Description

[lannathompson65-arch]

Description

Issue(s) fixed

Fixes #

Preview

Checklist

• If this PR updates or adds documentation content that changes or adds technical meaning, it has received an approval from an engineer or DevRel from the relevant team.
• If this PR updates or adds documentation content, it has received an approval from a technical writer.

External contributor checklist

• I've read the contribution guidelines.
• I've created a new issue (or assigned myself to an existing issue) describing what this PR addresses.

---

Note

High Risk
New workflows on main/PRs can fail repeatedly (Deno, Gradle/zScan, incomplete SonarCloud/Codacy config) and the unrelated root index.html is confusing for a docs repo; only the devDependency bump is clearly intentional.

Overview
This PR adds four new GitHub Actions workflows on main push/PR (and Codacy on a weekly cron): Codacy (SARIF upload, needs CODACY_PROJECT_TOKEN), SonarCloud (needs SONAR_TOKEN and still has empty sonar.projectKey / sonar.organization), Deno (deno lint / deno test -A), and Zimperium zScan (./gradlew build plus mobile APK placeholders and ZSCAN_CLIENT_SECRET). Those jobs are largely stock templates and are unlikely to match this Docusaurus docs repo without extra setup, so they may fail or add noise on every run.

It also adds a root index.html to-do demo (references styles.css / script.js not in the diff), a generic SECURITY.md policy template, and bumps @typescript-eslint/parser from ^8.46.2 to ^8.58.2 in package.json with a matching package-lock.json refresh.

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

@lannathompson65-arch is attempting to deploy a commit to the Consensys Team on Vercel.

A member of the Team first needs to authorize it.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​typescript-eslint/​parser@​8.46.2 ⏵ 8.58.2	+1		+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Medium CVE: npm brace-expansion: Large numeric range defeats documented `max` DoS protection CVE: GHSA-jxxr-4gwj-5jf2 brace-expansion: Large numeric range defeats documented max DoS protection (MODERATE) Affected versions: >= 5.0.0 < 5.0.6 Patched version: 5.0.6 From: package-lock.json → npm/@typescript-eslint/parser@8.58.2 → npm/brace-expansion@5.0.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/brace-expansion@5.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 5 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Configure here.}

[cursor]

Zscan workflow runs missing gradlew

High Severity

The zScan job runs ./gradlew build, but this repository has no Gradle wrapper or Android project. The step exits immediately on push and pull requests to main, so the workflow never reaches the scan or SARIF upload.

 

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Configure here.}

[cursor]

SonarCloud step skips checkout

High Severity

The SonarCloud job has only the SonarSource/sonarcloud-github-action step and never checks out the repository. The scanner runs without project sources, so analysis on main and pull requests cannot produce meaningful results.

 

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Configure here.}

[cursor]

Sonar keys left empty

Medium Severity

-Dsonar.projectKey= and -Dsonar.organization= are committed as empty strings. SonarCloud requires both values from the project settings, so the scanner rejects the run even when SONAR_TOKEN is set.

 

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Configure here.}

[cursor]

Root HTML missing assets

Medium Severity

The new root index.html links to styles.css and script.js, but neither file exists in the repository. Opening or serving that page leaves the to-do UI unstyled and without behavior.

 

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Configure here.}

[cursor]

Deno CI on Node docs

Medium Severity

The Deno workflow runs deno lint and deno test -A on every main push and PR, but the repo has no deno.json and is built with npm/Docusaurus. Deno lint applies its own rules across the tree and is likely to fail or conflict with existing ESLint CI.

 

^{Reviewed by Cursor Bugbot for commit 0f5c3d8. Configure here.}