Skip to content

Update dependency Jinja2 to v3.1.5 [SECURITY] #2035

Update dependency Jinja2 to v3.1.5 [SECURITY]

Update dependency Jinja2 to v3.1.5 [SECURITY] #2035

Workflow file for this run

name: semgrep
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
permissions:
pull-requests: write
jobs:
docker_scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: install semgrep
env:
DEBIAN_FRONTEND: noninteractive
run: |
sudo apt-get update && sudo apt-get install jq && python3 -m pip install semgrep==1.37.0
- name: scan
id: d_scan
run: |
mkdir /home/runner/reports/ && \
semgrep --config=.github/workflows/config/semgrep-dockerfile.yml --json -o /home/runner/reports/semgrep.out \
--severity ERROR ./ &&\
echo "## Validation Issues Found (Docker) :whale: " >> /home/runner/reports/docker-msg && \
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/docker-msg && \
echo "::set-output name=found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')"
- name: Fail if found
if: steps.d_scan.outputs.found-count != 0
uses: actions/github-script@v7
with:
script: |
const fs = require('fs')
var msg = fs.readFileSync('/home/runner/reports/docker-msg', 'utf8');
console.log('${{steps.d_scan.outputs.found-count}} errors found in docker/docker-compose files');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: msg
});
core.setFailed('Semgrep found errors in Dockerfiles or docker-compose files. Please check the uploaded report');
- name: Upload scan reports
uses: actions/[email protected]
if: failure()
with:
name: semgrep-docker-report
path: /home/runner/reports/semgrep.out
python_scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: install semgrep
env:
DEBIAN_FRONTEND: noninteractive
run: |
sudo apt-get update && sudo apt-get install jq && python3 -m pip install semgrep==1.37.0
- name: run semgrep
run: |
mkdir -p /home/runner/reports/ && \
semgrep --verbose --config=.github/workflows/config/semgrep-python.yml --json -o /home/runner/reports/semgrep.out --severity ERROR ./
- name: scan
id: py_scan
run: |
echo "## Validation Issues Found (Python) :snake: " >> /home/runner/reports/python-msg && \
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \
echo "::set-output name=python-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')"
- name: Fail if found
if: steps.py_scan.outputs.python-found-count > 0
uses: actions/github-script@v7
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const fs = require('fs')
var msg = fs.readFileSync('/home/runner/reports/python-msg', 'utf8');
console.log('${{steps.py_scan.outputs.python-found-count}} errors found in python files');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: msg
});
core.setFailed('Semgrep found errors in Python files. Please check the uploaded report');
- name: Upload scan reports
uses: actions/[email protected]
if: failure()
with:
name: semgrep-python-report
path: /home/runner/reports/semgrep.out