From 0d24aea3cb5f7629a6d742ebed01835fa98c086c Mon Sep 17 00:00:00 2001
From: "pkanoongo@turo.com"
Date: Tue, 10 Dec 2024 12:57:46 -0600
Subject: [PATCH 1/2] feat(static-analysis): semgrep check unpausing fix(static-analysis): fixing the failed checks fix(static-analysis): fixing the failed checks regarding gh token fix(static-analysis): fixing the failed checks fix(static-analysis): fixing the failed checkss fix(static-analysis): fixing the failed checkp fix(static-analysis): fixing the failed checkp format fix(static-anaysis): testing fix as suggested by semgrep team fix(static-anaysis): testing fix as suggested by semgrep team adding fetch depth fix(static-anaysis): testing fix as suggested by semgrep team adding fetch depth fix(static-anaysis): testing fix as suggested by semgrep team adding fetch depth fix(static-anaysis): adding fix suggested by semgrep support team
---
 static-analysis/semgrep/README.md | 2 +- static-analysis/semgrep/action.yaml | 40 ++++++++++++++++++++--------- 2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/static-analysis/semgrep/README.md b/static-analysis/semgrep/README.md
index dc4472d..7050bc5 100644
--- a/static-analysis/semgrep/README.md
+++ b/static-analysis/semgrep/README.md
@@ -20,7 +20,7 @@ Github Action that scans code changes being made and posts security findings in # Default: true semgrep-app-token: - # SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI + # SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard # # Required: true # Default: ""
diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/semgrep/action.yaml
index 0e5965e..4b77836 100644
--- a/static-analysis/semgrep/action.yaml
+++ b/static-analysis/semgrep/action.yaml
@@ -7,21 +7,37 @@ inputs: default: "true" semgrep-app-token: required: true - description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI + description: SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard + runs: using: composite steps: - name: Checkout - if: ${{inputs.checkout-repo == 'true'}} + if: ${{ inputs.checkout-repo == 'true' }} uses: actions/checkout@v4 - - run: echo "pausing checks" + with: + fetch-depth: 2 + + - name: Fetch Baseline Branch + run: | + set -e # Fail on any errors + BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}") + echo "Fetching base branch: $BASE_BRANCH" + git fetch origin $BASE_BRANCH:$BASE_BRANCH + echo "Base branch $BASE_BRANCH fetched successfully." + shell: bash + + - name: Run Semgrep + run: | + BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}") + echo "Running Semgrep with baseline branch: $BASE_BRANCH" + docker run --rm -v "${PWD}:/src" \ + -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \ + -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \ + -e SEMGREP_BRANCH=${GITHUB_REF} \ + -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \ + -e SEMGREP_PR_ID=${{ github.event.pull_request.number }} \ + -e SEMGREP_BASELINE_REF=refs/heads/$BASE_BRANCH \ + semgrep/semgrep:latest-nonroot \ + semgrep ci shell: bash -# docker run --rm -v "${PWD}:/src" \ -# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \ -# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \ -# -e SEMGREP_BRANCH=${GITHUB_REF} \ -# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \ -# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \ -# returntocorp/semgrep:latest-nonroot \ -# semgrep ci -# shell: bash From de570a5310e5cfa6f98b868f6d305ababc55ed85 Mon Sep 17 00:00:00 2001 
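Review bot: In the `Run Semgrep` step the secret is spliced into the script text by `-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }}`, which makes the token an argument on the docker command line instead of a value read from the step environment; move it to an `env:` block on the step, `  SEMGREP_APP_TOKEN: ${{ inputs.semgrep-app-token }}`, and pass it through with `-e SEMGREP_APP_TOKEN \` so docker takes the value from the environment. The patch-2 hunk of action.yaml keeps the same line, so the change applies there too. In `Fetch Baseline Branch`, `$BASE_BRANCH` is read from the event payload and expanded unquoted in `git fetch origin $BASE_BRANCH:$BASE_BRANCH`; `git fetch origin "$BASE_BRANCH:$BASE_BRANCH"` keeps the refspec a single argument regardless of its content. `semgrep/semgrep:latest-nonroot` is a floating tag, so the scanner version changes between runs without any change to this action; pinning a release tag or an image digest (in both hunks) keeps scans reproducible.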
From: "pkanoongo@turo.com"
Date: Fri, 13 Dec 2024 18:16:19 -0600
Subject: [PATCH 2/2] feat(static-analysis): resuming semgrep diff-aware checks
---
 static-analysis/semgrep/README.md | 6 +++--- static-analysis/semgrep/action.yaml | 29 +++++++---------------------- 2 files changed, 10 insertions(+), 25 deletions(-)
diff --git a/static-analysis/semgrep/README.md b/static-analysis/semgrep/README.md
index 7050bc5..157d8d9 100644
--- a/static-analysis/semgrep/README.md
+++ b/static-analysis/semgrep/README.md
@@ -4,7 +4,7 @@ ## Description
-Github Action that scans code changes being made and posts security findings in form of comments on pull requests
+GitHub Action that scans code changes being made and posts security findings as comments on pull requests.
@@ -14,13 +14,13 @@ Github Action that scans code changes being made and posts security findings in - uses: @ with: checkout-repo: - # Perform checkout as first step + # Perform checkout as the first step # # Required: false # Default: true semgrep-app-token: - # SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard + # Semgrep API token to pull the latest rule configuration from the ruleboard in Semgrep UI. # # Required: true # Default: ""
diff --git a/static-analysis/semgrep/action.yaml b/static-analysis/semgrep/action.yaml
index 4b77836..60e02a1 100644
--- a/static-analysis/semgrep/action.yaml
+++ b/static-analysis/semgrep/action.yaml
@@ -1,43 +1,28 @@ name: Run static code analysis -description: Github Action that scans code changes being made and posts security findings in form of comments on pull requests +description: GitHub Action that scans code changes being made and posts security findings as comments on pull requests. inputs: checkout-repo: - description: Perform checkout as first step + description: Perform checkout as the first step required: false default: "true" semgrep-app-token: required: true - description: SemGrep API token to pull the latest rule configuration from Semgrep's ruleboard - + description: Semgrep API token to pull the latest rule configuration from the ruleboard in Semgrep UI. runs: using: composite steps: - - name: Checkout - if: ${{ inputs.checkout-repo == 'true' }} - uses: actions/checkout@v4 + - uses: actions/checkout@v4 with: - fetch-depth: 2 - - - name: Fetch Baseline Branch - run: | - set -e # Fail on any errors - BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}") - echo "Fetching base branch: $BASE_BRANCH" - git fetch origin $BASE_BRANCH:$BASE_BRANCH - echo "Base branch $BASE_BRANCH fetched successfully." - shell: bash + fetch-depth: 2 # Fetch only the last two commits for efficient diff comparison - - name: Run Semgrep - run: | - BASE_BRANCH=$(jq -r '.pull_request.base.ref // "main"' < "${GITHUB_EVENT_PATH}") - echo "Running Semgrep with baseline branch: $BASE_BRANCH" + - run: | docker run --rm -v "${PWD}:/src" \ -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \ -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \ -e SEMGREP_BRANCH=${GITHUB_REF} \ -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \ -e SEMGREP_PR_ID=${{ github.event.pull_request.number }} \ - -e SEMGREP_BASELINE_REF=refs/heads/$BASE_BRANCH \ + -e SEMGREP_BASELINE_REF='HEAD^' \ semgrep/semgrep:latest-nonroot \ semgrep ci shell: bash
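Review bot: The `checkout-repo` input is still declared with the description `Perform checkout as the first step` and default `"true"`, but the `if: ${{ inputs.checkout-repo == 'true' }}` guard has been dropped from the checkout step, so `actions/checkout@v4` now runs unconditionally and a caller passing `checkout-repo: "false"` gets a checkout anyway; either restore `- name: Checkout` with `if: ${{ inputs.checkout-repo == 'true' }}` above `uses: actions/checkout@v4`, or remove the input from `inputs:` and the README. The new baseline `-e SEMGREP_BASELINE_REF='HEAD^'` together with `fetch-depth: 2` presumably relies on HEAD being the pull-request merge commit whose first parent is the base branch; on any other event, or when a caller supplies its own shallower checkout, `HEAD^` is only the previous commit or does not exist, so the diff-aware scan silently narrows or fails. That assumption is worth recording next to the existing `# Fetch only the last two commits for efficient diff comparison` comment, e.g. `# baseline HEAD^ assumes a pull_request merge commit (first parent = base branch)`, and perhaps gating the step on `github.event_name == 'pull_request'`.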