fix(static-analysis): fixing diff aware scanning for semgrep #45

Merged
merged 2 commits into from
Dec 17, 2024
6 changes: 3 additions & 3 deletions static-analysis/semgrep/README.md
@@ -4,7 +4,7 @@
<!-- action-docs-description source="action.yaml" -->
## Description

Github Action that scans code changes being made and posts security findings in form of comments on pull requests
GitHub Action that scans code changes being made and posts security findings as comments on pull requests.
<!-- action-docs-description source="action.yaml" -->

<!-- action-docs-usage source="action.yaml" -->
@@ -14,13 +14,13 @@ Github Action that scans code changes being made and posts security findings in
- uses: @
with:
checkout-repo:
# Perform checkout as first step
# Perform checkout as the first step
#
# Required: false
# Default: true

semgrep-app-token:
# SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
# Semgrep API token to pull the latest rule configuration from the ruleboard in Semgrep UI.
#
# Required: true
# Default: ""
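Review bot: the `checkout-repo` input is still documented in this hunk as an optional switch (`# Required: false`, `# Default: true`), but the action.yaml change in this same PR drops the `if: ${{inputs.checkout-repo == 'true'}}` guard and always runs `actions/checkout@v4`, so the README now promises an option that has no effect; either restore the guard on the new checkout step or remove `checkout-repo` from the usage block and from `inputs:`.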
33 changes: 17 additions & 16 deletions static-analysis/semgrep/action.yaml
@@ -1,27 +1,28 @@
name: Run static code analysis
description: Github Action that scans code changes being made and posts security findings in form of comments on pull requests
description: GitHub Action that scans code changes being made and posts security findings as comments on pull requests.
inputs:
checkout-repo:
description: Perform checkout as first step
description: Perform checkout as the first step
required: false
default: "true"
semgrep-app-token:
required: true
description: SemGrep API token to be added to repo that allows to pull latest rule config from ruleboard in Semgrep UI
description: Semgrep API token to pull the latest rule configuration from the ruleboard in Semgrep UI.
runs:
using: composite
steps:
- name: Checkout
if: ${{inputs.checkout-repo == 'true'}}
uses: actions/checkout@v4
- run: echo "pausing checks"
- uses: actions/checkout@v4
with:
fetch-depth: 2 # Fetch only the last two commits for efficient diff comparison

- run: |
docker run --rm -v "${PWD}:/src" \
-e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
-e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
-e SEMGREP_BRANCH=${GITHUB_REF} \
-e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
-e SEMGREP_PR_ID=${{ github.event.pull_request.number }} \
-e SEMGREP_BASELINE_REF='HEAD^' \
semgrep/semgrep:latest-nonroot \
semgrep ci
shell: bash
# docker run --rm -v "${PWD}:/src" \
# -e SEMGREP_APP_TOKEN=${{ inputs.semgrep-app-token }} \
# -e SEMGREP_REPO_NAME=${GITHUB_REPOSITORY} \
# -e SEMGREP_BRANCH=${GITHUB_REF} \
# -e SEMGREP_COMMIT=${{ github.event.pull_request.head.sha }} \
# -e SEMGREP_PR_ID=${{github.event.pull_request.number}} \
# returntocorp/semgrep:latest-nonroot \
# semgrep ci
# shell: bash
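Review bot: the conditional `Checkout` step (`if: ${{inputs.checkout-repo == 'true'}}`) is replaced by an unconditional `- uses: actions/checkout@v4` with `fetch-depth: 2`, so the still-declared `checkout-repo` input (default `"true"`) is silently ignored, and the inserted `- run: echo "pausing checks"` step is a no-op leftover that should go; keep the `if:` on the new checkout step (the `fetch-depth: 2` is what diff-aware scanning with `SEMGREP_BASELINE_REF='HEAD^'` needs, so the guard and the depth can coexist). Two further points on the `docker run` step: `${{ inputs.semgrep-app-token }}`, `${{ github.event.pull_request.head.sha }}` and `${{ github.event.pull_request.number }}` are interpolated straight into the `run:` shell line, and the token is unquoted; mapping them into `env:` and referencing `"$SEMGREP_APP_TOKEN"` etc. avoids shell-quoting surprises and the expression-injection pattern GitHub warns about for `run:` scripts. Also `semgrep/semgrep:latest-nonroot` is a floating tag, so every PR run pulls whatever `latest` resolves to; pinning to a released version (or an image digest) keeps the scanner reproducible. Finally, the commented-out copy of the old `docker run` block at the end of the hunk (including the retired `returntocorp/semgrep` image name) is dead configuration and is better deleted than kept as a comment, since git history already records it.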