From 33737f78e6c5f3196d3d5fe0c3b63153440e99a7 Mon Sep 17 00:00:00 2001
From: Shiva Sankar
Date: Mon, 10 Mar 2025 16:15:38 -0400
Subject: [PATCH] Add semgrep scan Semgrep scan for scanning docker related config
---
.github/workflows/semgrep.yml | 41 +++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 000000000..f7119d882
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,41 @@
+name: Semgrep - SAST Scan
+
+on:
+ pull_request_target:
+ types: [edited, opened, synchronize, ready_for_review]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ semgrep:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep:1.104.0
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Checkout semgrep-rules repo
+ uses: actions/checkout@v4
+ with:
+ repository: sourcegraph/security-semgrep-rules
+ token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
+ path: semgrep-rules
+
+ - name: Run Semgrep SAST Scan
+ run: |
+ mv semgrep-rules ../
+ semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "$(git merge-base main HEAD)" || true
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
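Review bot: The first checkout step pulls the pull request's head (`head.ref` from `head.repo.full_name`) into a job triggered by `pull_request_target`, so fork-controlled content shares a workspace with `secrets.GH_SEMGREP_SAST_TOKEN` and a token that has `security-events: write`. Both `actions/checkout@v4` steps leave `persist-credentials` at its default, which keeps their tokens in the checked-out repositories' git config. I would add `persist-credentials: false` under each `with:` and use `ref: ${{ github.event.pull_request.head.sha }}` so the scanned commit cannot change between the event and the checkout. Separately, the default shallow fetch probably leaves no local `main` for `git merge-base main HEAD`, and `--suppress-errors` together with `|| true` would hide that failure. Consider adding `fetch-depth: 0` (or an explicit fetch of the base branch) and dropping `|| true`.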