Adding Semgrep SAST Scanner (#2552)
This pull request adds a Semgrep SAST scanner that scans pull requests
(code changes); this will be a **non-blocking, non-mandatory check**.
This scan should ideally take less than ~2 minutes to execute and report
results directly to the pull request.

### **Note:**
1. _**Initially this Semgrep scan will be a non-blocking, non-mandatory
check for merging the pull request.**_

### Rollout plan

1. Merge this SAST scan check, keep executing it on pull requests, and
monitor for errors.
2. Connect the `code scanning alert`
[webhook](https://docs.github.com/en/webhooks/webhook-events-and-payloads#code_scanning_alert)
to the SIEM and Slack alert notifications.
3. Communicate in `discuss-cody` & `announce-security` about the Semgrep
scan and how to resolve issues.
4. Make this scan a required check before merging branches to `main` &
the release branch.
5. If something goes wrong, revert this pull request and disable the
mandatory check.

## Test plan

- [x] Ensure Semgrep SAST is executing actively in the GitHub Actions CI
- [x] Ensure Semgrep reports vulnerabilities and uploads results to code
scanning

shivasurya authored Jan 4, 2024
1 parent 7c492ea commit 09c4ad4
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions .github/workflows/semgrep.yml
@@ -0,0 +1,31 @@
name: Semgrep - SAST Scan

on: [pull_request]

jobs:
semgrep:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep

steps:
- uses: actions/checkout@v3

- name: Checkout semgrep-rules repo
uses: actions/checkout@v3
with:
repository: sourcegraph/security-semgrep-rules
token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
path: semgrep-rules

- name: Run Semgrep SAST Scan
run: |
semgrep ci -f semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
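Review bot: the second `actions/checkout` step (the `semgrep-rules` checkout) persists `GH_SEMGREP_SAST_TOKEN` into `semgrep-rules/.git/config` for the rest of the job, because `persist-credentials` defaults to `true`; since the token is only needed to fetch the rules, add `persist-credentials: false` under `with:` so the PAT is not left on disk while the scan step runs. Two further supply-chain points in the same hunk: `container: image: returntocorp/semgrep` has no tag or digest, so every run pulls whatever `latest` is at the time (pin to a version tag or `@sha256:` digest so rule behaviour and results are reproducible), and `actions/checkout@v3` / `github/codeql-action/upload-sarif@v2` are pinned to mutable major tags rather than commit SHAs. Finally, `--suppress-errors` in the `semgrep ci` invocation hides rule parse and scan errors from the exit status; combined with the non-blocking rollout described in the PR body that means a broken rule set fails silently, so the "monitor for errors" step of the rollout plan should look at the job log, not just the check status.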
