Add PSScriptAnalyzer and OpenGrep security workflows#1776
Conversation
Adds two new code scanning workflows to close gaps identified in the
open Scorecard SAST alert and the lack of PowerShell static analysis:
- psscriptanalyzer.yml (active): Runs PSScriptAnalyzer on push/PR to
main when PowerShell files (*.ps1, *.psm1, *.psd1, *.ps1xml) change,
on a weekly schedule, and on demand. CodeQL does not support
PowerShell, so this fills the gap for the module's core code under
powershell/, tools/, and build/.
- opengrep.yml (manual eval only): Runs OpenGrep (LGPL fork of
Semgrep CE) via workflow_dispatch with configurable rule packs and
version. Workflow is disabled from automatic triggers while we
evaluate signal vs. noise; switching to Semgrep is a one-line change
if needed (rule-compatible).
Both workflows follow existing repo conventions: SHA-pinned actions
with version comments, 'permissions: {}' default-deny with per-job
grants, and concurrency groups.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds two new GitHub code scanning workflows to expand static analysis coverage: PSScriptAnalyzer for PowerShell (auto-triggered with path filters + schedule) and OpenGrep as a manual-only evaluation workflow for broader SAST rulesets.
Changes:
- Introduces a PSScriptAnalyzer workflow that runs on PRs/pushes affecting PowerShell files, plus a weekly schedule, and uploads SARIF to Code Scanning.
- Introduces a manual `workflow_dispatch` OpenGrep workflow that installs OpenGrep, runs selected rule packs, and uploads SARIF results.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/psscriptanalyzer.yml | Adds a PowerShell-focused SARIF-producing scan on PR/push (path-filtered), schedule, and manual trigger. |
| .github/workflows/opengrep.yml | Adds a manual-only OpenGrep scan with configurable version/ruleset and SARIF upload to GitHub code scanning. |
Deploying maester with
| Latest commit: | e4e5f8c |
|---|---|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://5f0b7f1d.maester.pages.dev |
| Branch Preview URL: | https://samerde-scaling-meme.maester.pages.dev |
- psscriptanalyzer.yml: use POSIX path '.' (not '.\') since job runs on ubuntu-latest
- opengrep.yml: replace 'curl | bash' installer with pinned release binary download from GitHub Releases (better supply-chain integrity)
- opengrep.yml: use bash array for --config args (avoid word-splitting)
- opengrep.yml: replace '|| true' with continue-on-error + if: always() and hashFiles guard on SARIF upload
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Update opengrep_version description to reflect the pinned default rather than incorrectly suggesting that a blank value installs latest.
- Add opengrep_sha256 input and a built-in checksum for the default v1.21.0 release. The install step now verifies the downloaded binary with sha256sum before executing it, and refuses to install an overridden version unless the caller also supplies a matching SHA256.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
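The checksum policy that commit describes (built-in digest for the pinned default, caller-supplied digest required for any override, verify before install), written out as an added shell example that is not the PR's own workflow step; the default digest is a placeholder rather than the real v1.21.0 value, and the file under test is constructed locally instead of downloaded.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code. DEFAULT_SHA256 is a placeholder
# (not the real v1.21.0 digest); the "binary" is any local file you pass in.
set -eu

DEFAULT_VERSION="v1.21.0"
DEFAULT_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# sha256_of FILE: hex digest via sha256sum, with a shasum fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# resolve_checksum VERSION [SHA256]
# Prints the digest to enforce. A caller-supplied digest always wins; the
# built-in digest applies only to the pinned default version; any other
# version without a supplied digest is refused (exit 1) rather than trusted.
resolve_checksum() {
  local version="$1" supplied="${2:-}"
  if [ -n "$supplied" ]; then
    printf '%s\n' "$supplied"
  elif [ "$version" = "$DEFAULT_VERSION" ]; then
    printf '%s\n' "$DEFAULT_SHA256"
  else
    echo "refusing to install $version: opengrep_sha256 not supplied" >&2
    return 1
  fi
}

# verify_and_install FILE EXPECTED_SHA256 DEST
# Compares the digest of the downloaded file with the expected one and only
# then installs it executable; on mismatch nothing is written to DEST.
verify_and_install() {
  local file="$1" expected="$2" dest="$3" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  install -m 0755 "$file" "$dest"
}
# In the workflow this would follow the release download, e.g.:
#   expected="$(resolve_checksum "$OPENGREP_VERSION" "$OPENGREP_SHA256")"
#   verify_and_install ./opengrep "$expected" "$HOME/.local/bin/opengrep"
```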
Summary
Adds two new code scanning workflows to address gaps in static analysis coverage identified during a review of open code scanning alerts.
| Workflow | Triggers |
|---|---|
| .github/workflows/psscriptanalyzer.yml | push/PR to main (PowerShell paths only), weekly schedule, manual |
| .github/workflows/opengrep.yml | workflow_dispatch only |
Why PSScriptAnalyzer
CodeQL does not support PowerShell, so the existing `codeql.yml` (which scans `actions` + `javascript-typescript`) leaves the bulk of the project — the PowerShell module under `powershell/`, plus build/tooling scripts under `build/` and `tools/` — without static analysis. PSScriptAnalyzer is Microsoft's official open-source PowerShell linter and supports SARIF output for native GitHub code scanning integration.
Path-filtered triggers: the workflow only runs on push/PR to `main` when files matching `**/*.ps1`, `**/*.psm1`, `**/*.psd1`, or `**/*.ps1xml` change (or the workflow itself), keeping CI noise low. The recursive scan from the repo root naturally covers `powershell/`, `tools/`, `build/`, and any future PowerShell anywhere in the repo, since PSScriptAnalyzer ignores non-PowerShell files automatically.
Why OpenGrep (and why manual-only)
OpenGrep is an LGPL 2.1 fork of Semgrep CE, created in early 2025 and backed by a consortium of 10+ AppSec vendors (Aikido, Endor Labs, Orca, Mobb, Jit, Phoenix, etc.) after Semgrep moved key engine features behind a commercial license. It is rule-compatible with Semgrep — the same `p/security-audit`, `p/javascript`, `p/typescript`, and `p/github-actions` rule packs run unchanged — so swapping back to Semgrep later is a one-line change if needed.
For an open-source security project like Maester, OpenGrep's purely-open-source mission is a closer philosophical fit. The workflow is gated to `workflow_dispatch` only so we can evaluate signal-to-noise before committing to automatic runs on every PR. Inputs let you pick the OpenGrep version and rule set per run.
Conventions
Both workflows follow existing repo patterns:
- SHA-pinned actions with `# vX.Y.Z` comments
- `permissions: {}` default-deny at workflow level, with minimal per-job grants
- Concurrency groups with `cancel-in-progress` on PRs (PSScriptAnalyzer)
- `github/codeql-action/upload-sarif@<sha>` action already used by `scorecard.yml`
Related alerts
Helps address Scorecard SAST coverage signals and reduces the PowerShell static-analysis blind spot that has not been previously visible in code scanning.
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com