v38 #1145
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: semgrep | |
on: | |
pull_request_target: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
permissions: | |
pull-requests: write | |
jobs: | |
docker_scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.10' | |
- name: install semgrep | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
run: | | |
sudo apt-get update && sudo apt-get install jq && python3 -m pip install semgrep==1.37.0 | |
- name: scan | |
id: d_scan | |
run: | | |
mkdir /home/runner/reports/ && \ | |
semgrep --config=.github/workflows/config/semgrep-dockerfile.yml --json -o /home/runner/reports/semgrep.out \ | |
--severity ERROR ./ &&\ | |
echo "## Validation Issues Found (Docker) :whale: " >> /home/runner/reports/docker-msg && \ | |
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/docker-msg && \ | |
echo "::set-output name=found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')" | |
- name: Fail if found | |
if: steps.d_scan.outputs.found-count != 0 | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const fs = require('fs') | |
var msg = fs.readFileSync('/home/runner/reports/docker-msg', 'utf8'); | |
console.log('${{steps.d_scan.outputs.found-count}} errors found in docker/docker-compose files'); | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: msg | |
}); | |
core.setFailed('Semgrep found errors in Dockerfiles or docker-compose files. Please check the uploaded report'); | |
- name: Upload scan reports | |
uses: actions/[email protected] | |
if: failure() | |
with: | |
name: semgrep-docker-report | |
path: /home/runner/reports/semgrep.out | |
python_scan: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.10' | |
- name: install semgrep | |
env: | |
DEBIAN_FRONTEND: noninteractive | |
run: | | |
sudo apt-get update && sudo apt-get install jq && python3 -m pip install semgrep==1.37.0 | |
- name: run semgrep | |
run: | | |
mkdir -p /home/runner/reports/ && \ | |
semgrep --verbose --config=.github/workflows/config/semgrep-python.yml --json -o /home/runner/reports/semgrep.out --severity ERROR ./ | |
- name: scan | |
id: py_scan | |
run: | | |
echo "## Validation Issues Found (Python) :snake: " >> /home/runner/reports/python-msg && \ | |
cat /home/runner/reports/semgrep.out | jq -r --arg ws "$GITHUB_WORKSPACE" --arg url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/blob/$GITHUB_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' >> /home/runner/reports/python-msg && \ | |
echo "::set-output name=python-found-count::$(cat /home/runner/reports/semgrep.out | jq '.results | length')" | |
- name: Fail if found | |
if: steps.py_scan.outputs.python-found-count > 0 | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const fs = require('fs') | |
var msg = fs.readFileSync('/home/runner/reports/python-msg', 'utf8'); | |
console.log('${{steps.py_scan.outputs.python-found-count}} errors found in python files'); | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: msg | |
}); | |
core.setFailed('Semgrep found errors in Python files. Please check the uploaded report'); | |
- name: Upload scan reports | |
uses: actions/[email protected] | |
if: failure() | |
with: | |
name: semgrep-python-report | |
path: /home/runner/reports/semgrep.out | |