diff --git a/static-analysis/semgrep/README.md b/static-analysis/semgrep/README.md
index dc4472d..7050bc5 100644
--- a/static-analysis/semgrep/README.md
+++ b/static-analysis/semgrep/README.md
@@ -20,7 +20,7 @@ Github Action that scans code changes being made and posts security findings in
 # Default: true
 semgrep-app-token:
- # SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
+ # SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard
 #
 # Required: true
 # Default: ""
diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/semgrep/action.yaml
index 0e5965e..4b77836 100644
--- a/static-analysis/semgrep/action.yaml
+++ b/static-analysis/semgrep/action.yaml
@@ -7,21 +7,37 @@ inputs:
 default: "true"
 semgrep-app-token:
 required: true
- description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
+ description: SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard
+
 runs:
 using: composite
 steps:
 - name: Checkout
- if: ${{inputs.checkout-repo == 'true'}}
+ if: ${{ inputs.checkout-repo == 'true' }}
 uses: actions/checkout@v4
- - run: echo "pausing checks"
+ with:
+ fetch-depth: 2
+
+ - name: Fetch Baseline Branch
+ run: |
+ set -e # Fail on any errors
+ BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}")
+ echo "Fetching base branch: $BASE_BRANCH"
+ git fetch origin $BASE_BRANCH:$BASE_BRANCH
+ echo "Base branch $BASE_BRANCH fetched successfully."
+ shell: bash
+
+ - name: Run Semgrep
+ run: |
+ BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}")
+ echo "Running Semgrep with baseline branch: $BASE_BRANCH"
+ docker run --rm -v "${PWD}:/src" \
+ -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
+ -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
+ -e SEMGREP_BRANCH=${GITHUB_REF} \
+ -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
+ -e SEMGREP_PR_ID=${{ github.event.pull_request.number }} \
+ -e SEMGREP_BASELINE_REF=refs/heads/$BASE_BRANCH \
+ semgrep/semgrep:latest-nonroot \
+ semgrep ci
 shell: bash
-# docker run --rm -v "${PWD}:/src" \
-# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
-# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
-# -e SEMGREP_BRANCH=${GITHUB_REF} \
-# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
-# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
-# returntocorp/semgrep:latest-nonroot \
-# semgrep ci
-# shell: bash
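Review bot: In the Run Semgrep step the app token and the PR fields are spliced into the shell script text by `${{ }}` expression substitution instead of being passed through the process environment, so whatever those values contain is interpreted by bash before `docker run` sees it; declare them under the step's `env:` and let `docker run -e NAME` forward them, and quote the remaining `${GITHUB_REPOSITORY}`/`${GITHUB_REF}`/`${BASE_BRANCH}` expansions, as in the excerpt below. The same step runs `semgrep/semgrep:latest-nonroot`, a floating tag, so the scanner producing the findings can change between runs without any change to this repository; pin it to a version plus `@sha256:` digest (the Checkout step's `actions/checkout@v4` tag has the same property and is best pinned to a commit SHA). In Fetch Baseline Branch, `git fetch origin $BASE_BRANCH:$BASE_BRANCH` is unquoted and, for non-PR events where the `"main"` default is also the checked-out branch, git refuses to fetch into the current branch, so the step would fail exactly when the fallback is used; quoting it and fetching into `refs/remotes/origin/${BASE_BRANCH}` (with `SEMGREP_BASELINE_REF` pointed there) avoids both. The `set -e # Fail on any errors` line is redundant, since a composite step with `shell: bash` already runs under `-eo pipefail`, and `BASE_BRANCH` is computed twice where a single step output or `$GITHUB_ENV` export would do. Whether `fetch-depth: 2` leaves the merge-base with the baseline reachable for `semgrep ci` is not visible in this hunk and is worth confirming.
```yaml
    - name: Run Semgrep
      env:
        SEMGREP_APP_TOKEN: ${{ inputs.semgrep-app-token }}
        SEMGREP_COMMIT: ${{ github.event.pull_request.head.sha }}
        SEMGREP_PR_ID: ${{ github.event.pull_request.number }}
      run: |
        BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}")
        echo "Running Semgrep with baseline branch: ${BASE_BRANCH}"
        docker run --rm -v "${PWD}:/src" \
          -e SEMGREP_APP_TOKEN \
          -e SEMGREP_REPO_NAME="${GITHUB_REPOSITORY}" \
          -e SEMGREP_BRANCH="${GITHUB_REF}" \
          -e SEMGREP_COMMIT \
          -e SEMGREP_PR_ID \
          -e SEMGREP_BASELINE_REF="refs/heads/${BASE_BRANCH}" \
          semgrep/semgrep:<PINNED_VERSION>@sha256:<IMAGE_DIGEST> \
          semgrep ci
      shell: bash
```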