diff --git a/static-analysis/README.md b/static-analysis/README.md
index 7e60280..60346f6 100644
--- a/static-analysis/README.md
+++ b/static-analysis/README.md
@@ -1,4 +1,4 @@
-# GitHub Action Static Analysis Preview
+# GitHub Action Static Security Scan Analysis
 
 ## Description
 
@@ -16,7 +16,7 @@ Step 3: Add a [Workflow File](https://help.github.com/en/articles/workflow-synta
 
 ```yaml
 # Name of this GitHub Actions workflow.
-name: Static code analysis using Semgrep
+name: Static code analysis
 
 on:
   # Scan changed files in PRs (diff-aware scanning):
@@ -34,7 +34,7 @@ on:
 jobs:
   static-code-anaylsis:
     # User definable name of this GitHub Actions job.
-    name: Static code analysis using Semgrep
+    name: Security scan
     steps:
       # Fetch project source with GitHub Actions Checkout.
       - uses: actions/checkout@v3
@@ -60,4 +60,4 @@ N/A
 
 ## Notes
 
-N/A
+- By default, this action will perform actions/checkout as its first step.
diff --git a/static-analysis/action.yaml b/static-analysis/action.yaml
index 9287dc6..a38c0a9 100644
--- a/static-analysis/action.yaml
+++ b/static-analysis/action.yaml
@@ -11,12 +11,17 @@ inputs:
 runs:
   using: composite
   steps:
-    - run: echo "pausing checks"
+    - name: Checkout
+      if: ${{inputs.checkout-repo == 'true'}}
+      uses: actions/checkout@v3
+    - name: Run semgrep
+      run: |
+        docker run --rm -v "${PWD}:/src" \
+          -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
+          -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
+          -e SEMGREP_BRANCH=${GITHUB_REF} \
+          -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
+          -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
+          returntocorp/semgrep:latest-nonroot \
+          semgrep ci
       shell: bash
-# - name: Checkout
-#   if: ${{inputs.checkout-repo == 'true'}}
-#   uses: actions/checkout@v3
-# - name: Run semgrep
-#   uses: ${GITHUB_ACTION_PATH}/static-analysis/semgrep
-#   with:
-#     semgrep-app-token: ${{ inputs.semgrep-app-token }}
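Review bot: The Semgrep token is interpolated straight into the shell script on the `-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }}` line, so the secret becomes part of the `docker run` argv on the runner, where any process that can list processes (or any later `set -x`/echo of the command) can read it; pass it through the step environment instead by adding `env:` / `  SEMGREP_APP_TOKEN: ${{ inputs.semgrep-app-token }}` to the "Run semgrep" step and changing the flag to `-e SEMGREP_APP_TOKEN` so Docker copies the variable from the environment without it ever appearing on a command line. The image reference `returntocorp/semgrep:latest-nonroot` is a mutable tag, so every run executes whatever the registry serves that day with full access to the checked-out source and the token; pin it to a release tag or a `@sha256:` digest and bump it deliberately, and consider pinning `actions/checkout@v3` to a commit SHA for the same reason. `SEMGREP_BRANCH=${GITHUB_REF}` is the merge ref (`refs/pull/N/merge`) on pull_request events rather than the head branch, and `SEMGREP_COMMIT`/`SEMGREP_PR_ID` expand to empty strings on push events; whether `semgrep ci` tolerates those values is not visible here, so it is worth confirming (`GITHUB_HEAD_REF` may be the intended branch value).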
diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/semgrep/action.yaml
deleted file mode 100644
index 7a3488c..0000000
--- a/static-analysis/semgrep/action.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Build semgrep container
-description: GitHub Action that builds semgrep container using returntocorp/semgrep image and passses semgrep command as args
-inputs:
-  semgrep-app-token:
-    required: true
-    description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
-runs:
-  using: composite
-  steps:
-    - run: echo "pausing checks"
-      shell: bash
-# using: docker
-# image: docker://returntocorp/semgrep
-# args:
-#   - semgrep
-#   - ci
-# env:
-#   SEMGREP_APP_TOKEN: ${{ inputs.semgrep-app-token }}