DD_API_KEY }}
      DD_PRODUCT_NAME: "Krystal iOS"
      DD_PRODUCT_TYPE_NAME: "Research and Development"
      DD_ENGAGEMENT_NAME: "CI-Engagement"

    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Setup python
        uses: actions/setup-python@v3
        with:
          python-version: 3.8

      - name: Install the prerequisite
        shell: bash
        run: |
          pip3 install --upgrade urllib3
          pip3 install dd-import

      - name: Run mobsfscan (json output)
        uses: MobSF/mobsfscan@main
        with:
          args:  . --json -o $DD_FILE_NAME || true

      - name: Run mobsfscan (sarif output)
        uses: MobSF/mobsfscan@main
        with:
          args: . --sarif --output results.sarif || true

      - name: Upload mobsfscan report to codeql
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

      - name: Upload to Dojo
        shell: bash
        run: |
          python -m dd_import.dd_reimport_findings