diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ad9a707..bf568a5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -21,6 +21,6 @@ jobs: - uses: open-turo/actions-gha/test@v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} - - uses: ./static-analysis/semgrep + - uses: ./static-analysis/ with: semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/README.md b/README.md index a19e67e..321f4ea 100644 --- a/README.md +++ b/README.md @@ -28,13 +28,13 @@ See usage [here](./docker-build/README.md#usage). Documentation is found [here](./docker-build/README.md). -### action: [`static-analysis/semgrep`](./static-analysis/semgrep) +### action: [`static-analysis`](./static-analysis/) Scan code changes for security vulnerabilities -See usage [here](./static-analysis/semgrep/README.md#usage). +See usage [here](./static-analysis/README.md#usage). -Documentation is found [here](./static-analysis/semgrep/README.md). +Documentation is found [here](./static-analysis/README.md). ## Get Help diff --git a/docs/breaking-changes/v3.md b/docs/breaking-changes/v3.md new file mode 100644 index 0000000..cd35f87 --- /dev/null +++ b/docs/breaking-changes/v3.md @@ -0,0 +1,82 @@ +# Breaking Changes for v3 + +## Introduction + +The v3 version of the open-turo/actions-security repository introduces a significant refactoring of the Semgrep configuration path. These changes are designed to enhance maintainability and consistency across consuming repositories. However, this update may require action from repositories using older configurations to prevent workflow disruptions. + +## Breaking Change Details + +### 1. Refactored Path for security-scan.yaml + +- _What Changed_: + + - The action.yaml file for Semgrep has been moved from: + + open-turo/actions-security/static-analysis/semgrep@v1 + + _to:_ + + open-turo/actions-security/static-analysis@v3 + +- _Impact_: + - Any workflow file referencing the old path (static-analysis/semgrep@v1) will fail to locate the action and result in pipeline failures. + +## Migration Instructions + +### Step 1: Update Workflow Files + +1. Locate all GitHub Actions workflow files in your repository referencing static-analysis/semgrep. +2. Update the uses field to point to the new path: + ```yaml + - uses: open-turo/actions-security/static-analysis@v3 + ``` + +### Step 2: Validate Workflow + +1. After updating the workflow, run the GitHub Actions pipeline to ensure it works as expected. +2. Monitor the pipeline logs for any issues related to the Semgrep action. + +--- + +## Troubleshooting + +### Common Errors + +- _Error_: Failed to locate action: open-turo/actions-security/static-analysis/semgrep@v1 + + - _Solution_: Update the uses field to open-turo/actions-security/static-analysis@v2. + +- _Error_: Workflow file is invalid: Unexpected value 'semgrep-app-token' + - _Solution_: Ensure the required secrets are configured correctly in your repository: + - Add SEMGREP*APP_TOKEN under \_Settings > Secrets and variables > Actions*. + +--- + +### Debugging Tips + +- Verify that your workflow file points to static-analysis@v3. +- Ensure that your repository has the latest version of the open-turo/actions-security action. + +--- + +## Example Workflow File + +Below is an example of an updated GitHub Action workflow file using v3: + +```yaml +name: Security scan +on: + pull_request: {} + workflow_dispatch: {} + push: + branches: [main] +jobs: + code-scan: + name: Security scan + runs-on: [self-hosted, general-ubuntu] + steps: + - uses: actions/checkout@v4 + - uses: open-turo/actions-security/static-analysis@v3 + with: + semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }} +``` diff --git a/static-analysis/semgrep/README.md b/static-analysis/README.md similarity index 100% rename from static-analysis/semgrep/README.md rename to static-analysis/README.md diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/action.yaml similarity index 55% rename from static-analysis/semgrep/action.yaml rename to static-analysis/action.yaml index 0e5965e..46b49d3 100644 --- a/static-analysis/semgrep/action.yaml +++ b/static-analysis/action.yaml @@ -14,14 +14,13 @@ runs: - name: Checkout if: ${{inputs.checkout-repo == 'true'}} uses: actions/checkout@v4 - - run: echo "pausing checks" + - run: | + docker run --rm -v "${PWD}:/src" \ + -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \ + -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \ + -e SEMGREP_BRANCH=${GITHUB_REF} \ + -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \ + -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \ + returntocorp/semgrep:latest-nonroot \ + semgrep ci shell: bash -# docker run --rm -v "${PWD}:/src" \ -# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \ -# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \ -# -e SEMGREP_BRANCH=${GITHUB_REF} \ -# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \ -# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \ -# returntocorp/semgrep:latest-nonroot \ -# semgrep ci -# shell: bash