fix: resume semgrep checks by using running image as non-root user
refactor: passing image name

feat: use latest semgrep image that runs as nonroot user to unpause checks

fix: remove explicit user attribute

fix: build semgrep container as part of same action

fix: use shell option within run

refactor: move static code analysis action and add env vars to refactor results in semgrep ui

refactor: merge action into one step

refactor(static-analysis): move semgrep action into static-analysis

refactor: refactor static-analysis action and update readme
prathamesh16c committed Jan 31, 2024
1 parent 2d17921 commit c843426
Showing 3 changed files with 17 additions and 30 deletions.
8 changes: 4 additions & 4 deletions static-analysis/README.md
@@ -1,4 +1,4 @@
# GitHub Action Static Analysis Preview
# GitHub Action Static Security Scan Analysis

## Description

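Review bot: the new title `Static Security Scan Analysis` reads as a doubled noun ("Scan Analysis"); `Static Security Analysis` or `Static Security Scan` says the same thing and matches the `Security scan` job name used further down in the same README.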
Expand All @@ -16,7 +16,7 @@ Step 3: Add a [Workflow File](https://help.github.com/en/articles/workflow-synta

```yaml
# Name of this GitHub Actions workflow.
name: Static code analysis using Semgrep
name: Static code analysis

on:
# Scan changed files in PRs (diff-aware scanning):
Expand All @@ -34,7 +34,7 @@ on:
jobs:
static-code-anaylsis:
# User definable name of this GitHub Actions job.
name: Static code analysis using Semgrep
name: Security scan
steps:
# Fetch project source with GitHub Actions Checkout.
- uses: actions/checkout@v3
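Review bot: the job id `static-code-anaylsis:` (the unchanged context line just above the renamed `name:`) is misspelled; since the job's `name:` is being changed here anyway, fix the key to `static-code-analysis:` in the same hunk rather than leaving a typo in the documented job id that users will copy into their workflows.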
Expand All @@ -60,4 +60,4 @@ N/A

## Notes

N/A
- By default, this action will perform actions/checkout as its first step.
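Review bot: the new note says checkout runs by default, but the action only runs it when `checkout-repo` is `'true'` (the step is guarded by `if: ${{inputs.checkout-repo == 'true'}}` in action.yaml), so the README should name that input, state its default, and show how to set it to `false` for callers that have already checked out the repository or need a different `fetch-depth`.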
21 changes: 13 additions & 8 deletions static-analysis/action.yaml
Expand Up @@ -11,12 +11,17 @@ inputs:
runs:
using: composite
steps:
- run: echo "pausing checks"
- name: Checkout
if: ${{inputs.checkout-repo == 'true'}}
uses: actions/checkout@v3
- name: Run semgrep
run: |
docker run --rm -v "${PWD}:/src" \
-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
-e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
-e SEMGREP_BRANCH=${GITHUB_REF} \
-e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
-e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
returntocorp/semgrep:latest-nonroot \
semgrep ci
shell: bash
# - name: Checkout
# if: ${{inputs.checkout-repo == 'true'}}
# uses: actions/checkout@v3
# - name: Run semgrep
# uses: ${GITHUB_ACTION_PATH}/static-analysis/semgrep
# with:
# semgrep-app-token: ${{ inputs.semgrep-app-token }}
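Review bot: in the `Run semgrep` step, `${{ inputs.semgrep-app-token }}`, `${{ github.event.pull_request.head.sha }}` and `${{github.event.pull_request.number}}` are expanded into the shell script text before bash runs it, so the token and the other values become part of the command line instead of being read from the environment; move them into an `env:` block on the step and reference them as `"$SEMGREP_APP_TOKEN"` etc. inside `run:`, which also lets you quote every `-e` value (all of them are unquoted now). The two `pull_request` values are empty on `push` and `schedule` events, so `SEMGREP_COMMIT` needs a fallback such as `${{ github.event.pull_request.head.sha || github.sha }}`, and `SEMGREP_BRANCH=${GITHUB_REF}` passes a full ref (`refs/heads/...`, or `refs/pull/N/merge` on PRs) rather than a branch name; `GITHUB_HEAD_REF` carries the source branch on pull_request events. `returntocorp/semgrep:latest-nonroot` is a mutable tag, so pin the image by digest (`returntocorp/semgrep@sha256:...`) to keep the scanner from being a moving part of the pipeline's supply chain. Finally, the commented-out block at the end of the hunk repeats the old steps and points at `${GITHUB_ACTION_PATH}/static-analysis/semgrep`, which this commit deletes; drop it instead of leaving dead config.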
18 changes: 0 additions & 18 deletions static-analysis/semgrep/action.yaml

This file was deleted.
