Add MobSF static analysis integration and config (#1373)

* Add MobSF static analysis integration and config

Introduces MobSF mobsfscan for static security analysis with a new GitHub Actions workflow, a .mobsf configuration file, and a justfile command for local usage. Updates the README with security scanning instructions and adds inline suppressions for specific MobSF rules. Also includes minor code cleanups and enum case renaming for consistency.

* Update .mobsf

* Update .mobsf

Author: 0xh3rman

.github/workflows/mobsfscan.yml

@@ -0,0 +1,48 @@
+name: MobSF Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  mobsfscan:
+    name: mobsfscan static analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        run: |
+          curl -LsSf https://astral.sh/uv/install.sh | sh
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Install mobsfscan
+        run: uv tool install mobsfscan
+
+      - name: Run mobsfscan
+        run: |
+          set +e
+          uv tool run mobsfscan -- --type ios --config .mobsf --sarif --output results.sarif --exit-warning
+          EXIT_CODE=$?
+          echo "MOBSF_EXIT=${EXIT_CODE}" >> "$GITHUB_ENV"
+          exit 0
+
+      - name: Upload mobsfscan SARIF
+        if: always() && hashFiles('results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+      - name: Fail when mobsfscan finds issues
+        if: ${{ env.MOBSF_EXIT != '' && env.MOBSF_EXIT != '0' }}
+        run: |
+          echo "mobsfscan reported security findings. Review the SARIF upload for details."
+          exit 1

.mobsf

@@ -0,0 +1,21 @@
+---
+- ignore-paths:
+  - build
+  - .build
+  - core
+  - Gem.xcodeproj
+  - Gem/Generated
+  - GemTests/Fixtures
+  - GemTests
+  - Packages/Keystore/Tests
+  - Packages/Keychain/Tests
+  - Packages/Keychain/Sources/Types/Accessibility.swift
+  - Packages/Keystore/TestKit
+  - Packages/Gemstone
+  - Packages/GemstonePrimitives
+  - Packages/Primitives/Sources/Extensions/Color+Primitives.swift
+  - Packages/Primitives/Sources/TransactionLoadMetadata.swift
+  - swiftgen.yml
+  severity-filter:
+  - WARNING
+  - ERROR

Features/FiatConnect/Sources/ViewModels/FiatTransactionTypeViewModel.swift

@@ -31,7 +31,7 @@ public extension FiatQuoteTypeViewModel {
 
     func randomAmount(maxAmount: Double) -> Double? {
         switch type {
-        case .buy: Double(Int.random(in: Int(defaultAmount)..<Int(maxAmount)))
+        case .buy: Double(Int.random(in: Int(defaultAmount)..<Int(maxAmount))) // mobsf-ignore: ios_insecure_random_no_generator (UI suggestion only)
         case .sell: .none
         }
     }

Features/Onboarding/Sources/Types/WalletImportType.swift

@@ -7,9 +7,9 @@ import Localization
 enum WalletImportType: String, Hashable, CaseIterable, Identifiable {
     var id: String { rawValue }
 
-    case phrase = "Phrase"
-    case address = "Address"
-    case privateKey = "Private Key"
+    case phrase
+    case address
+    case privateKey
 }
 
 extension WalletImportType {

Packages/Keystore/Sources/LocalKeystorePassword.swift

@@ -7,7 +7,7 @@ import Primitives
 
 public final class LocalKeystorePassword: KeystorePassword {
     private struct Keys {
-        static let password = "password"
+        static let password = "password" // mobsf-ignore: ios_hardcoded_secret
         static let passwordAuthentication = "password_authentication"
         static let passwordAuthenticationPeriod = "password_authentication_period"
         static let passwordAuthenticationPrivacyLock = "password_authentication_privacy_lock"

Packages/Style/Sources/Emoji.swift

@@ -89,7 +89,7 @@ public struct Emoji {
         case ninja = "🥷"
         case hacker = "👨‍💻"
         case vault = "🛢"
-        case key = "🔑"
+        case keyEmoji = "🔑"
         case shield = "🛡"
         case upChart = "📈"
         case downChart = "📉"

README.md

@@ -68,6 +68,15 @@ If you want to contribute, you can use our [developers telegram](https://t.me/ge
 
 If you're using a legacy Intel Mac, you need to pull latest `core` submodule and run `just generate-stone` to build `x86_64` arch Gemstone, the core library used by Gem iOS.
 
+## 🔐 Security Scanning
+
+We run [MobSF mobsfscan](https://github.com/MobSF/mobsfscan) to catch insecure patterns in Swift and Objective-C code.
+
+- **Local usage**: Install [`uv`](https://docs.astral.sh/uv/getting-started/installation/) and run `uv tool install mobsfscan` once. After that, `just mobsfscan` (internally `uv tool run mobsfscan -- --type ios --config .mobsf --exit-warning`) scans the iOS source tree with the repo-wide `.mobsf` configuration and fails when it encounters `WARNING` or `ERROR` level findings.
+- **CI enforcement**: `.github/workflows/mobsfscan.yml` installs mobsfscan on every push/PR to `main`, uploads a SARIF report to GitHub code scanning, and fails the workflow when findings remain.
+
+Suppress individual findings only when you fully understand the risk—either update the code or add a `// mobsf-ignore: rule_id` inline comment with context.
+
 ## 👨‍👧‍👦 Contributors
 
 We love contributors! Feel free to contribute to this project but please read the [Contributing Guidelines](CONTRIBUTING.md) first!

justfile

@@ -110,6 +110,12 @@ test TARGET: show-simulator
     -jobs {{BUILD_THREADS}} \
     test | xcbeautify {{XCBEAUTIFY_ARGS}}
 
+mobsfscan:
+    @command -v uv >/dev/null || { \
+        echo "uv is not installed. Install it via 'curl -LsSf https://astral.sh/uv/install.sh | sh'."; \
+        exit 1; }
+    uv tool run mobsfscan -- --type ios --config .mobsf --exit-warning
+
 localize:
     @sh core/scripts/localize.sh ios Packages/Localization/Sources/Resources
     just generate-model
@@ -133,4 +139,4 @@ generate-stone:
 bump-version:
     @sh ./scripts/bump-version-and-commit.sh patch
 
-mod core
+mod core