In the series, I will build a simple Hacker News reader for iOS using Firebase, SwiftUI and GitHub Copilot X. In part 6, I use GitHub Copilot X to automate security and privacy testing on each pull request using GitHub Actions:

• GitHub Actions plan for automated build and security scans
• GitHub Action to build and scan iOS app - static only
• Use GitHub Copilot to help write a GitHub Action
• Dynamic security scans on pull requests or new releases
• Thoughts on GitHub Copilot X results for GitHub Actions

1. GitHub Actions plan for automated build and security scans

What I want to do is be able to have is an Action that will automatically build and scan my application at different points in the developer lifecycle. So the first thing that I want to do is anytime I create a new branch and make a commit to that branch, I want to make sure that I do a quick static binary scan using NowSecure.

And then when I do pull requests to merge that branch into main, I want to do both a static scan and a full dynamic scan because that’s really the best time to catch any security issues.

And then lastly, if I make a release, I want to make sure that I do another full scan. That’s just going to take into account perhaps any other changes that happened in the main branch, and I just think it’s a good idea to do a full security scan before you hand things off to QA and get ready to release it to the public stores.

2. Use GitHub Copilot to help write a GitHub Action

So with that in mind, let’s dive right in and see what GitHub Copilot can do to help us with these tasks. So I actually have some detailed tutorials on this topic and if you go out to my personal website and you can see them by clicking on the GitHub Actions tags.

I have one about building an iOS app with GitHub Actions and it will walk you through all of the code, everything that you need to do to get this up and running. And this is really kind of a one-time config and then you can forget it after that.

Similarly, I have one out there about building a React Native iOS app with GitHub Actions. And that one I wanted to just point out briefly because it’s a little more complicated as there are multiple provisioning profiles involved. And so this particular script will not only walk you through how to do things manually if you don’t let Xcode do it for you, but also get into the particulars of managing multiple provisioning profiles.

After some minor adjustments for the name of the particular application that I’m building, I decided that I really want to change how and when I run the scan from the config in Part 5. And so right now I have it running on a workflow dispatch, which is just kind of a manual trigger.

But what I really want to do is run this anytime there’s a push, but I don’t want to do it on the main branch because that’s one where I want to run dynamic scans. So let’s throw in a little comment here and see if we can get Copilot to help us write it. So we want to run on a push not to the main branch to any branch except main. OK, let’s see what we get with this prompt:

On a push, branches ignore main.

Awesome. All right, let’s go ahead and save this. And I’m actually not currently using a branch for this work. I guess this is kind of inside the repository setup. So right now, I’m just committing directly to main. I do need to get out of the habit of doing that. Normally I do this command line, but I’m going to see about doing this through VS Code.

So I think I just stage the commit here and then I add a quick comment lie “run on all push to any branch except main”. So let’s go ahead and commit that. And then I think you have to not refresh I guess push that to the main repo okay now in theory that should not kick off a scan because we just committed directly to main. So let’s see yep we just have to commit here to main and if I come under actions I don’t see anything that’s running so I ran this last night I got everything up and running.

But next time we kick off some scans inside a branch, this should automatically trigger and we’ll go ahead and test that later. Now the next thing that I want to do is actually kick off scans when we do a pull request or a new release. And originally I was gonna create two separate workflow files, but I think that’s kind of silly.

One of the things that I could look into is creating reusable workflows and things of that sort or composite workflows, but that’s a little bit too much work right now. So I’m just going to come in here and really a lot of the stuff here is exactly the same because I want to come out and build the application.

3. Dynamic security scans on pull requests or new releases

So I’m just going to copy this guy. And then let’s come in to this new YAML file and let’s go ahead and paste in here. Now we want to change this up a bit. So let’s call this a full scan. Let’s just call it a dynamic. And obviously, we want to be able to trigger it manually for testing.

But here, we need to change this because we don’t want to omit main. We actually want to primarily focus on main and pull requests. So let’s go ahead and delete this. And again, let’s get Copilot to help us write this:

Run on pull requests or new release.

Let’s see what we’ve got here. Unexpected value pull request. I think this is a YAML spacing issue, issue so I’m just gonna change the spacing here and see how this works. That gets rid of the error. Okay so now we’ve got a scan here that will run on pull requests against main and any published release.

Note: If you watch the full video, you’ll see me fumble around quite a bit. My mistake was that I was embedding the Copilot prompts inside the workflow_dispatch: section which was incorrect. We needed a new section for different triggers and through some trial and error, I finally figured it out.

Now I do believe there’s a way with the extension that I added that I could probably go kick that job off from VS Code, but I’m going to go ahead and pop over to the repo real quick. And let’s take a look and see, okay, so now we have built in Scan Dynamic Scan and Static Only. Static Only is the one that I did earlier.

So the Dynamic Scan, again we could take a quick look at this, but this should be on pull requests and on releases. So I’m going to go ahead and just kick this job off and see if we can get a successful run here in a couple of minutes.

4. GitHub Copilot X thoughts - configuring GitHub Actions

So far it was helpful. I struggled a little bit with some of the comments and candidly the spacing in YAML files which I always struggle with. Some of this may be just my familiarity with VS code and things of that sort.

And I’m not actually sure that I got the releases thing right. I actually haven’t really used releases before so this is kind of a new area for myself anyway. So I’ll go ahead and see whether or not this scan was successful and then we’ll touch on briefly it at the start of the next video.

And then from there we’re going to be ready to create our next branch and start to recreate some of the files and quickly get back into coding the application and hopefully displaying the results of the top news in our main screen really soon.