From 0470b321d8208155cc78e7ee92dfe1d21e7066ba Mon Sep 17 00:00:00 2001
From: Prathamesh Chitodkar
Date: Wed, 27 Sep 2023 18:05:04 +0000
Subject: [PATCH] refactor: move static code analyis action and add env vars to refactor results in semgrep ui
---
 static-analysis/action.yaml | 51 +++++++++++++++--------------
 static-analysis/semgrep/action.yaml | 27 +++++++++++++++
 2 files changed, 54 insertions(+), 24 deletions(-)
diff --git a/static-analysis/action.yaml b/static-analysis/action.yaml
index 199084e..16255df 100644
--- a/static-analysis/action.yaml
+++ b/static-analysis/action.yaml
@@ -1,24 +1,27 @@
-name: Run static code analysis
-description: Github Action that scans code changes being made and posts security findings in form of comments on pull requests
-inputs:
- checkout-repo:
- description: Perform checkout as first step
- required: false
- default: "true"
- semgrep-app-token:
- required: true
- description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
-runs:
- using: composite
- steps:
- - name: Checkout
- if: ${{inputs.checkout-repo == 'true'}}
- uses: actions/checkout@v3
- - name: Run semgrep
- run: |
- docker run --rm -v "${PWD}:/src" \
- -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
- -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
- returntocorp/semgrep:latest-nonroot \
- semgrep ci
- shell: bash
+#name: Run static code analysis
+#description: Github Action that scans code changes being made and posts security findings in form of comments on pull requests
+#inputs:
+# checkout-repo:
+# description: Perform checkout as first step
+# required: false
+# default: "true"
+# semgrep-app-token:
+# required: true
+# description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
+#runs:
+# using: composite
+# steps:
+# - name: Checkout
+# if: ${{inputs.checkout-repo == 'true'}}
+# uses: actions/checkout@v3
+# - name: Run semgrep
+# run: |
+# docker run --rm -v "${PWD}:/src" \
+# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
+# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
+# -e SEMGREP_BRANCH=${GITHUB_REF} \
+# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
+# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
+# returntocorp/semgrep:latest-nonroot \
+# semgrep ci
+# shell: bash
diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/semgrep/action.yaml
index aae0b50..c2e015e 100644
--- a/static-analysis/semgrep/action.yaml
+++ b/static-analysis/semgrep/action.yaml
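Review bot: Commenting out every line of `static-analysis/action.yaml` leaves an action file with no `name:` or `runs:` key, so any workflow that still points `uses:` at the old `static-analysis` path will presumably fail at resolution time with no hint that the action moved to `static-analysis/semgrep`. Deleting the file, or leaving a single comment such as `# moved to static-analysis/semgrep/action.yaml`, states the intent more clearly than a full commented-out copy. The commented copy also already carries the three new `-e SEMGREP_*` lines, so it is a second copy that will have to be kept in sync rather than a record of the previous state.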
@@ -1,3 +1,30 @@
+name: Run static code analysis
+description: Github Action that scans code changes being made and posts security findings in form of comments on pull requests
+inputs:
+ checkout-repo:
+ description: Perform checkout as first step
+ required: false
+ default: "true"
+ semgrep-app-token:
+ required: true
+ description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
+runs:
+ using: composite
+ steps:
+ - name: Checkout
+ if: ${{inputs.checkout-repo == 'true'}}
+ uses: actions/checkout@v3
+ - name: Run semgrep
+ run: |
+ docker run --rm -v "${PWD}:/src" \
+ -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
+ -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
+ -e SEMGREP_BRANCH=${GITHUB_REF} \
+ -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
+ -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
+ returntocorp/semgrep:latest-nonroot \
+ semgrep ci
+ shell: bash
 #name: Build semgrep container
 #description: GitHub Action that builds semgrep container using returntocorp/semgrep image and passses semgrep command as args
 #inputs:
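Review bot: `${{ inputs.semgrep-app-token }}` and the two `github.event.pull_request.*` expressions in the "Run semgrep" step are expanded into the `run:` script text before bash sees it, so the token is written into the command line itself rather than read from the environment, and the step follows the expression-in-`run:` pattern GitHub advises against; binding them in a step-level `env:` and letting `docker run -e NAME` forward the variables keeps the value out of the script and the process arguments. `returntocorp/semgrep:latest-nonroot` is a floating tag, so the scanner and its bundled rules can change under every run; pinning the image by digest (and `actions/checkout` by commit SHA) makes the scan reproducible. Separately, on `pull_request` events `GITHUB_REF` is `refs/pull/<n>/merge` rather than the head branch, so if the Semgrep UI expects a branch name for `SEMGREP_BRANCH`, `GITHUB_HEAD_REF` may be the intended value — worth confirming against the Semgrep docs.
```yaml
  - name: Run semgrep
    env:
      SEMGREP_APP_TOKEN: ${{ inputs.semgrep-app-token }}
      SEMGREP_COMMIT: ${{ github.event.pull_request.head.sha }}
      SEMGREP_PR_ID: ${{ github.event.pull_request.number }}
    run: |
      docker run --rm -v "${PWD}:/src" \
        -e SEMGREP_APP_TOKEN \
        -e SEMGREP_REPO_NAME="${GITHUB_REPOSITORY}" \
        -e SEMGREP_BRANCH="${GITHUB_REF}" \
        -e SEMGREP_COMMIT \
        -e SEMGREP_PR_ID \
        returntocorp/semgrep:latest-nonroot \
        semgrep ci
    shell: bash
```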