From 381425726f1f4223783999db41ffb3b3cff5d66a Mon Sep 17 00:00:00 2001
From: Revanthathreya <143704329+Revanthathreya@users.noreply.github.com>
Date: Mon, 24 Feb 2025 14:25:36 +0530
Subject: [PATCH 1/2] SC-5147:Create Semgrep.yml
---
.github/workflows/Semgrep.yml | 64 +++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 .github/workflows/Semgrep.yml
diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
new file mode 100644
index 0000000..019095a
--- /dev/null
+++ b/.github/workflows/Semgrep.yml
@@ -0,0 +1,64 @@
+name: Semgrep Scan
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write # Give write permission to PRs
+ issues: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Install Semgrep and jq
+ run: |
+ sudo apt install python3-venv jq
+ python3 -m venv .venv
+ .venv/bin/pip install semgrep
+
+ - name: Run Semgrep
+ run: |
+ source .venv/bin/activate
+ semgrep --config auto --severity ERROR --json-output=results.json --no-error
+ cat results.json | jq .results > pretty-results.json
+
+ - name: Display Raw Semgrep JSON Output
+ run: |
+ echo "Displaying raw Semgrep results..."
+ cat pretty-results.json
+
+ - name: Add comment on PR if findings are found
+ uses: actions/github-script@v6
+ with:
+ script: |
+ // Ensure the context has a pull_request
+ if (context.payload.pull_request) {
+ const prNumber = context.payload.pull_request.number;
+ const fs = require('fs');
+ const results = JSON.parse(fs.readFileSync('pretty-results.json', 'utf8'));
+ const highFindings = results.filter(result => result.extra && result.extra.severity === 'ERROR');
+
+ // Comment if findings exist
+ if (highFindings.length > 0) {
+ const comment = `**Semgrep Findings:** Issues with Error level severity are found (Error is Highest severity in Semgrep), Please resolve the issues before merging.`;
+ await github.rest.issues.createComment({
+ ...context.repo,
+ issue_number: prNumber,
+ body: comment
+ });
+ } else {
+ const noIssuesComment = "**Semgrep findings:** No issues found, Good to merge.";
+ await github.rest.issues.createComment({
+ ...context.repo,
+ issue_number: prNumber,
+ body: noIssuesComment
+ });
+ }
+ } else {
+ console.log("This workflow wasn't triggered by a pull request, so no comment will be added.");
+ }
From 91c76800d8b817e7d4e8f82ca31490979559f284 Mon Sep 17 00:00:00 2001
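Review bot: This job can never fail the pull request — `semgrep ... --no-error` forces a zero exit status and the github-script step only posts a comment — so the "Please resolve the issues before merging" text in the `highFindings.length > 0` branch is advisory and nothing actually blocks a merge with ERROR-level findings; add `core.setFailed(\`Semgrep reported ${highFindings.length} ERROR-level finding(s)\`);` after the `createComment` call in that branch (and make the job a required status check), or drop `--no-error`. The third-party code that runs with a `pull-requests: write` token is not pinned: `actions/checkout@v3` and `actions/github-script@v6` are mutable tags and `.venv/bin/pip install semgrep` installs whatever version PyPI serves that day, so pin the actions to full commit SHAs and install a fixed `semgrep==X.Y.Z`. `--config auto` fetches the ruleset from the Semgrep registry at run time and, as far as I recall, enables metrics reporting for registry-backed configs — confirm that is acceptable for this repository or point `--config` at a vendored ruleset. Because a `permissions:` block is declared, every unlisted scope becomes `none`; add `contents: read` explicitly so the checkout step does not rely on defaults, and note that on `pull_request` events from forks the token is read-only, so `createComment` will presumably throw and fail the step rather than comment.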
From: Revanthathreya <143704329+Revanthathreya@users.noreply.github.com>
Date: Mon, 24 Feb 2025 14:36:16 +0530
Subject: [PATCH 2/2] SC-5147:Update Semgrep.yml
---
.github/workflows/Semgrep.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
index 019095a..91f455c 100644
--- a/.github/workflows/Semgrep.yml
+++ b/.github/workflows/Semgrep.yml
@@ -2,7 +2,7 @@ name: Semgrep Scan on: pull_request: - branches: + branches: - main jobs: