Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!(static-analysis): refactoring semgrep action path #43

Closed
wants to merge 1 commit into from
+95 −14
Closed

feat!(static-analysis): refactoring semgrep action path #43

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,6 @@ jobs:
- uses: open-turo/actions-gha/test@v2
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- uses: ./static-analysis/semgrep
- uses: ./static-analysis
with:
semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
6 changes: 3 additions & 3 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,13 @@ See usage [here](./docker-build/README.md#usage).

Documentation is found [here](./docker-build/README.md).

### action: [`static-analysis/semgrep`](./static-analysis/semgrep)
### action: [`static-analysis`](./static-analysis/)

Scan code changes for security vulnerabilities

See usage [here](./static-analysis/semgrep/README.md#usage).
See usage [here](./static-analysis/README.md#usage).

Documentation is found [here](./static-analysis/semgrep/README.md).
Documentation is found [here](./static-analysis/README.md).

## Get Help

Expand Down
82 changes: 82 additions & 0 deletions docs/breaking-changes/v3.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
# Breaking Changes for v3

## Introduction

The v3 version of the open-turo/actions-security repository introduces a significant refactoring of the Semgrep configuration path. These changes are designed to enhance maintainability and consistency across consuming repositories. However, this update may require action from repositories using older configurations to prevent workflow disruptions.

## Breaking Change Details

### 1. Refactored Path for security-scan.yaml

- _What Changed_:

- The action.yaml file for Semgrep has been moved from:

open-turo/actions-security/static-analysis/semgrep@v1

_to:_

open-turo/actions-security/static-analysis@v3

- _Impact_:
- Any workflow file referencing the old path (static-analysis/semgrep@v1) will fail to locate the action and result in pipeline failures.

## Migration Instructions

### Step 1: Update Workflow Files

1. Locate all GitHub Actions workflow files in your repository referencing static-analysis/semgrep.
2. Update the uses field to point to the new path:
```yaml
- uses: open-turo/actions-security/static-analysis@v3
```

### Step 2: Validate Workflow

1. After updating the workflow, run the GitHub Actions pipeline to ensure it works as expected.
2. Monitor the pipeline logs for any issues related to the Semgrep action.

---

## Troubleshooting

### Common Errors

- _Error_: Failed to locate action: open-turo/actions-security/static-analysis/semgrep@v1

- _Solution_: Update the uses field to open-turo/actions-security/static-analysis@v2.

- _Error_: Workflow file is invalid: Unexpected value 'semgrep-app-token'
- _Solution_: Ensure the required secrets are configured correctly in your repository:
- Add SEMGREP*APP_TOKEN under \_Settings > Secrets and variables > Actions*.

---

### Debugging Tips

- Verify that your workflow file points to static-analysis@v3.
- Ensure that your repository has the latest version of the open-turo/actions-security action.

---

## Example Workflow File

Below is an example of an updated GitHub Action workflow file using v3:

```yaml
name: Security scan
on:
pull_request: {}
workflow_dispatch: {}
push:
branches: [main]
jobs:
code-scan:
name: Security scan
runs-on: [self-hosted, general-ubuntu]
steps:
- uses: actions/checkout@v4
- uses: open-turo/actions-security/static-analysis@v3
with:
semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
```
0 static-analysis/semgrep/README.md → static-analysis/README.md
View file
Open in desktop
File renamed without changes.
19 changes: 9 additions & 10 deletions static-analysis/semgrep/action.yaml → static-analysis/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,13 @@ runs:
- name: Checkout
if: ${{inputs.checkout-repo == 'true'}}
uses: actions/checkout@v4
- run: echo "pausing checks"
- run: |
docker run --rm -v "${PWD}:/src" \
-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
-e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
-e SEMGREP_BRANCH=${GITHUB_REF} \
-e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
-e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
returntocorp/semgrep:latest-nonroot \
semgrep ci
shell: bash
# docker run --rm -v "${PWD}:/src" \
# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
# -e SEMGREP_BRANCH=${GITHUB_REF} \
# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
# returntocorp/semgrep:latest-nonroot \
# semgrep ci
# shell: bash
Loading