From b3a37b19443c0ea5b749be3808a610b462679f76 Mon Sep 17 00:00:00 2001
From: Xavier Tremblay
Date: Wed, 18 Jan 2023 16:01:47 -0500
Subject: [PATCH] [TECH-133] Add semgrep to pull requests (#8)
---
.github/workflows/codeql.yml | 35 --------------------
.github/workflows/semgrep-full-scan.yaml | 37 ++++++++++++++++++++++
.github/workflows/semgrep-pull-request.yml | 25 +++++++++++++++
3 files changed, 62 insertions(+), 35 deletions(-)
delete mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/semgrep-full-scan.yaml
create mode 100644 .github/workflows/semgrep-pull-request.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 0a6ad4a..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: CodeQL - -on: - push: - branches: ["main"] - pull_request: - branches: ["main"] - schedule: - - cron: "12 1 * * 0" - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: csharp - - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:csharp" \ No newline at end of file
diff --git a/.github/workflows/semgrep-full-scan.yaml b/.github/workflows/semgrep-full-scan.yaml
new file mode 100644
index 0000000..386944c
--- /dev/null
+++ b/.github/workflows/semgrep-full-scan.yaml
@@ -0,0 +1,37 @@
+name: Semgrep Full Scan + +on: + workflow_dispatch: + branches: + - main + schedule: + - cron: '0 9 * * 6' + +jobs: + semgrep-full: + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + + steps: + - name: clone application source code + uses: actions/checkout@v3 + + - name: full scan + run: | + semgrep \ + --sarif --output report.sarif \ + --metrics=off \ + --config="p/default" + + - name: save report as pipeline artifact + uses: actions/upload-artifact@v3 + with: + name: report.sarif + path: report.sarif + + - name: publish code scanning alerts + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: report.sarif + category: semgrep \ No newline at end of file
diff --git a/.github/workflows/semgrep-pull-request.yml b/.github/workflows/semgrep-pull-request.yml
new file mode 100644
index 0000000..868be1c
--- /dev/null
+++ b/.github/workflows/semgrep-pull-request.yml
@@ -0,0 +1,25 @@
+name: Semgrep Pull Request Scan +on: + pull_request: + branches: [ "main" ] + +jobs: + semgrep-diff: + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + + steps: + - name: clone application source code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: pull request scan + run: | + semgrep scan \ + --error \ + --verbose \ + --time \ + --baseline-commit ${{ github.event.pull_request.base.sha }} \ + --config="p/default" \ No newline at end of file
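Review bot: The `publish code scanning alerts` step calls `github/codeql-action/upload-sarif@v2`, but the `semgrep-full` job declares no `permissions:` block; the codeql.yml this commit deletes granted `security-events: write`, which the SARIF upload needs, so on a repository whose default `GITHUB_TOKEN` is read-only the upload fails and the weekly scan stops producing alerts without anyone noticing. Add under the job: `permissions:` / `  contents: read` / `  security-events: write`. `workflow_dispatch` does not take a `branches` filter (it only accepts `inputs`), so the `- main` restriction presumably has no effect and should be dropped to avoid suggesting a guard that is not there. `image: returntocorp/semgrep` has no tag or digest, so every run pulls whatever the mutable default tag currently points at; pin it to a version and digest (`returntocorp/semgrep:<VERSION>@sha256:<DIGEST>`, placeholders) so the scanner that produces security findings is itself reproducible.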
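Review bot: The `pull request scan` step runs `semgrep scan` without `--metrics=off`, unlike the full-scan workflow added in this same commit; with the default metrics setting a registry config such as `p/default` reports usage data to Semgrep's servers, so the two workflows disagree on what leaves the runner. Add `--metrics=off \` to the command for consistency, or drop it from both deliberately. The `semgrep-diff` job also has no `permissions:` block; it writes nothing back, so `permissions:` / `  contents: read` pins the token to the least it needs. As in the full-scan workflow, `image: returntocorp/semgrep` should carry a tag and digest. Minor style: `branches: [ "main" ]` uses padded flow style while the other workflow uses block sequences; `branches: ["main"]` or a block list keeps the two files consistent.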