feat(static-analysis): semgrep check unpausing
fix(static-analysis): fixing the failed checks

fix(static-analysis): fixing the failed checks regarding gh token

fix(static-analysis): fixing the failed checks

fix(static-analysis): fixing the failed checks

fix(static-analysis): fixing the failed checkp

fix(static-analysis): fixing the failed checkp format

fix(static-analysis): testing fix as suggested by semgrep team

fix(static-analysis): testing fix as suggested by semgrep team adding fetch depth

fix(static-analysis): testing fix as suggested by semgrep team adding fetch depth

fix(static-analysis): testing fix as suggested by semgrep team adding fetch depth

fix(static-analysis): adding fix suggested by semgrep support team
pkanoongo committed Dec 17, 2024
1 parent e47ac62 commit b5e1c10
Showing 2 changed files with 29 additions and 13 deletions.
2 changes: 1 addition & 1 deletion static-analysis/semgrep/README.md
Expand Up @@ -20,7 +20,7 @@ Github Action that scans code changes being made and posts security findings in
# Default: true

semgrep-app-token:
# SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
# SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard
#
# Required: true
# Default: ""
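Review bot: the reworded `semgrep-app-token` comment still does not say that this input is a secret; since the action passes it straight into the Semgrep container, the README should tell callers to supply it from a repository or organization secret (for example `semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}`) rather than a literal, and note that it must never be echoed in step logs. Adding one sentence under `# Required: true` would cover it.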
40 changes: 28 additions & 12 deletions static-analysis/semgrep/action.yaml
Expand Up @@ -7,21 +7,37 @@ inputs:
default: "true"
semgrep-app-token:
required: true
description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
description: SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard

runs:
using: composite
steps:
- name: Checkout
if: ${{inputs.checkout-repo == 'true'}}
if: ${{ inputs.checkout-repo == 'true' }}
uses: actions/checkout@v4
- run: echo "pausing checks"
with:
fetch-depth: 2

- name: Fetch Baseline Branch
run: |
set -e # Fail on any errors
BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}")
echo "Fetching base branch: $BASE_BRANCH"
git fetch origin $BASE_BRANCH:$BASE_BRANCH
echo "Base branch $BASE_BRANCH fetched successfully."
shell: bash

- name: Run Semgrep
run: |
BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}")
echo "Running Semgrep with baseline branch: $BASE_BRANCH"
docker run --rm -v "${PWD}:/src" \
-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
-e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
-e SEMGREP_BRANCH=${GITHUB_REF} \
-e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
-e SEMGREP_PR_ID=${{ github.event.pull_request.number }} \
-e SEMGREP_BASELINE_REF=refs/heads/$BASE_BRANCH \
semgrep/semgrep:latest-nonroot \
semgrep ci
shell: bash
# docker run --rm -v "${PWD}:/src" \
# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
# -e SEMGREP_BRANCH=${GITHUB_REF} \
# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
# returntocorp/semgrep:latest-nonroot \
# semgrep ci
# shell: bash
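Review bot: in the new "Run Semgrep" step the token is spliced into the shell script via `-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }}`, so the secret becomes part of the rendered command text, and because it is unquoted any whitespace or shell metacharacters in the input would change the command; the safer pattern is to expose it with an `env:` block on the step (e.g. `env: { SEMGREP_APP_TOKEN: "${{ inputs.semgrep-app-token }}" }`) and reference `-e SEMGREP_APP_TOKEN` without a value so Docker reads it from the environment. The same applies to `${{ github.event.pull_request.head.sha }}` and `${{ github.event.pull_request.number }}`. Two smaller points: `BASE_BRANCH` falls back to `"main"` when the event is not a pull request, so the "Fetch Baseline Branch" step will fail on repositories whose default branch has another name, and `git fetch origin $BASE_BRANCH:$BASE_BRANCH` should quote the variable; and `semgrep/semgrep:latest-nonroot` is an unpinned tag, so consider pinning a version or digest so the scanner the CI runs is reproducible. The `set -e` in the fetch step is redundant with `shell: bash`, which GitHub already runs with `-eo pipefail`, but harmless.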
