-
Notifications
You must be signed in to change notification settings - Fork 15
179 lines (161 loc) · 5.03 KB
/
semgrep.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
#
# Author: Hari Sekhon
# Date: Wed Jan 19 19:11:31 2022 +0000
#
# vim:ts=2:sts=2:sw=2:et
#
# https://github.com/HariSekhon/GitHub-Actions
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# S e m g r e p W o r k f l o w
# ============================================================================ #
# Generates code scanning alerts in GitHub's Security tab -> Code scanning alerts
# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions
---
name: Semgrep
on:
push:
branches:
- master
- main
ignore-paths:
- '**/README.md'
pull_request:
branches:
- master
- main
ignore-paths:
- '**/README.md'
workflow_call:
inputs:
# # https://semgrep.dev/explore
# # https://semgrep.dev/r # full rule list
# config:
# type: string
# required: false
# default: |
# p/r2c-ci
# p/r2c-best-practices
# p/docker-compose
# p/dockerfile
# p/kubernetes
# p/nginx
# p/terraform
# p/python
# p/golang
# #p/kotlin
# #p/insecure-transport
# #p/jwt
# #p/xss
# #p/django
# #p/scala
# #p/ruby
# #p/javascript
# #p/flask
# #p/react
# #p/nodejsscan
# #p/eslint-plugin-security
# #p/phpcs-security-audit
debug:
type: string
required: false
default: false
workflow_dispatch:
inputs:
#config:
# type: string
# required: false
debug:
type: boolean
required: false
default: false
schedule:
- cron: '0 0 * * 1'
permissions:
actions: read
contents: read
security-events: write
defaults:
run:
shell: bash -euxo pipefail {0}
env:
DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }}
jobs:
semgrep:
name: Semgrep Scan, GitHub security report
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
# Skip any PR created by dependabot to avoid permission issues
if: github.actor != 'dependabot[bot]'
# github.event.repository.fork isn't available in scheduled workflows
# can't prevent forks of this repo, because also prevents caller workflows
steps:
- name: Environment
run: env | sort
# ubuntu-latest already has this installed and a newer version
#- name: Install Git
# run: sudo apt-get update && sudo apt-get install -y git --no-install-recommends
- name: Git version
run: git --version
- uses: actions/checkout@v3
with:
submodules: recursive # requires Git 2.18+ to be installed first
# XXX: workaround for: https://github.com/returntocorp/semgrep/issues/5316
- name: configure .semgrepignore
run: |
if ! [ -f .semgrepignore ]; then
wget -O .semgrepignore https://raw.githubusercontent.com/returntocorp/semgrep/develop/cli/src/semgrep/templates/.semgrepignore
fi
echo semgrep.sarif >> .semgrepignore
# Removed
#- uses: returntocorp/semgrep-action@v1
# with:
# config: >- # more at semgrep.dev/explore
# ${{ inputs.config }}
# ${{ github.event.inputs.config }}
#
# p/security-audit
# p/secrets
# p/semgrep-misconfigurations
# p/semgrep-rule-lints
# p/github-actions
# p/ci
# p/owasp-top-ten
# p/command-injection
# p/sql-injection
#
# # == Optional settings in the `with:` block
#
# # Instead of `config:`, use rules set in Semgrep App.
# # Get your token from semgrep.dev/manage/settings.
# # publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
#
# # XXX: both of these are not obsolete cause breakage
# #
# # Never fail the build due to findings on pushes.
# # Instead, just collect findings for semgrep.dev/manage/findings
# #auditOn: push
# #auditOn: push workflow_dispatch cron
# generateSarif: "1"
#
# # Change job timeout (default is 1800 seconds; set to 0 to disable)
# #env:
# #SEMGREP_AGENT_DEBUG: 1
# #SEMGREP_TIMEOUT: 300
- run: semgrep ci --config auto --sarif > semgrep.sarif
env:
# Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
# Generate a token from Semgrep Cloud Platform > Settings
# and add it to your GitHub secrets.
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# Upload findings to GitHub Advanced Security Dashboard [step 2/2]
- name: Upload SARIF file for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
if: always()