diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml new file mode 100644 index 0000000..91f455c --- /dev/null +++ b/.github/workflows/Semgrep.yml @@ -0,0 +1,64 @@ +name: Semgrep Scan + +on: + pull_request: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + permissions: + pull-requests: write # Give write permission to PRs + issues: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install Semgrep and jq + run: | + sudo apt install python3-venv jq + python3 -m venv .venv + .venv/bin/pip install semgrep + + - name: Run Semgrep + run: | + source .venv/bin/activate + semgrep --config auto --severity ERROR --json-output=results.json --no-error + cat results.json | jq .results > pretty-results.json + + - name: Display Raw Semgrep JSON Output + run: | + echo "Displaying raw Semgrep results..." + cat pretty-results.json + + - name: Add comment on PR if findings are found + uses: actions/github-script@v6 + with: + script: | + // Ensure the context has a pull_request + if (context.payload.pull_request) { + const prNumber = context.payload.pull_request.number; + const fs = require('fs'); + const results = JSON.parse(fs.readFileSync('pretty-results.json', 'utf8')); + const highFindings = results.filter(result => result.extra && result.extra.severity === 'ERROR'); + + // Comment if findings exist + if (highFindings.length > 0) { + const comment = `**Semgrep Findings:** Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.`; + await github.rest.issues.createComment({ + ...context.repo, + issue_number: prNumber, + body: comment + }); + } else { + const noIssuesComment = "**Semgrep findings:** No issues found, Good to merge."; + await github.rest.issues.createComment({ + ...context.repo, + issue_number: prNumber, + body: noIssuesComment + }); + } + } else { + console.log("This workflow wasn't triggered by a pull request, so no comment will be added."); + }