From c3b8ab5401b67b0634e9e621cfe6c9fee6918901 Mon Sep 17 00:00:00 2001
From: Garret Patten
Date: Sat, 2 Aug 2025 10:17:46 -0400
Subject: [PATCH 1/3] Try to implement opengrep diff aware scan instead of Semgrep scan

---
 .github/workflows/opengrep-scan.yaml | 30 ++++++++++++++++++++++++++++
 .github/workflows/semgrep-scan.yaml  | 19 ------------------
 2 files changed, 30 insertions(+), 19 deletions(-)
 create mode 100644 .github/workflows/opengrep-scan.yaml
 delete mode 100644 .github/workflows/semgrep-scan.yaml

diff --git a/.github/workflows/opengrep-scan.yaml b/.github/workflows/opengrep-scan.yaml
new file mode 100644
index 0000000..5a5ae34
--- /dev/null
+++ b/.github/workflows/opengrep-scan.yaml
@@ -0,0 +1,30 @@
+name: Opengrep Scan
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  opengrep-scan:
+    name: "Opengrep Scan"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout Code"
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+
+      - name: "Install Opengrep"
+        run: |
+          curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: "Run Opengrep Scan"
+        run: |
+          git fetch origin main
+          opengrep diff \
+            --base origin/main \
+            --rules https://github.com/opengrep/opengrep-rules \
+            --format github
diff --git a/.github/workflows/semgrep-scan.yaml b/.github/workflows/semgrep-scan.yaml
deleted file mode 100644
index 39817d2..0000000
--- a/.github/workflows/semgrep-scan.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: Semgrep Scan
-
-permissions:
-  contents: read
-
-on: pull_request
-
-jobs:
-  semgrep-scan:
-    name: semgrep-scan
-    runs-on: ubuntu-latest
-    container:
-      image: returntocorp/semgrep
-
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
-
-      - run: semgrep ci --config=auto

From 2ae3d6788b126ae57e36e45cd46f6a5ca64db1aa Mon Sep 17 00:00:00 2001
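Review bot: The install step in the new opengrep-scan.yaml pipes an unpinned script from the upstream `main` branch straight into bash, so the binary this security gate trusts changes with every upstream push and can neither be reproduced nor audited — exactly the supply-chain exposure the scan is meant to catch. Pin the installer to a release and verify it before running it: `curl -fsSL -o install.sh https://raw.githubusercontent.com/opengrep/opengrep/<release-tag>/install.sh`, `echo "<sha256>  install.sh" | sha256sum -c`, `bash install.sh` (or fetch the release binary directly and check its checksum). `--rules https://github.com/opengrep/opengrep-rules` floats the same way on that repository's default branch; pin it to a commit so rule changes arrive through a reviewed bump rather than silently. Quoting `"$GITHUB_PATH"` on the echo line is a small hardening while you are there.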
From: Garret Patten
Date: Sat, 2 Aug 2025 10:21:01 -0400
Subject: [PATCH 2/3] chore:

---
 .github/workflows/opengrep-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/opengrep-scan.yaml b/.github/workflows/opengrep-scan.yaml
index 5a5ae34..a683cf0 100644
--- a/.github/workflows/opengrep-scan.yaml
+++ b/.github/workflows/opengrep-scan.yaml
@@ -19,7 +19,7 @@ jobs:
       - name: "Install Opengrep"
         run: |
           curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
+          echo "/home/runner/.opengrep/cli/latest" >> $GITHUB_PATH
 
       - name: "Run Opengrep Scan"
         run: |

From 5b67393a56206de7910e4965342120897729710b Mon Sep 17 00:00:00 2001
From: Garret Patten
Date: Sat, 2 Aug 2025 10:24:24 -0400
Subject: [PATCH 3/3] Try diff aware scan

---
 .github/workflows/opengrep-scan.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/opengrep-scan.yaml b/.github/workflows/opengrep-scan.yaml
index a683cf0..9a03034 100644
--- a/.github/workflows/opengrep-scan.yaml
+++ b/.github/workflows/opengrep-scan.yaml
@@ -23,8 +23,7 @@ jobs:
 
       - name: "Run Opengrep Scan"
         run: |
-          git fetch origin main
-          opengrep diff \
-            --base origin/main \
-            --rules https://github.com/opengrep/opengrep-rules \
-            --format github
+          opengrep scan \
+            -f opengrep-rules \
+        env:
+          SEMGREP_BASELINE_REF: ${{ github.event.repository.default_branch }}
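Review bot: The replacement line hard-codes `/home/runner/.opengrep/cli/latest`, which bakes both the hosted runner's home directory and an installer-internal layout into the workflow; on a self-hosted runner, or once the installer relocates the CLI, the PATH entry is silently wrong and the failure only surfaces in the next step as `opengrep: command not found`. Derive the path from `$HOME` and fail in the install step instead: `echo "$HOME/.opengrep/cli/latest" >> "$GITHUB_PATH"` followed by `test -x "$HOME/.opengrep/cli/latest/opengrep"` (that directory is presumably where install.sh places the CLI — confirm against the installer before relying on it).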
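Review bot: `SEMGREP_BASELINE_REF` is set to the bare default-branch name (`main` or similar), but this commit also removes the `git fetch origin main` that brought that history into the clone, and the checkout step earlier in the file (outside this hunk) uses actions/checkout's default depth-1 clone, so on a pull_request run the baseline ref either fails to resolve or shares no merge-base with HEAD and the scan is not actually diff-aware — check a run log for how opengrep reports an unresolvable baseline. Add `fetch-depth: 0` under a `with:` on the checkout step and point the baseline at the remote-tracking ref, `SEMGREP_BASELINE_REF: origin/${{ github.event.repository.default_branch }}`; on pull_request events `${{ github.event.pull_request.base.sha }}` is the more precise base. The added `-f opengrep-rules \` also leaves the script ending in a dangling line continuation and names a local path that no step checks out (the previous revision fetched the rules by URL), so unless the repository vendors that directory there are no rules to scan with; drop the backslash and restore a pinned rules source, e.g. a checkout of opengrep/opengrep-rules at a fixed commit.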