Add MobSF static analysis integration and config

.github/workflows/mobsfscan.yml

@@ -0,0 +1,48 @@
+name: MobSF Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  mobsfscan:
+    name: mobsfscan static analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install uv
+        run: |
+          curl -LsSf https://astral.sh/uv/install.sh | sh
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Install mobsfscan
+        run: uv tool install mobsfscan
+
+      - name: Run mobsfscan
+        run: |
+          set +e
+          uv tool run mobsfscan -- --type ios --config .mobsf --sarif --output results.sarif --exit-warning
+          EXIT_CODE=$?
+          echo "MOBSF_EXIT=${EXIT_CODE}" >> "$GITHUB_ENV"
+          exit 0
+
+      - name: Upload mobsfscan SARIF
+        if: always() && hashFiles('results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+      - name: Fail when mobsfscan finds issues
+        if: ${{ env.MOBSF_EXIT != '' && env.MOBSF_EXIT != '0' }}
+        run: |
+          echo "mobsfscan reported security findings. Review the SARIF upload for details."
+          exit 1

.mobsf

@@ -0,0 +1,21 @@
+---
+- ignore-paths:
+  - build
+  - .build
+  - core
+  - Gem.xcodeproj
+  - Gem/Generated
+  - GemTests/Fixtures
+  - GemTests
+  - Packages/Keystore/Tests
+  - Packages/Keychain/Tests
+  - Packages/Keychain/Sources/Types/Accessibility.swift
+  - Packages/Keystore/TestKit
+  - Packages/Gemstone
+  - Packages/GemstonePrimitives
+  - Packages/Primitives/Sources/Extensions/Color+Primitives.swift
+  - Packages/Primitives/Sources/TransactionLoadMetadata.swift
+  - swiftgen.yml
+  severity-filter:
+  - WARNING
+  - ERROR

Features/FiatConnect/Sources/ViewModels/FiatTransactionTypeViewModel.swift

@@ -31,7 +31,7 @@ public extension FiatQuoteTypeViewModel {
 
     func randomAmount(maxAmount: Double) -> Double? {
         switch type {
-        case .buy: Double(Int.random(in: Int(defaultAmount)..<Int(maxAmount)))
+        case .buy: Double(Int.random(in: Int(defaultAmount)..<Int(maxAmount))) // mobsf-ignore: ios_insecure_random_no_generator (UI suggestion only)
         case .sell: .none
         }
     }

Features/Onboarding/Sources/Types/WalletImportType.swift

@@ -7,9 +7,9 @@ import Localization
 enum WalletImportType: String, Hashable, CaseIterable, Identifiable {
     var id: String { rawValue }
 
-    case phrase = "Phrase"
-    case address = "Address"
-    case privateKey = "Private Key"
+    case phrase
+    case address
+    case privateKey
 }
 
 extension WalletImportType {

Packages/Keystore/Sources/LocalKeystorePassword.swift

@@ -7,7 +7,7 @@ import Primitives
 
 public final class LocalKeystorePassword: KeystorePassword {
     private struct Keys {
-        static let password = "password"
+        static let password = "password" // mobsf-ignore: ios_hardcoded_secret
         static let passwordAuthentication = "password_authentication"
         static let passwordAuthenticationPeriod = "password_authentication_period"
         static let passwordAuthenticationPrivacyLock = "password_authentication_privacy_lock"

Packages/Style/Sources/Emoji.swift

@@ -89,7 +89,7 @@ public struct Emoji {
         case ninja = "🥷"
         case hacker = "👨‍💻"
         case vault = "🛢"
-        case key = "🔑"
+        case keyEmoji = "🔑"
         case shield = "🛡"
         case upChart = "📈"
         case downChart = "📉"

README.md

@@ -68,6 +68,15 @@ If you want to contribute, you can use our [developers telegram](https://t.me/ge
 
 If you're using a legacy Intel Mac, you need to pull latest `core` submodule and run `just generate-stone` to build `x86_64` arch Gemstone, the core library used by Gem iOS.
 
+## 🔐 Security Scanning
+
+We run [MobSF mobsfscan](https://github.com/MobSF/mobsfscan) to catch insecure patterns in Swift and Objective-C code.
+
+- **Local usage**: Install [`uv`](https://docs.astral.sh/uv/getting-started/installation/) and run `uv tool install mobsfscan` once. After that, `just mobsfscan` (internally `uv tool run mobsfscan -- --type ios --config .mobsf --exit-warning`) scans the iOS source tree with the repo-wide `.mobsf` configuration and fails when it encounters `WARNING` or `ERROR` level findings.
+- **CI enforcement**: `.github/workflows/mobsfscan.yml` installs mobsfscan on every push/PR to `main`, uploads a SARIF report to GitHub code scanning, and fails the workflow when findings remain.
+
+Suppress individual findings only when you fully understand the risk—either update the code or add a `// mobsf-ignore: rule_id` inline comment with context.
+
 ## 👨‍👧‍👦 Contributors
 
 We love contributors! Feel free to contribute to this project but please read the [Contributing Guidelines](CONTRIBUTING.md) first!

justfile

@@ -115,6 +115,12 @@ test TARGET: show-simulator
     -jobs {{BUILD_THREADS}} \
     test | xcbeautify {{XCBEAUTIFY_ARGS}}
 
+mobsfscan:
+    @command -v uv >/dev/null || { \
+        echo "uv is not installed. Install it via 'curl -LsSf https://astral.sh/uv/install.sh | sh'."; \
+        exit 1; }
+    uv tool run mobsfscan -- --type ios --config .mobsf --exit-warning
+
 localize:
     @sh core/scripts/localize.sh ios Packages/Localization/Sources/Resources
     just generate-model
@@ -138,4 +144,4 @@ generate-stone:
 bump-version:
     @sh ./scripts/bump-version-and-commit.sh patch
 
-mod core
+mod core